Daily August 2014

daily@lists.cert.at

1 participants
20 discussions

Tageszusammenfassung - Donnerstag 14-08-2014
by Daily end-of-shift report 14 Aug '14

14 Aug '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 13-08-2014 18:00 − Donnerstag 14-08-2014 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Safari: Apple behebt diverse Sicherheitslücken *** --------------------------------------------- Der Hersteller hat in der Nacht zum Donnerstag seinen hauseigenen Browser für verschiedene Betriebssysteme aktualisiert. Für Entwickler stellte Apple außerdem eine weitere Vorschauversion von OS X 10.9.5 bereit. --------------------------------------------- http://www.heise.de/security/meldung/Safari-Apple-behebt-diverse-Sicherheit… *** Vulnerability in Spotify Android App May Lead to Phishing *** --------------------------------------------- We have discovered a vulnerability that affects versions of the Spotify app for Android older than 1.1.1. If exploited, the vulnerability can allow bad guys to control what is being displayed on the app interface. This vulnerability can be potentially abused by cybercriminals to launch phishing attacks that may result to information loss or theft. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ZJMVGX3NMwk/ *** Portal: Tor für mobile Router *** --------------------------------------------- Anonymes Surfen mit Tor ist noch sicherer, wenn die Software nicht auf dem eigenen Rechner läuft. Die Software Portal integriert Tor in der Firmware Openwrt und lässt sich so auf ausgewählten mobilen Routern nutzen. --------------------------------------------- http://www.golem.de/news/portal-tor-fuer-mobile-router-1408-108575-rss.html *** Tiny Malware PoC: Malware Without IAT, DATA OR Resource Section *** --------------------------------------------- Have you ever wondered about having an EXE without any entry in IAT (Import Address Table) at all? Well, I knew that its possible, but never saw an actual exe file without IAT entry. So I developed an application which is 1,536 bytes and still does basic annoying malware things. --------------------------------------------- http://www.codeandsec.com/PoC-Tiny-Malware-Without-IAT-DATA-Or-Resource-Sec… *** SAMHAIN v3.1.2 Released *** --------------------------------------------- The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes. Samhain been designed to monitor multiple hosts with potentially different operating systems, providingcentralized logging and maintenance, although it can also be used as standalone application on a single host. --------------------------------------------- http://www.toolswatch.org/2014/08/samhain-v3-1-2-released/ *** ZeroLocker *** --------------------------------------------- Recently in the news we saw FireEye and Fox-IT provide the ability to decrypt files encrypted by older crpytolocker variants. They used the command and control servers seized by the FBI during operation Tovar. Since they have access to those RSA keys they essentially have the password required for every single file encrypted by a Cryptolocker variant that used Evgeniy Bogachev's botnet. --------------------------------------------- http://www.webroot.com/blog/2014/08/14/zero-locker/ *** JSA10643 - 2014-08 Security Bulletin: Juniper Secure Analytics (JSA)/Security Threat Response Manager (STRM): Multiple vulnerabilities resolved by third party software upgrades. *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10643&actp=RSS *** JSA10642 - 2014-08 Security Bulletin: Network and Security Manager NSM: Multiple vulnerabilities *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10642&actp=RSS *** Disqus 2.7.5 Cross Site Request Forgery / Cross Site Scripting *** --------------------------------------------- Topic: Disqus 2.7.5 Cross Site Request Forgery / Cross Site Scripting Risk: Medium Text:<!-- Exploit for Disqus for Wordpress admin stored CSRF+XSS up to v2.7.5 Blog post explainer: https://www.nikcub.com/posts/... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014080064 *** Google Chrome Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Information *** --------------------------------------------- http://www.securitytracker.com/id/1030732 *** SSA-310688 (Last Update 2014-08-14): Denial-of-Service Vulnerability in SIMATIC S7-1500 CPU *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** SSA-234763 (Last Update 2014-08-14): OpenSSL Vulnerabilities in Siemens Industrial Products *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… Next End-of-Shift report on 2014-08-18

1 0

Tageszusammenfassung - Mittwoch 13-08-2014
by Daily end-of-shift report 13 Aug '14

13 Aug '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 12-08-2014 18:00 − Mittwoch 13-08-2014 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** (Updated 2014/8/13) Syria offline - initial analysis of BGP (and explanation) *** --------------------------------------------- This blog post evolved over time - initially it was a mere scratchpad for notes during our initial research between 2012/11/29 and 11/30. Later, after Syria was back online again, I added a summary and some potential explanations of what might have happened at the end of this blog post. UPDATE 2014/8/13: It seems it was the NSA that hacked a router, according to Snowden. Scroll to the end for links. --------------------------------------------- http://www.cert.at/services/blog/20121129184048-616.html *** MS14-AUG - Microsoft Security Bulletin Summary for August 2014 - Version: 1.0 *** --------------------------------------------- This bulletin summary lists security bulletins released for August 2014. With the release of the security bulletins for August 2014, this bulletin summary replaces the bulletin advance notification originally issued August 7, 2014. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS14-AUG *** Assessing risk for the August 2014 security updates *** --------------------------------------------- Today we released nine security bulletins addressing 40 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other seven have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max exploit-ability Likely first 30 days impact Platform mitigations and key notes MS14-051 (Internet Explorer) Victim browses --------------------------------------------- http://blogs.technet.com/b/srd/archive/2014/08/12/assessing-risk-for-the-au… *** Microsoft-Patchday: 26 Lücken im Internet Explorer gestopft *** --------------------------------------------- Wie am zweiten Dienstag im Monat üblich, hat Microsoft eine Reihe von Sicherheitslücken im Internet Explorer, in Windows und in anderen Produkten geschlossen. Für den IE gibt es 26 einzelne Patches, eine Lücke wird bereits von Angreifern aktiv genutzt. --------------------------------------------- http://www.heise.de/newsticker/meldung/Microsoft-Patchday-26-Luecken-im-Int… *** Cisco Unified Communications Manager and Cisco Unified Presence Server SQL Injection Vulnerability *** --------------------------------------------- CVE-2014-3339 --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** Study: Firmware Plagued By Poor Encryption and Backdoors *** --------------------------------------------- itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10... --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-X--LranmlI/story01.htm *** Fifteen zero days found in hacker router comp romp *** --------------------------------------------- Four routers rooted in SOHOpelessly Broken challenge DEF CON Researchers have unveiled 15 zero day vulnerabilities in four home and small business routers as part of the SOHOpelessly Broken hacker competition in DEF CON this week. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/08/13/fifteen_zer… *** Black Hat USA 2014 talk about hypervisor security *** --------------------------------------------- This week I presented at Black Hat USA. The talk is titled "Poacher turned gatekeeper: lessons learned from eight years of breaking hypervisors". The main points were: Describe the attack surface of Type 1 and Type 2 hypervisors Show that despite not being 100% bulletproof, hypervisors are still the best usable way to isolate potentially... --------------------------------------------- http://labs.bromium.com/2014/08/11/black-hat-usa-2014-talk-about-hypervisor… *** Wireless Auditing, Intrusion Detection & Prevention System *** --------------------------------------------- WAIDPS is an open source wireless swissknife written in Python and work on Linux environment. This is a multipurpose tools designed for audit (penetration testing) networks, detect wireless intrusion (WEP/WPA/WPS attacks) and also intrusion prevention (stopping station from associating to access point). --------------------------------------------- http://www.ehacking.net/2014/08/wireless-auditing-intrusion-detection.html *** SSA-635659 (Last Update 2014-08-14): Heartbleed Vulnerability in Siemens Industrial Products *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** Gefälschtes Tor-Browser-Bundle mit Trojaner *** --------------------------------------------- Eine täuschend echte Kopie der Seite torproject.org verteilt einen Trojaner. Der Student Julien Voisin hat ihn zerlegt - und konnte Kontakt zu den Verantwortlichen herstellen. --------------------------------------------- http://www.heise.de/newsticker/meldung/Gefaelschtes-Tor-Browser-Bundle-mit-… *** Ältere Versionen von Disqus für WordPress angreifbar *** --------------------------------------------- Ein Sicherheitsforscher hat Sicherheitslücken im beliebten Disqus-Plug-in für WordPress entdeckt. Administratoren sollten sicherstellen, dass die entsprechenden Updates installiert sind. --------------------------------------------- http://www.heise.de/security/meldung/Aeltere-Versionen-von-Disqus-fuer-Word… *** New Metasploit 4.10: Credentials Are the New Exploits *** --------------------------------------------- We’ve given credentials a new boost with Metasploit 4.10. It’s now easier to manage, reuse and report on credentials as part of a penetration test. --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2014/08/13/credentia…

1 0

Tageszusammenfassung - Dienstag 12-08-2014
by Daily end-of-shift report 12 Aug '14

12 Aug '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 11-08-2014 18:00 − Dienstag 12-08-2014 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Adobe Security Bulletins Posted *** --------------------------------------------- The following Security Bulletins have been posted today: APSB14-18: Security updates available for Adobe Flash Player http://helpx.adobe.com/security/products/flash-player/apsb14-18.html APSB14-19: Security updates available for Adobe Reader and Acrobat http://helpx.adobe.com/security/products/reader/apsb14-19.html Customers of the affected products should consult the relevant Security Bulletin(s) for details. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1118 *** Cisco Unified Communications Manager SIP Subsystem Vulnerability *** --------------------------------------------- CVE-2014-3337 --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** Cisco Unified Communications Manager CTIManager Vulnerability *** --------------------------------------------- CVE-2014-3338 --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** Two new Gameover Zeus variants in the wild *** --------------------------------------------- About two months after botnet takedown efforts, new versions of the malware have surfaced in the U.S. and abroad. --------------------------------------------- http://www.scmagazine.com/two-new-gameover-zeus-variants-in-the-wild/articl… *** Millions of PCs Affected by Mysterious Computrace Backdoor *** --------------------------------------------- Absolute Softwares anti-theft Computrace software is mysteriously installed on brand new machines, nearly impossible to remove, and exploitable. --------------------------------------------- http://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-bac… *** NIST wants better SCADA security *** --------------------------------------------- Preparing the way for a test lab Americas National Institute of Standards and Technology (NIST) wants to take a hand in addressing the SCADA industry's chronic insecurity, by building a test bed for industrial control systems. --------------------------------------------- http://www.theregister.co.uk/2014/08/12/nist_wants_better_scada_security/ *** Command Injection allows Unauthenticated Command Bypass on multiple D-Link products *** --------------------------------------------- The DNS-315L DNS-320L, DNS-327L, DNS-340L, and DNS-345 have been identifed as having a vulnerability in their Web-GUI application that allows malicious users to gain access to the device configuraiton, device operating system, and stored file without requiring log-in credentials. --------------------------------------------- http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10042 *** 2Q 2014 Security Roundup: Turning the Tables on Cyber Attacks *** --------------------------------------------- The incidents that cropped up in the months of April to June 2014 - from the data breaches, DDoS attacks, to malware improvements and threats to privacy - highlighted the need for enterprises to craft a more strategic response against and in anticipation of security threats. There were plenty of threats to be found in the quarter. There was... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Cf4i9ouVNiM/ *** How to hack a Macbook using just USB *** --------------------------------------------- Yesterday, at the 2014 DEF CON hackers conference in Las Vegas, security researchers Joe Fitzpatrick and Miles Crabil demonstrated how they could directly access the memory of Apple Macbook devices using a piece of hardware they built to plug into the computer's own USB slot. --------------------------------------------- http://www.techly.com.au/2014/08/12/hack-macbook-using-just-usb/ *** BlackBerry Z10 erlaubte freien Zugriff über das WLAN *** --------------------------------------------- Sicherheitsforscher haben eine Lücke öffentlich gemacht, die es einem Angreifer erlaubte, auf Daten auf dem BlackBerry Z10 zuzugreifen. Der eingebaute File-Server erlaubte Zugriff auf den Telefonspeicher, ohne nach einem Passwort zu fragen. --------------------------------------------- http://www.heise.de/security/meldung/BlackBerry-Z10-erlaubte-freien-Zugriff…

1 0

Tageszusammenfassung - Montag 11-08-2014
by Daily end-of-shift report 11 Aug '14

11 Aug '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 08-08-2014 18:00 − Montag 11-08-2014 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Cisco Unity Connection SQL Injection Vulnerability *** --------------------------------------------- CVE-2014-3336 --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** Splunk Bugs Permit Remote Cross-Site Scripting and Remote Authenticated Directory Traversal Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1030690 *** Incident Response with Triage-ir, (Sun, Aug 10th) *** --------------------------------------------- In many cases having a full disk image is not an option during an incident. Imagine that you are suspecting that you have dozen of infected or compromised system. Can you spend 2-3 hours to make a forensic copy of hard disks hundred computers? In such situation fast forensics is the solution for such situation. Instead of copying everything collecting some files that may contain an evidence can solve this issue. In this diary I am going to talk about an application that will collect most of... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18509&rss *** Verifying preferred SSL/TLS ciphers with Nmap, (Mon, Aug 11th) *** --------------------------------------------- In last year or two, there has been a lot of talk regarding correct usage of SSL/TLS ciphers on web servers. Due to various incidents more or less known incidents, web sites today should use PFS (Perfect Forward Secrecy), a mechanism that is used when an SSL/TLS connection is established and symmetric keys exchanged. PFS ensures that, in case an attacker obtains the server's private key, he cannot decrypt previous SSL/TLS connections to that server. If PFS is not used (if RSA is used to --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18513&rss *** WordHound erzeugt maßgeschneiderte Wörterbücher für Passwort-Knacker *** --------------------------------------------- Wörterbuch-Attacken auf Passwort-Hashes dauern lange und sind nicht immer erfolgreich. Schneidet man die durchzuprobierenden Passwörter aber auf das Ziel zurecht, sind selbst vergleichbar komplizierte Kennwörter unter Umständen nicht mehr sicher. --------------------------------------------- http://www.heise.de/newsticker/meldung/WordHound-erzeugt-massgeschneiderte-… *** You cannot cyberhijack an airplane, but you can create mischief *** --------------------------------------------- Hacking a plane and taking control of the aircraft is a considerably scary prospect, but two speakers at DefCon 22 in Las Vegas quashed the notion and put worries to rest. --------------------------------------------- http://www.scmagazine.com/defcon-you-cannot-cyberhijack-an-airplane-but-you… *** Cybercrime Report: Soziale Netzwerke zunehmend betroffen *** --------------------------------------------- 2013 wurden in Österreich 11.199 Fälle von Cybercrime angezeigt. Als Motive sieht das Bundeskriminalamt finanzielle Interessen, Langeweile und Hacktivism. [...] Neue Technologien werden in Zukunft weiterhin neue Erscheinungsformen von Cyberkriminalität begünstigen, heißt es im Report. Genannt wurde der Einsatz von "NFC" (Near Field Communication) zur Durchführung kontaktloser Zahlungsvorgänge, aber auch Verkehrsmittel, die mit der Möglichkeit zur Netzwerk-Kommunikation ausgestattet werden, wie zum Beispiel Smart-Vehicles und Drohnen, warnt der Bericht abschließend. --------------------------------------------- http://futurezone.at/netzpolitik/cybercrime-report-soziale-netzwerke-zunehm…

1 0

Tageszusammenfassung - Freitag 8-08-2014
by Daily end-of-shift report 08 Aug '14

08 Aug '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 07-08-2014 18:00 − Freitag 08-08-2014 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Massives Datenleck *** --------------------------------------------- Massives Datenleck | 6. August 2014Diverse Medien berichten, dass eine kriminelle Gruppe aus Russland eine gigantische Zahl an Zugangsdaten erbeutet hat. Siehe u.a.: New York Times, Slate, WSJ, DerStandard, Futurezone, Heise, ... | Woher die Credentials wirklich stammen (die Geschichte mit dem Botnet und SQL-Injection klingt ein bisschen nach einem Bericht aus 2013), ist auch nicht restlos geklärt: In anderen Fällen war das eine Mischung aus diversen Kampagnen, sowohl Einbrüchen in... --------------------------------------------- http://www.cert.at/services/blog/20140806143111-1213.html *** Black Hat USA Talks: Investigating PowerShell Attacks *** --------------------------------------------- Threat actors are always eager to adopt new tools, tactics, and procedures that can help them evade detection and conduct their mission. Incident responders from Mandiant have observed increasing use of PowerShell by targeted attackers to conduct command-and-control in compromised... --------------------------------------------- http://www.fireeye.com/blog/technical/2014/08/black-hat-usa-talks-investiga… *** IETF will selbst elliptische Kurven standardisieren *** --------------------------------------------- Künftig will die IETF nicht mehr nur einfach die von der NIST empfohlenen Krypto-Standards übernehmen, sondern eigene schaffen. Die NIST hingegen versucht weiterhin, ihr ramponiertes Image als unabhängige Instanz zu retten. --------------------------------------------- http://www.heise.de/security/meldung/IETF-will-selbst-elliptische-Kurven-st… *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server July 2014 CPU *** --------------------------------------------- There are multiple vulnerabilities in IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM Java SDK updates in July 2014. CVE(s): CVE-2014-4263 and CVE-2014-4244, Affected product(s) and affected version(s): IBM Java SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.2, Version 8.0.0.0 through 8.0.0.9, Version 7.0.0.0 through 7.0.0.33, Version 6.1.0.0 through 6.1.0.47 --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** Checking for vulnerabilities in the Smart Grid System, (Thu, Aug 7th) *** --------------------------------------------- SCADA systems are not composed the same way as regular IT systems. Therefore, the risk and vulnerability assessment cannot be performed as it is done for any other IT system. The most important differences are: SCADA Pentesting should not be done in production environment: SCADA devices are very fragile and some activities that could pose harmless to regular IT environments could be catastrophic to the process availability. Think of massive blackouts or no water supply for a city. SCADA --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18499&rss *** Wordpress: Defektes Plugin erlaubt Admin-Zugriff *** --------------------------------------------- Das Wordpress-Plugin Custom Contacts Form hat einen Fehler, der es Angreifern erlaubt, administrative Rechte über eine Webseite zu erhalten. Es gibt bereits einen Patch. --------------------------------------------- http://www.golem.de/news/wordpress-defektes-plugin-erlaubt-admin-zugriff-14… *** Analyzing the Fake ID Android vulnerability *** --------------------------------------------- In this video shot at Black Hat 2014 in Las Vegas, Jeff Forristal of Bluebox Security sits with Danielle Walker, reporter at SC Magazine, to discuss the Fake ID Android vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/Tp9gYIOHaFg/ *** Black Hat 2014: 75 Prozent aller mobilen Kassensysteme verwundbar *** --------------------------------------------- Knapp drei viertel aller gängigen mobilen Terminals zum Auslesen von Kreditkarten basieren auf der selben Hard- und Software. Forscher haben demonstriert, wie sie die Geräte unter Kontrolle bringen und so dem Kartenmissbrauch Tür und Tor öffnen. --------------------------------------------- http://www.heise.de/newsticker/meldung/Black-Hat-2014-75-Prozent-aller-mobi… *** Patchday: Microsoft behebt kritische Lücken in Windows und IE *** --------------------------------------------- Am kommenden Patchday veröffentlicht Microsoft insgesammt neun Sicherheitsupdates, davon sind zwei als "kritisch" und sieben weitere als "wichtig" markiert. --------------------------------------------- http://www.heise.de/newsticker/meldung/Patchday-Microsoft-behebt-kritische-… *** Microsoft: Keine Updates mehr für ältere Internet Explorer *** --------------------------------------------- Ab Anfang 2016 will Microsoft ältere Internet-Explorer-Versionen nicht mehr unterstützen. Bis dahin sollten Windows-Nutzer den Webbrowser aktualisieren, um weiterhin Updates zu erhalten. --------------------------------------------- http://www.heise.de/security/meldung/Microsoft-Keine-Updates-mehr-fuer-aelt… *** How to Use Your Cat to Hack Your Neighbor's Wi-Fi *** --------------------------------------------- Late last month, a Siamese cat named Coco went wandering in his suburban Washington, DC neighborhood. He spent three hours exploring nearby backyards. He killed a mouse, whose carcass he thoughtfully brought home to his octogenarian owner, Nancy. And while he was out, Coco mapped dozens of his neighbors' Wi-Fi networks, identifying four routers that used... --------------------------------------------- http://feeds.wired.com/c/35185/f/661467/s/3d4f7cee/sc/10/l/0L0Swired0N0C20A… *** HPSBHF03084 rev.1 HP PCs with UEFI Firmware, Execution of Arbitrary Code *** --------------------------------------------- Potential security vulnerabilies have been identified with certain HP PCs with UEFI Firmware. The vulnerabilities could be exploited to allow execution of arbitrary code. --------------------------------------------- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… *** HPSBUX03087 SSRT101413 rev.1 - HP-UX CIFS Server (Samba), Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access *** --------------------------------------------- Potential security vulnerabilities have been identified with HP-UX CIFS-Server (Samba). The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS). --------------------------------------------- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… *** Neues Sysinternals-Tool hilft bei der Malware-Suche *** --------------------------------------------- Mit dem Programm Sysmon ist die beliebte Werkzeugsammlung von Microsoft Sysinternals um ein neues Tool zum Aufspüren verdächtiger Aktivitäten auf Windows-Rechnern gewachsen. --------------------------------------------- http://www.heise.de/security/meldung/Neues-Sysinternals-Tool-hilft-bei-der-…

1 0

Tageszusammenfassung - Donnerstag 7-08-2014
by Daily end-of-shift report 07 Aug '14

07 Aug '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 06-08-2014 18:00 − Donnerstag 07-08-2014 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Cisco IOS Software and Cisco IOS XE Software EnergyWise Crafted Packet Denial of Service Vulnerability *** --------------------------------------------- cisco-sa-20140806-energywise --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Security expert calls home routers a clear and present danger *** --------------------------------------------- In Black Hat Q&A, In-Q-Tel CISO says home routers are "critical infrastructure." --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/iXnyWy8k6JU/ *** Black Hat 2014: Netzbetreiber-Software zum Fernsteuern von Mobilgeräten erlaubt Missbrauch *** --------------------------------------------- Auf zwei Milliarden Mobilfunkgeräten läuft eine verwundbare Software, die Netzbetreibern zum Kontrollieren der Geräte dient. Mit geringem Aufwand können Angreifer die Geräte unbemerkt aus der Ferne manipulieren und so beispielsweise Datenverkehr mitschneiden. --------------------------------------------- http://www.heise.de/security/meldung/Black-Hat-2014-Netzbetreiber-Software-… *** Internet Explorer begins blocking out-of-date ActiveX controls *** --------------------------------------------- As part of our ongoing commitment to delivering a more secure browser, starting August 12th Internet Explorer will block out-of-date ActiveX controls. ActiveX controls are small apps that let Web sites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. --------------------------------------------- http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-bloc… *** Cisco 2014 Midyear Security Report: Exposing Weak Links to Strengthen the Security Chain *** --------------------------------------------- You may be thinking, "What could have possibly changed since January?" True to form, the attacker community continues to evolve, innovate, and think up new ways to discover and exploit weak links in the security chain. Also true to form, they sometimes simply use tried and true methods to exploit some of the same old vulnerabilities that continue to present themselves. --------------------------------------------- https://blogs.cisco.com/security/cisco-2014-midyear-security-report-exposin… *** Securing VoIP systems *** --------------------------------------------- Countermeasures for these security issues are given below in greater detail: - Encryption - Firewalls - Traffic Analysis - Improved network Security - Authentication mechanisms - Apply appropriate patches - Turn off unnecessary protocols... --------------------------------------------- http://resources.infosecinstitute.com/securing-voip-systems/ *** Jetzt updaten: Ältere Synology NAS-Geräte anfällig für Ransomware *** --------------------------------------------- Der NAS-Hersteller Synology hat Details zu der Lücke bekannt gegeben, die der Erpressungs-Trojaner SynoLocker ausnutzt, um die Daten seiner Opfer zu verschlüsseln. Nach Informationen des Herstellers betrifft das Sicherheitsproblem nur ältere Firmware-Versionen und wurde im Dezember 2013 behoben. Die DiskStation-Manager-Software (DSM) Version 4.3-3810 oder älter soll betroffen sein, ein Update auf DSM 5.0 soll Abhilfe schaffen. --------------------------------------------- http://www.heise.de/newsticker/meldung/Jetzt-updaten-Aeltere-Synology-NAS-G… *** OpenSSL-Updates - diesmal nicht ganz so schlimm *** --------------------------------------------- Die OpenSSL-Entwickler beseitigen neun Sicherheitslücken, die meisten von Google-Forschern entdeckt. Allerdings ist diesmal nichts wirklich dramatisches dabei. --------------------------------------------- http://www.heise.de/newsticker/meldung/OpenSSL-Updates-diesmal-nicht-ganz-s… *** Hintergrund: Politische Lösungen für eine sichere Zukunft der Kommunikation *** --------------------------------------------- Nach den Snowden-Enthüllungen steht eine Diskussion an, was wir zukünftig besser machen können, um Spionage und großflächige Massenüberwachung zu verhindern. Neben der besserer Technik braucht es da auch neue politische Ansätze, meint Linus Neumann. --------------------------------------------- http://www.heise.de/security/artikel/Politische-Loesungen-fuer-eine-sichere… *** Security Notice-Statement on 9 OpenSSL Vulnerabilities *** --------------------------------------------- Aug 07, 2014 20:29 --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…

1 0

Tageszusammenfassung - Mittwoch 6-08-2014
by Daily end-of-shift report 06 Aug '14

06 Aug '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 05-08-2014 18:00 − Mittwoch 06-08-2014 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Another Bypass Identified in PayPal 2FA *** --------------------------------------------- A security researcher has uncovered a simple method for bypassing the two-factor authentication mechanism that PayPal uses to protect accounts that are tied to eBay accounts. The vulnerability is related to the way that the login flow works when a user is prompted to connect her eBay account to her PayPal account. The eBay and... --------------------------------------------- http://threatpost.com/another-bypass-identified-in-paypal-2fa/107605 *** Mozilla zukünftig mit zentralen Sperrlisten *** --------------------------------------------- Sichere Internet-Verbindungen erfordern Mechanismen, kompromittierte Zertifikate als ungültig zu erklären. Die aktuellen Verfahren dazu funktionieren jedoch nicht. Zukünftig soll das bei Firefox und Co die OneCRL richten. --------------------------------------------- http://www.heise.de/security/meldung/Mozilla-zukuenftig-mit-zentralen-Sperr… *** Researchers release CryptoLocker decryption tool *** --------------------------------------------- Tool uses private keys found in database of victims.The CryptoLocker ransomware is one of the nastiest pieces of malware to have targeted Internet users in recent years. The malware uses strong file encryption (more particularly, AES encryption with a key that has been encrypted using an RSA-2048 private key) to deny the user access to their files unless they pay a ransom of around US$300. At a time when we often seem to be learning about accidental or intentional vulnerabilities in encryption,... --------------------------------------------- http://www.virusbtn.com/blog/2014/08_06.xml?rss *** CipherShed *** --------------------------------------------- CipherShed is free (as in free-of-charge and free-speech) encryption software for keeping your data secure and private. It started as a fork of the now-discontinued TrueCrypt Project. --------------------------------------------- http://n0where.net/ciphershed/ *** Web-Fu - Chrome extension for pentesting web applications *** --------------------------------------------- Chrome extension for pentesting web applications. Web-fu Is a web hacking tool focused on discovering and exploiting web vulnerabilitites. --------------------------------------------- http://hack-tools.blackploit.com/2014/08/web-fu-chrome-extension-for-pentes…

1 0

Tageszusammenfassung - Dienstag 5-08-2014
by Daily end-of-shift report 05 Aug '14

05 Aug '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 04-08-2014 18:00 − Dienstag 05-08-2014 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Synology - erste Informationen bezüglich "Synolocker" *** --------------------------------------------- Special Notes SynoLocker Message Issue - If NAS is not infected: First, close all open ports for external access for now. Backup the data on the DiskStation and update DSM to the latest version. Synology will provide further information as soon as possible if you are vulnerable. If NAS is infected, first do not trust (and ignore) any unauthorized, non-Synology messages or emails. Hard shut down the DiskStation to prevent any further issues. --------------------------------------------- https://myds.synology.com/support/support_form.php?lang=us *** Synolocker: Why OFFLINE Backups are important, (Tue, Aug 5th) *** --------------------------------------------- One current threat causing a lot of sleepless nights to victims is "Cryptolocker" like malware. Various variations of this type of malware are still haunting small businesses and home users by encrypting files and asking for ransom to obtain the decryption key. Your best defense against this type of malware is a good backup. Shadow volume copies may help, but arent always available and complete. In particular for small businesses, various simple NAS systems have become popular over --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18481&rss *** Ubuntu-Sperrbildschirm verliert Tastatureingaben *** --------------------------------------------- Eine jetzt geschlossene Sicherheitslücke im Sperrbildschirm der Linux-Distribution Ubuntu könnte zur Folge haben, dass Nutzer ihr Passwort aus Versehen öffentlich im Internet bekanntgeben. --------------------------------------------- http://www.heise.de/newsticker/meldung/Ubuntu-Sperrbildschirm-verliert-Tast… *** Barracuda Web Application Firewall Reusable URL-Based Authentication Tokens Let Remote Users Bypass Authentication *** --------------------------------------------- http://www.securitytracker.com/id/1030665 *** Evernote Patches Vulnerability in Android App *** --------------------------------------------- We have previously discussed an Android vulnerability that may lead to user data being captured or used to launch attacks. We discovered that the popular Android app for Evernote contained the said vulnerability. We disclosed the details to Evernote, and they took action by issuing an update to the Android version of their app. Evernote has added additional... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/BBLQmuk3RrQ/ *** Symantec Endpoint Protection Local Client Application Device Control Buffer Overflow *** --------------------------------------------- Revisions None Severity CVSS2Base ScoreImpactExploitabilityCVSS2 VectorSEP Local Client ADC Buffer Overflow- Medium6.... --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** Bugtraq: SEC Consult SA-20140805-0 :: Multiple vulnerabilities in Readsoft Invoice Processing and Process Director *** --------------------------------------------- http://www.securityfocus.com/archive/1/533024 *** A Peek Into the Lions Den - The Magnitude [aka PopAds] Exploit Kit *** --------------------------------------------- Recently we managed to have an unusual peek into the content that is used on the servers of the prevalent exploit kit, Magnitude. In this blog post we'll review its most up-to-date administration panel and capabilities, as well as review some infection statistics provided by Magnitude over the course of several weeks. These days, after the arrest of Paunch, Blackhole exploit kit creator, exploit kit developers and sellers have learned their lesson regarding doing business in the --------------------------------------------- http://blog.spiderlabs.com/2014/08/a-peek-into-the-lions-den-the-magnitude-… *** Vulnerability in Spotify Android App May Lead to Phishing *** --------------------------------------------- We have discovered a vulnerability that affects versions of the Spotify app for Android older than 1.1.1. If exploited, the vulnerability can allow bad guys to control what is being displayed on the app interface. This vulnerability can be potentially abused by cybercriminals to launch phishing attacks that may result to information loss or theft. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/GZKakDZwRhw/

1 0

Tageszusammenfassung - Montag 4-08-2014
by Daily end-of-shift report 04 Aug '14

04 Aug '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 01-08-2014 18:00 − Montag 04-08-2014 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** ZDI-14-273: AlienVault OSSIM av-centerd Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault OSSIM. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-14-273/ *** Remote code execution on Android devices *** --------------------------------------------- You walk into a coffee shop and take a seat. While waiting for your coffee, you take out your smartphone and start playing a game you downloaded the other day. Later, you go to work and check your email in the elevator. Without you knowing, an attacker has just gained a foothold in your corporate... --------------------------------------------- http://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/ *** POWELIKS: Malware Hides In Windows Registry *** --------------------------------------------- We spotted a malware that hides all its malicious codes in the Windows Registry. The said tactic provides evasion and stealth mechanisms to the malware, which Trend Micro detects as TROJ_POWELIKS.A. When executed, TROJ_POWELIKS.A downloads files, which can cause further system infection. Systems affected by this malware risk being infected by other malware, thus causing further... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/OEAKGdXwSnc/ *** All Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon, (Sat, Aug 2nd) *** --------------------------------------------- A remote code execution in nmbd (the NetBIOS name services daemon) has been found in Samba versions 4.0.0 to 4.1.10. ( assgined CVE-2014-3560) and a patch has been release by the team at samba.org. Heres the details from http://www.samba.org/samba/security/CVE-2014-3560 =========== Description =========== All current versions of Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon. A malicious browser can send packets that may overwrite --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18471&rss *** TP-Link TL-WR740N v4 arbitrary shell command execution *** --------------------------------------------- Topic: TP-Link TL-WR740N v4 arbitrary shell command execution Risk: High Text:# Exploit Title: TP-Link TL-WR740N v4 router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) arbitrary shell command execution # Dat... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014080013 *** Verschlüsselungstrojaner attackiert Synology-Speichersysteme *** --------------------------------------------- Cyber-Erpresser haben einen neuen, direkten Weg gefunden, um das digitale Hab und Gut ihrer Opfer als Geisel zu nehmen: Sie nutzen eine Sicherheitslücke in der NAS-Firmware, um den gesamten Netzwerkspeicher zu verschlüsseln. --------------------------------------------- http://www.heise.de/newsticker/meldung/Verschluesselungstrojaner-attackiert… *** China boots Kaspersky and Symantec off security contractor list *** --------------------------------------------- Foreign firms dropped from roll of approved infosec vendors Kaspersky Labs and Symantec have both been booted off China's list of approved security vendors for government agencies, as the country continues to tighten up against foreign tech firms in the wake of the NSA indiscriminate surveillance revelations. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/08/04/kaspersky_s… *** Bugtraq: ownCloud Unencrypted Private Key Exposure *** --------------------------------------------- http://www.securityfocus.com/archive/1/533010 *** Backdoor Techniques in Targeted Attacks *** --------------------------------------------- Backdoors are an essential part of targeted attacks, as they allow an external threat actor to exercise control over any compromised machines. These allow the threat actor to collect information and move laterally within the targeted organization. Our investigations into various targeted attacks have showed that a wide variety of tactics are used by backdoors to carry out... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/fHW4IPov8YE/ *** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM WebSphere Real Time *** --------------------------------------------- Java SE issues disclosed in the Oracle July 2014 Critical Patch Update, plus 1 additional vulnerability CVE(s): CVE-2014-3086, CVE-2014-4227, CVE-2014-4262, CVE-2014-4219, CVE-2014-4209, CVE-2014-4220, CVE-2014-4268, CVE-2014-4218, CVE-2014-4252, CVE-2014-4266, CVE-2014-4265, CVE-2014-4221, CVE-2014-4263, CVE-2014-4244 and CVE-2014-4208 Affected product(s) and affected version(s): IBM WebSphere Real Time Version 3 Service Refresh 7 and earlier Refer to the following reference URLs for --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat in Rational DOORS Web Access *** --------------------------------------------- The Apache Tomcat application server in installations of IBM Rational DOORS Web Access version contains security vulnerabilities. CVE(s): CVE-2013-4322, CVE-2013-4590, CVE-2014-0096, CVE-2014-0099 and CVE-2014-0119 Affected product(s) and affected version(s): Rational DOORS Web Access version 9.6.0.x, 9.5.2.x, 9.5.1.x, 9.5.0.x, 1.5.0.x, 1.4.0.4 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…

1 0

Tageszusammenfassung - Freitag 1-08-2014
by Daily end-of-shift report 01 Aug '14

01 Aug '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 31-07-2014 18:00 − Freitag 01-08-2014 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Russian ransomware author takes the easy route *** --------------------------------------------- Symantec Security Response has observed a new variant of ransomcrypt malware which is easy to update and uses open source components to encrypt files. The variant, detected as Trojan.Ransomcrypt.L, uses a legitimate open source implementation of the OpenPGP standard to encrypt files on the victim’s computer. The threat then displays a ransom notice in Russian, asking the user to pay in order to unlock the files. --------------------------------------------- http://www.symantec.com/connect/blogs/russian-ransomware-author-takes-easy-… *** Announcing EMET 5.0 *** --------------------------------------------- Today, we are excited to announce the general availability of the Enhanced Mitigation Experience Toolkit (EMET) 5.0. As many of you already know, EMET is a free tool, designed to help customers with their defense in depth strategies against cyberattacks, by helping detect and block exploitation techniques .. --------------------------------------------- http://blogs.technet.com/b/srd/archive/2014/07/31/announcing-emet-v5.aspx *** Backoff - Technical Analysis *** --------------------------------------------- As discussed in the an advisory published by US-CERT, Trustwave SpiderLabs has discovered a previously unidentified family of Point of Sale (PoS) malware. This blog post serves as a technical analysis of the Backoff malware family. While a number .. --------------------------------------------- http://blog.spiderlabs.com/2014/07/backoff-technical-analysis.html *** BadUSB: Wenn USB-Geräte böse werden *** --------------------------------------------- Wer die Firmware eines USB-Sticks kontrolliert, kann den zu einem perfekten Trojaner umfunktionieren. Deutsche Forscher zeigen, dass das komplett via Software möglich ist und sich damit ganz neue Infektions-Szenarien eröffnen. --------------------------------------------- http://www.heise.de/security/meldung/BadUSB-Wenn-USB-Geraete-boese-werden-2… *** Backups - The Forgotten Website Security Pillar *** --------------------------------------------- I travel a lot (a lot might actually be an understatement these days), but the travel always revolves around a couple common threads - namely website security education and awareness. In these travels, regardless of the community I am engaging with, there are always common questions .. --------------------------------------------- http://blog.sucuri.net/2014/07/backups-the-forgotten-website-security-pilla… *** The Severe Flaw Found in Certain File Locker Apps *** --------------------------------------------- Protecting data has always been one of the most important aspects of our digital life. Given the amount of activity done on smartphones, this is especially rings true for smartphones. While users may use the built-in privacy and security settings of their devices, others take it a step further and employ security .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/the-severe-flaw-… *** MediaWiki Input Validation Flaws Permit Cross-Site Scripting and Clickjacking Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1030660 *** Offensive Security reports of Symantec Endpoint Protection zero-day vulnerability (July 2014) *** --------------------------------------------- This Knowledge Base article will be updated as further information becomes available. Please subscribe to this document to receive update notifications automatically. To mitigate this issue while research is underway and solutions are being identified, uninstall or disable the sysplant driver. --------------------------------------------- http://www.symantec.com/business/support/index?page=content&id=TECH223338 *** Backdoor.Gates: Also Works for Windows *** --------------------------------------------- We have received reports about a Linux malware known as Backdoor.Gates. Analysis showed that this malware has the following features .. --------------------------------------------- http://www.f-secure.com/weblog/archives/00002728.html *** SubSTATION Server Telegyr 8979 Master Vulnerabilities *** --------------------------------------------- This advisory provides mitigation details for a Buffer Overflow Vulnerability in the SUBNET Solutions Inc (SUBNET), SubSTATION Server 2, Telegyr 8979 Master .. --------------------------------------------- http://ics-cert.us-cert.gov//advisories/ICSA-14-196-01 *** Yes, Hackers Could Build an iPhone Botnet - Thanks to Windows *** --------------------------------------------- A reminder to Apple and smug iPhone owners: Just because iOS has never been the victim of a widespread malware outbreak doesn't mean mass iPhone hacking isn't still possible. Now one group of security researchers plans .. --------------------------------------------- http://www.wired.com/2014/08/yes-hackers-could-build-an-iphone-botnetthanks… *** Citadel Malware Variant Allows Attackers Remote Access, Even After Removal *** --------------------------------------------- A new variant of the Citadel banking Trojan has been discovered where the attackers are using Windows remote shell commands to be enable Remote Desktop Protocol access, even if the malware is discovered and removed. --------------------------------------------- http://threatpost.com/citadel-malware-variant-allows-attackers-remote-acces…

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily August 2014