Daily June 2015

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - Dienstag 30-06-2015
by Daily end-of-shift report 30 Jun '15

30 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 29-06-2015 18:00 − Dienstag 30-06-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** Windows kerberos ticket theft and exploitation on other platforms *** --------------------------------------------- I decided to take a look at how the kerberos tickets can be dumped from a Windows target and re-used on Linux. It was surprisingly easy to accomplish. --------------------------------------------- https://mikkolehtisalo.wordpress.com/2015/06/29/copying-windows-kerberos-ti… *** Why vulnerability disclosure shouldn't be a marketing tool *** --------------------------------------------- So now we have three approaches to vulnerability disclosure: full disclosure, responsible disclosure, and marketing disclosure. My concern with the latter is that by its very nature it will get more coverage in both the IT industry and mainstream media. ... In the cases where the vulnerability does affect the organization, the security team is called into action to remediate it, but this remediation may be based more on the impact the vulnerability has had on the news headlines rather than on the impact it actually may have on the environment, This results in already overstretched security teams being distracted from other core tasks. --------------------------------------------- http://www.net-security.org/article.php?id=2318 *** DSA-3297 unattended-upgrades - security update *** --------------------------------------------- It was discovered that unattended-upgrades, a script for automaticinstallation of security upgrades, did not properly authenticatedownloaded packages when the force-confold or force-confnew dpkg optionswere enabled via the DPkg::Options::* apt configuration. --------------------------------------------- https://www.debian.org/security/2015/dsa-3297 *** How Malware Campaigns Employ Google Redirects and Analytics, (Tue, Jun 30th) *** --------------------------------------------- The email message sent to the bank employee claimed that the sender received a wire transfer from the recipients organization and that the sender wanted to confirm that the payment went through without issues. The victim was encouraged to click a link that many people would considersafe, in part because it began with https://www.google.com/. How would you examine the nature of this email? Examining MSG and EML Files on Linux One way to analyze the suspicious message saved as an Outlook .msg file --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19843&rss *** Tearing Apart a Datto *** --------------------------------------------- Datto devices are becoming a popular backup solution for small to medium sized businesses. They are easy to use and well equipped out of the box. We recently found ourselves in an engagement where one of these devices was accessible via the LAN. Gaining access to backups is a bit of a goldmine during an assessment; unrestricted access to file shares, configuration information, extracting hashes from the NTDS.dit file, and a multitude of other things. --------------------------------------------- http://silentbreaksecurity.com/tearing-apart-a-datto/ *** Vulnerability in Citrix NetScaler Application Deliver Controller and NetScaler Gateway Management Interface Could Result in Arbitrary Command Injection *** --------------------------------------------- A vulnerability has been identified in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway Management Interface that could allow an authenticated malicious user to execute shell commands on the appliance. CVE: CVE-2015-5080 --------------------------------------------- http://support.citrix.com/article/CTX201149 *** Viele Android-Geräte über Debugger angreifbar *** --------------------------------------------- Über eine Schwachstelle im Debugger können Angreifer den Inhalt des Hauptspeichers von über 90 Prozent aller Android-Geräte auslesen und so weitere Attacken fahren. --------------------------------------------- http://www.heise.de/newsticker/meldung/Viele-Android-Geraete-ueber-Debugger… *** Analyzing a Facebook Clickbait Worm *** --------------------------------------------- Here at Sucuri we suspect everything, especially when your friends start to share content written in another language with clickbait headlines. If you are not familiar with the term, clickbait is when web content is created in a way that psychologically exploits the reader's curiosity using compelling headlines. When someone clicks on the article to read it, the service promoting the article generates online advertisement revenue. --------------------------------------------- https://blog.sucuri.net/2015/06/analyzing-a-facebook-clickbait-worm.html *** Vulnerabilities in Cisco products*** --------------------------------------------- Cisco Unified IP Phones 9900 Series Denial of Service Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=39554 --------------------------------------------- Cisco Unified Communications Domain Manager Information Disclosure Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=39557 --------------------------------------------- *** Vulnerabilities in IBM products*** --------------------------------------------- Security Bulletin: Vulnerabilities in libxml2 affect System Networking Products (CVE-2014-0191, CVE-2013-2877, CVE-2014-3660) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098306 --------------------------------------------- Security Bulletin: Vulnerabilities in OpenSSL affect Flex System FC3171 8Gb SAN Switch and Flex System FC3171 8Gb SAN Pass-thru (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098265 --------------------------------------------- Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Flex System Manager (FSM) SMIA Configuration Tool (CVE-2015-4000) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098403 --------------------------------------------- Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware. (CVE-2015-2808) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098314 --------------------------------------------- Security Bulletin: Vulnerability in RC4 stream cipher affects IBM System Networking RackSwitch (CVE-2015-2808) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098302 ---------------------------------------------Security Bulletin: Vulnerability in RC4 stream cipher affects IBM BladeCenter Switches (CVE-2015-2808) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098303 --------------------------------------------- Security Bulletin: Multiple vulnerabilities in xorg-x11-server affect IBM Flex System Manger (FSM) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098372 --------------------------------------------- Security Bulletin: GNU C library (glibc) vulnerability affects IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware (CVE-2015-0235) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098317 --------------------------------------------- Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098358 --------------------------------------------- Security Bulletin: Vulnerabilities in OpenSSL affect IBM System x, BladeCenter and Flex Systems Unified Extensible Firmware Interface (UEFI) (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098339 --------------------------------------------- IBM Security Bulletin: IBM SmartCloud Analytics - Log Analysis is affected by Open Source Python Vulnerability (CVE-2014-9365) http://www.ibm.com/support/docview.wss?uid=swg21958936 --------------------------------------------- IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Endpoint Manager for Remote Control http://www.ibm.com/support/docview.wss?uid=swg21903374 --------------------------------------------- IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime, affect Tivoli Endpoint Manager for Remote Control. http://www.ibm.com/support/docview.wss?uid=swg21903373 --------------------------------------------- IBM Security Bulletin: A vulnerability in cURL libcURL affects IBM Tivoli Composite Application Manager for Transactions (CVE-2014-8150) http://www.ibm.com/support/docview.wss?uid=swg21697198 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 29-06-2015
by Daily end-of-shift report 29 Jun '15

29 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 26-06-2015 18:00 − Montag 29-06-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** In eigener Sache: CERT.at sucht Verstärkung *** --------------------------------------------- Wir suchen aktuell eine/n ProgrammiererIn - vorerst als Karenzvertretung bis Jahresende. Details siehe https://cert.at/about/jobs/jobs.html --------------------------------------------- http://www.cert.at/services/blog/20150629141329-1553.html *** IETF Officially Deprecates SSLv3 *** --------------------------------------------- The IETF, in RFC7568, declared SSLv3 "not sufficiently secure" and prohibited its use. SSLv3 fallbacks were to blame for the POODLE and BEAST attacks. --------------------------------------------- http://threatpost.com/ietf-officially-deprecates-sslv3/113503 *** NIST Updates Random Number Generation Guidelines *** --------------------------------------------- An anonymous reader writes: Encryption weighs heavily on the public consciousness these days, as weve learned that government agencies are keeping an eye on us and a lot of our security tools arent as foolproof as weve thought. In response to this, the National Institute of Standards and Technology has issued a formal update to its document on how to properly generate a random number - crucial in many types of encryption. --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/JJ7XjyjPA9c/nist-updates-ra… *** Lücke im Flash Player: Exploit Kit erhöht Angriffs-Risiko *** --------------------------------------------- Bisher haben Angreifer die in der letzten Woche bekanntgewordene Schwachstelle in Adobes Flash Player nur vereinzelt und gezielt attackiert. Aktuell nutzt jedoch auch das Magnitude Exploit Kit die Lücke aus und vergrößert den Angriffsradius. --------------------------------------------- http://heise.de/-2730795 *** The State of the ESILE/Lotus Blossom Campaign *** --------------------------------------------- As is generally the case with backdoors, ESILE contacts a command-and-control server in order to receive commands from its attacker. How it does this is also a fingerprint of the campaign as well. It uses a URL based on the MAC address of the infected machine's network interface, as well as the current time. ... This distinctive pattern can be used to help spot and block ESILE-related endpoints on an organization's network. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/the-state-of-the… *** Migrating from SHA-1 to SHA-2 *** --------------------------------------------- Heres a comprehensive document on migrating from SHA-1 to SHA-2 in Active Directory certificates.... --------------------------------------------- https://www.schneier.com/blog/archives/2015/06/migrating_from_.html *** Cyber Security Challenge: Bundesheer sucht Nachwuchs-Hacker *** --------------------------------------------- Qualifikation läuft bis August, Veranstaltung von Cyber Security Austria und Abwehramt organisiert --------------------------------------------- http://derstandard.at/2000018220253 *** Bugtraq: ESA-2015-097: EMC Secure Remote Services (ESRS) Virtual Edition (VE) Multiple Security Vulnerabilities *** --------------------------------------------- Summary: ESRS VE version 3.06 contains security fixes for multiple vulnerabilities that could potentially be exploited by malicious uses to compromise the affected system Insufficient Certificate Validation CVE-2015-0543: CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) Cookie Generated with Insufficient Randomness CVE-2015-0544: CVSSv2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) --------------------------------------------- http://www.securityfocus.com/archive/1/535851 *** The Powershell Diaries 2 - Software Inventory, (Mon, Jun 29th) *** --------------------------------------------- After last weeks story, hopefully youve got your problem users accounts identified. With that worked out, lets see about finding problem applications. We all need a handle on what applications are installed on workstations for a number of reasons to make sure that when upgrade time comes, that nobody gets left behind that older apps that have security vulnerabilities or have limited function get taken care of... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19851&rss *** Critical vulnerabilities in Polycom RealPresence Resource Manager (RPRM) *** --------------------------------------------- Business recommendation: By combining all vulnerabilities documented in this advisory an unprivileged authenticated remote attacker can gain full system access (root) on the RPRM appliance. This has an impact on all conferences taking place via this RP Resource Manager. Attackers can steal all conference passcodes and join or record any conference. SEC Consult recommends not to use this system until a thorough security review has been performed by security professionals and all identified issues have been resolved. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015… *** TYPO3-EXT-SA-2015-015: Cross-Site Scripting in extension "404 Page not found handling" (pagenotfoundhandling) *** --------------------------------------------- It has been discovered that the extension "404 Page not found handling" (pagenotfoundhandling) is susceptible to Cross-Site Scripting Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C Affected Versions: version 2.1.0 and below --------------------------------------------- http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-e… *** Hacker-Angriff vermutet: Apache Build-Server offline *** --------------------------------------------- Bis jetzt wurde ein Angriff nicht offiziell bestätigt. Auch ist nicht bekannt, ob ein Eingriff in auf den Servern gebaute Software-Pakete stattgefunden hat. Die Build-Systeme der ASF werden unter anderem von OpenOffice, dem Tomcat-Projekt und dem Web-Framework Apache Wicket verwendet. Neben den Build-Servern und der Continuous-Integration-Webseite ist auch das CMS der Apache-Seiten betroffen. --------------------------------------------- http://heise.de/-2731265 *** Cisco Application Policy Infrastructure Controller Unauthorized Access Vulnerability *** --------------------------------------------- CVE: CVE-2015-4225, CVSS2 Base Score: 5.5 A vulnerability in the role-based access control (RBAC) of the Cisco Application Policy Infrastructure Controller (Cisco APIC) could allow an authenticated, remote attacker to have read access to certain information stored in the affected system. The vulnerability is due to improper handling of RBAC for health scoring. An attacker could exploit this vulnerability to gain access to information on the affected system. --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39529

1 0

Tageszusammenfassung - Freitag 26-06-2015
by Daily end-of-shift report 26 Jun '15

26 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 25-06-2015 18:00 − Freitag 26-06-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Multiple Default SSH Keys Vulnerabilities in Cisco Virtual WSA, ESA, and SMA *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Magento Platform Targeted By Credit Card Scrapers *** --------------------------------------------- We've been writing a lot about E-Commerce hacks and PCI Compliance recently. The more people buy things online, the more of an issue this will be come and the more important it will .. --------------------------------------------- https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-sc… *** MMD-0034-2015 - New ELF Linux/DES.Downloader on Elasticsearch CVE-2015-1427 exploit *** --------------------------------------------- This is a tough writing, and will be many addition will be added after the initial release. We are pushed to release this as alert of an on going attack, it is a real malware incident .. --------------------------------------------- http://blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html *** That shot you heard? SSLv3 is now DEAD *** --------------------------------------------- Its joined the choir invisible We really, really, really mean it this time: take SSL3 and bury .. --------------------------------------------- http://www.theregister.co.uk/2015/06/26/that_shot_you_heard_sslv3_is_now_de… *** EU-Ermittler zerschlagen Ring von Online-Banking-Betrügern *** --------------------------------------------- Verschiedenen Behörden aus Europa haben eine erfolgreiche Operation gegen Cyber-Kriminelle durchgeführt, die im großen Stil über alle Kontinente verteilt Banking-Trojaner eingesetzt haben. --------------------------------------------- http://heise.de/-2729777 *** Windows Server 2003 noch auf Drittel aller Server: Support-Ende im Juli *** --------------------------------------------- Am 14. Juli endet der Support von Windows Server 2003, Server 2003 R2 und Small Business Server 2003. Ab dann wird es für das zwölf Jahre alte System keine neuen Updates, Hotfixes oder Sicherheits-Aktualisierung mehr geben. --------------------------------------------- http://derstandard.at/2000018075592 *** Polycom RealPresence Resource Manager critical vulnerabilities allow surveillance on conferences *** --------------------------------------------- Multiple remote vulnerabilities (arbitrary file disclosure, path traversal, arbitrary file upload, privilege escalation in the web application) combined with local vulnerabilities (sudo misconfiguration, weak filesystem permissions) allow an .. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015… *** Siemens Climatix BACnet/IP Communication Module Cross-site Scripting Vulnerability *** --------------------------------------------- This advisory provides mitigation details for an identified cross-site scripting vulnerability in the Siemens Climatix BACnet/IP communication module. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-176-01 *** PACTware Exceptional Conditions Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a handling of exceptional conditions vulnerability in the PACTware Consortium PACTware application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-176-02 *** Latest spam filter test sees significant drop in catch rates *** --------------------------------------------- Despite a drop in catch rates, 15 products earn a VBSpam award, with four earning a VBSpam+ award.Spam is notoriously volatile and thus, while we like to make the news headlines with our tests as much as anyone, we would warn against .. --------------------------------------------- http://www.virusbtn.com/blog/2015/06_26.xml *** ZDI-15-262: HP System Management Homepage Single Sign On Stack Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard System Management Homepage. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-15-262/

1 0

Tageszusammenfassung - Donnerstag 25-06-2015
by Daily end-of-shift report 25 Jun '15

25 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 24-06-2015 18:00 − Donnerstag 25-06-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** Paper: Using .NET GUIDs to help hunt for malware *** --------------------------------------------- Tool to extract identifiers incorporated into VirusTotal. The large number of new malware samples found each day hasnt made malware analysis an easier task, and researchers could use anything that helps them automate this task. Today, we publish a paper by Cylance researcher Brian Wallace, who looks at two globally unique identifiers (GUIDs) found in malware created using .NET, which can help link multiple files to the same Visual Studio project. --------------------------------------------- http://www.virusbtn.com/blog/2015/06_24a.xml?rss *** The Powershell Diaries - Finding Problem User Accounts in AD, (Wed, Jun 24th) *** --------------------------------------------- Powershell has gotten a lot of attention lately as a pentesters tool of choice, since it has access to pretty much every low-level system function in the Microsoft ecosystem, and the AV industry isnt dealing well with that yet (aside from ignoring powershell completely that is). But what about day-to-day system administration? Really, the possibilities for admins are just as limitless as for pentesters - thats what Powershell was invented for after all ! --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19833&rss *** Shibboleth authentication - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2015-129 Project: Shibboleth authentication (third-party module) Version: 6.x, 7.x Date: 2015-June-24 Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Cross Site Scripting Description Shibboleth authentication module allows users to log in and get permissions based on federated (SAML2) authentication.The module didnt filter the text that is displayed as a login link. --------------------------------------------- https://www.drupal.org/node/2511518 *** HybridAuth Social Login - Less Critical - Access bypass - SA-CONTRIB-2015-127 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2015-127 Project: HybridAuth Social Login (third-party module) Version: 7.x Date: 2015-June-24 Security risk: 8/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypass Description The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. --------------------------------------------- https://www.drupal.org/node/2511410 *** Web security subtleties and exploitation of combined vulnerabilities, (Thu, Jun 25th) *** --------------------------------------------- The goal of a penetration test is to report all identified vulnerabilities to the customer. Of course, every penetration tester puts most of his effort into finding critical security vulnerabilities: SQL injection, XSS and similar, which have the most impact for the tested web application (and, indeed, it does not hurt a penetration testers ego when such a vulnerability is identified :) However, I strongly push towards reporting of every single vulnerability, no matter how harmless it might appear ... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19837&rss *** Samsung deaktiviert keine Sicherheitsupdates von Windows *** --------------------------------------------- PR-Desaster im Eigenbau: Samsung veröffentlicht ein Tool namens "disable_Windowsupdate.exe". Doch das macht gar nicht das, was der Name vermuten lässt. --------------------------------------------- http://www.heise.de/newsticker/meldung/Samsung-deaktiviert-keine-Sicherheit… *** Von wegen Schutz: NOD32 erlaubt das Kapern von Rechnern *** --------------------------------------------- Statt die Nutzer zu schützen erlaubte NOD32 von Eset es Angreifern, die Rechner der Opfer komplett zu übernehmen. Das Update, welches die Lücke schließt, sollte schleunigst eingespielt werden. --------------------------------------------- http://heise.de/-2728967 *** SSA-142512 (Last Update 2015-06-25): Cross-Site Scripting Vulnerability in Climatix BACnet/IP Communication Module *** --------------------------------------------- SSA-142512 (Last Update 2015-06-25): Cross-Site Scripting Vulnerability in Climatix BACnet/IP Communication Module --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** Multiple vulnerabilities in Cisco products *** *** Cisco Wireless LAN Controller Command Injection Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39517 *** Cisco IOS XR MPLS LDP Packet Processing Denial of Service Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39509 *** Cisco Unified Presence Server Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39504 *** Cisco IM and Presence Service Leaked Encrypted Passwords Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39505 *** Cisco IM and Presence Service SQL Injection Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39506

1 0

Tageszusammenfassung - Mittwoch 24-06-2015
by Daily end-of-shift report 24 Jun '15

24 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 23-06-2015 18:00 − Mittwoch 24-06-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Operation Clandestine Wolf � Adobe Flash Zero-Day in APT3 PhishingCampaign *** --------------------------------------------- In June, FireEye�s FireEye as a Service team in Singapore uncovered a phishing campaign exploiting an Adobe Flash Player zero-day vulnerability (CVE-2015-3113). The attackers� emails included links to compromised web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-… *** Digital Snake Oil *** --------------------------------------------- One of the most common complaints we see on our forums, and from our users, concerns a particular category of program called �Registry Optimizers� or �Registry Cleaners� or �Registry Defragmenters�. For this post, we will just refer to them as .. --------------------------------------------- https://blog.malwarebytes.org/social-engineering/2015/06/digital-snake-oil/ *** Websites Hacked Via Website Backups *** --------------------------------------------- The past few months we�ve been spending a good deal of time talking about backups. This is for good reason, they are often your safety net when things go wrong; interestingly enough though, they are often the forgotten pillar of security. It�s why we .. --------------------------------------------- https://blog.sucuri.net/2015/06/websites-hacked-via-website-backups.html *** Cisco AnyConnect Client for Windows Privilege Escalation Vulnerability *** --------------------------------------------- A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to install and execute an arbitrary executable file with privileges equivalent to the Microsoft Windows operating system SYSTEM account. --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39466 *** MMD-0033-2015 - Linux/XorDDoS infection incident report (CNC: HOSTASA.ORG) *** --------------------------------------------- This post is an actual malware infection incident of the"Linux/XOR.DDoS" malware, see this previous post as reference, malware was in attempt to infect a real service. Incident details: Source of attack: An attack .. --------------------------------------------- http://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection… *** Analysis and Exploitation of an ESET Vulnerability *** --------------------------------------------- Many antivirus products include emulation capabilities that are intended to allow unpackers to run for a few cycles before signatures are applied. ESET NOD32 uses a minifilter or kext to intercept all disk I/O, which is analyzed and then emulated if .. --------------------------------------------- http://googleprojectzero.blogspot.com/2015/06/analysis-and-exploitation-of-… *** Of Privacy, Security, and the Art of Scanning *** --------------------------------------------- With all the recent news and attention on world events the concept and concern around privacy has increased over the last several years. This is an excellent progression of personal protection and should be pursued .. --------------------------------------------- http://blog.shadowserver.org/2015/06/23/of-privacy-security-and-the-art-of-… *** Attacking Ruby Gem Security with CVE-2015-3900 *** --------------------------------------------- A Ruby gem is a standard packaging format used for Ruby libraries and applications. This packaging format allows Ruby software developers a clearly defined format in which they can .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Secu… *** Samsung deliberately disabling Windows Update *** --------------------------------------------- On my home forum Sysnative, a user (wavly) was being assisted with a WU issue, which was going well, aside from the fact that wavlys WU kept getting disabled randomly. It was figured out eventually after using auditpol.exe and registry security .. --------------------------------------------- http://bsodanalysis.blogspot.de/2015/06/samsung-deliberately-disabling-wind… *** Kaspersky hilft Facebook User-PCs nach Viren zu scannen *** --------------------------------------------- Facebook will die Verbreitung von Malware über das soziale Netzwerk eindämmen. Dafür werden nicht nur Profile nach verdächtigen Aktivitäten gescannt. Das Unternehmen bietet Nutzern auch die Möglichkeit an, einen kostenlosen Scan ihres Computers durchzuführen. Seit einiger Zeit .. --------------------------------------------- http://derstandard.at/2000017946165 *** Identifying vulnerable code *** --------------------------------------------- No matter how much care you take during development of any software, security issues creep in. Hence, it is important to get the code reviewed for security loopholes. Code is the only advantage for organizations over the hackers and they need .. --------------------------------------------- http://resources.infosecinstitute.com/identifying-vulnerable-code/ *** Am 30. Juni ist DNSSEC-Day *** --------------------------------------------- Am 30. Juni 2015 veranstalten das BSI, der DENIC und heise online den DNSSEC-Day. Kern der Veranstaltung ist ein Livestreaming, bei dem Fachleute Nutzen und .. --------------------------------------------- http://heise.de/-2723932 *** Results of my recent PostScript Charstring security research unveiled *** --------------------------------------------- Some months ago, I started reverse engineering and investigating the security posture of the Adobe Type Manager Font Driver (ATMFD.DLL) module, which provides support for Type 1 and OpenType fonts in the Windows kernel since Windows NT 4.0, .. --------------------------------------------- http://j00ru.vexillium.org/?p=2520

1 0

Tageszusammenfassung - Dienstag 23-06-2015
by Daily end-of-shift report 23 Jun '15

23 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 22-06-2015 18:00 − Dienstag 23-06-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Security updates available for Adobe Flash Player (APSB15-14) *** --------------------------------------------- A Security Bulletin (APSB15-14) has been published regarding security updates for Adobe Flash Player. These updates address a critical vulnerability (CVE-2015-3113), and Adobe recommends users update their product installations to the latest .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1210 *** Multiple vulnerabilities in Cisco products *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39439 http://tools.cisco.com/security/center/viewAlert.x?alertId=39440 http://tools.cisco.com/security/center/viewAlert.x?alertId=39455 http://tools.cisco.com/security/center/viewAlert.x?alertId=39457 http://tools.cisco.com/security/center/viewAlert.x?alertId=39459 http://tools.cisco.com/security/center/viewAlert.x?alertId=39460 http://tools.cisco.com/security/center/viewAlert.x?alertId=39377 http://tools.cisco.com/security/center/viewAlert.x?alertId=39458 *** �Free� Proxies Aren�t Necessarily Free *** --------------------------------------------- Netflix, Hulu and a host of other content streaming services block non-U.S. users from viewing their content. As a result, many people residing in or traveling outside of the United States seek to circumvent such restrictions by using services that advertise "free" and "open" Web proxies capable of .. --------------------------------------------- http://krebsonsecurity.com/2015/06/free-proxies-arent-necessarily-free *** Security hole in MacKeeper used to shove malware onto Macs *** --------------------------------------------- According to researchers at BAE, a recent Mac malware infestation was carried out using a security hole in a utility called MacKeeper. --------------------------------------------- https://nakedsecurity.sophos.com/2015/06/22/security-hole-in-mackeeper-used… *** New Dridex infection vector identified - Banking Trojan�s authors use Microsoft Office trick and a legitimate service to infect systems *** --------------------------------------------- Malware authors can sometimes be creative in order to manipulate their human targets on the one hand and to circumvent security products, too. The experts of G DATA�s SecurityLabs analyzed a specially crafted Microsoft Word document .. --------------------------------------------- https://blog.gdatasoftware.com/blog/article/new-dridex-infection-vector-ide… *** XOR DDOS Mitigation and Analysis, (Tue, Jun 23rd) *** --------------------------------------------- I have struggled over the past recent months with a clients environment becoming infected and reinfected with an XOR DDOS trojan. The disruption and reinfection rates were costly at times. The client in question .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19827 *** This Radio Bug Can Steal Laptop Crypto Keys, Fits Inside a Pita *** --------------------------------------------- The list of paranoia-inducing threats to your computer�s security grows daily: Keyloggers, trojans, infected USB sticks, ransomware�and now the rogue falafel sandwich. --------------------------------------------- http://www.wired.com/2015/06/radio-bug-can-steal-laptop-crypto-keys-fits-in… *** mTAN-Trojaner hat es erneut auf Android-Nutzer abgesehen *** --------------------------------------------- Gefälschte E-Mails im Namen der Postbank machen aktuell die Runde und fordern Nutzer dazu auf, eine SSL-Zertifikat-App zu installieren. Dahinter verbirgt sich jedoch ein Trojaner, der unter anderem mTANs für Online-Banking mitschneidet. --------------------------------------------- http://heise.de/-2721682 *** Moose Malware-Part 1 *** --------------------------------------------- In this article series, we will learn about a famous Linux family of malware known as MOOSE, which is used to steal unencrypted traffic over the wire and infect other devices automatically. This malware steals HTTP cookies and performs .. --------------------------------------------- http://resources.infosecinstitute.com/moose-malware-part-1/ *** Edges for file renames and process kills. *** --------------------------------------------- With build 47 ProcDOT introduced brand new edges to visualize situations where a file is being renamed or a process is being killed by some thread. While the latter was quite easy to implement it�s the renaming of files which stands out of the mass of typical frames/events in terms of ProcDOT�s animation capabilities. --------------------------------------------- http://procdot.com/blog_20150623.htm *** Support-Ende beim Windows Server 2003 am 14. Juli *** --------------------------------------------- Länger als Windows XP hat Microsoft sein Server-Betriebssystem derselben Generation mit Sicherheits-Updates versorgt. Aber am 14. Juli ist damit endgültig Schluss. --------------------------------------------- http://www.heise.de/newsticker/meldung/Support-Ende-beim-Windows-Server-200…

1 0

Tageszusammenfassung - Montag 22-06-2015
by Daily end-of-shift report 22 Jun '15

22 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 19-06-2015 18:00 − Montag 22-06-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Owning Internet Printing - A Case Study in Modern Software Exploitation *** --------------------------------------------- Modern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, .. --------------------------------------------- http://googleprojectzero.blogspot.com/2015/06/owning-internet-printing-case… *** Cacti Input Validation Flaw Permits Cross-Site Scripting and SQL Injection Attacks *** --------------------------------------------- The software does not properly filter HTML code from user-supplied input before displaying the input [CVE-2015-2665]. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The .. --------------------------------------------- http://www.securitytracker.com/id/1032672 *** Multiple vulnerabilities in Cisco products *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39432 http://tools.cisco.com/security/center/viewAlert.x?alertId=39431 http://tools.cisco.com/security/center/viewAlert.x?alertId=39422 http://tools.cisco.com/security/center/viewAlert.x?alertId=39424 http://tools.cisco.com/security/center/viewAlert.x?alertId=39423 *** Banking Trojan has targeted Bundestag *** --------------------------------------------- After the initial reports on the attacks on the Bundestag (German Federal Parliament), variants of the Swatbanker family are now putting the Bundestags intranet on a watch list. The operators of the botnet are apparently trying to steal access data and server responses associated with this .. --------------------------------------------- https://blog.gdatasoftware.com/blog/article/banking-trojan-has-targeted-bun… *** Microsoft website dedicated to online privacy gets hacked *** --------------------------------------------- Digital Constitution was running outdated of version of WordPress. --------------------------------------------- http://arstechnica.com/security/2015/06/microsoft-website-dedicated-to-onli… *** Microsoft: Meine Lücken schließ' ich nicht *** --------------------------------------------- Sicherheitsexperten geben Details zu Lücken in Internet Explorer heraus, weil Microsoft die Lücken nicht schließen will. --------------------------------------------- http://heise.de/-2718449 *** Standardschlüssel gefährdet SAPs Datenbank Hana *** --------------------------------------------- Bei der Installation wird die Benutzerdatenbank in SAPs Hana mit dem stets gleichen Standardschlüssel abgesichert. Weil dieser nur selten geändert wird, könnten sich Unberechtigte leicht Zugriff auf die dort gespeicherten Administratorkonten verschaffen. --------------------------------------------- http://www.golem.de/news/it-sicherheit-standardschluessel-gefaehrdet-saps-d… *** VMware Workstation: Der Einbruch �über Port COM1 *** --------------------------------------------- Über Schwachstellen in VMwares Workstation und Player ist ein vollständiger Zugriff auf das Wirtssystem aus einem Gastsystem heraus möglich. VMware hat bereits Updates veröffentlicht. --------------------------------------------- http://www.golem.de/news/vmware-workstation-der-einbruch-ueber-port-com1-15… *** Advertising: The Digital Turf War on your Desktop *** --------------------------------------------- https://blog.malwarebytes.org/privacy-2/2015/06/advertising-the-digital-tur… *** XARA-Lücke: Apple kündigt Fix für iOS und OS X an *** --------------------------------------------- Das Sicherheitsproblem, über das unter anderem Passwörter ausgelesen werden könnten, soll demnächst in der Software behoben werden. Zudem versucht sich der iPhone-Hersteller an anderen Lösungen. --------------------------------------------- http://heise.de/-2718624 *** The most common information security mistakes of e-commerces *** --------------------------------------------- Almost every month a new incident involving a big retailer, e-commerce or web platform makes the news headlines. Most retail fraud is now committed online, and in 2014 alone hackers managed to steal more than 61 million records from .. --------------------------------------------- https://www.htbridge.com/blog/the-most-common-information-security-mistakes… *** Adware for OS X distributes Trojans *** --------------------------------------------- Lately, reports about distribution of new malicious and potentially dangerous programs for OS X have been emerging with great frequency. Doctor Web security researches have registered a growing number of various adware and installers .. --------------------------------------------- http://news.drweb.com/show/?i=9502&lng=en&c=9 *** Steal That Car in 60 Seconds *** --------------------------------------------- Introduction Cars are everywhere and they are being upgraded with new technology as often as any other device we use. Taking some inspiration from the movie Knight and Day, .. --------------------------------------------- http://resources.infosecinstitute.com/the-car-in-60-seconds/ *** NSA spionierte österreichische Antiviren-Hersteller aus *** --------------------------------------------- Ikarus und Emsisoft genannt – NSA überwachte E-Mails an Firmen, um Entdeckung von Schadprogrammen mitzubekommen --------------------------------------------- http://derstandard.at/2000017842807 *** Magnitude EK: Traffic Analysis *** --------------------------------------------- Hello and welcome! Recently I have been skilling up in malware analysis. Specifically, my focus has been centred on client-side exploit kits, such common kits include: Angler, Nuclear, Magnitude, Neutrino, RIG... There are quite a few reasons for my new found .. --------------------------------------------- http://www.fuzzysecurity.com/tutorials/21.html *** Android Activtity Security *** --------------------------------------------- Each Android Application is made up of Activity, Service, Content Provider and Broadcast Receiver, which are the basic components of Android. Among those components, An Activity is .. --------------------------------------------- http://translate.wooyun.io/2015/06/22/android-activtity-security.html *** A month with BADONIONS *** --------------------------------------------- A few weeks ago I got the idea of testing how much sniffing is going on in the Tor network by setting up a phishing site where I login with unique password and then store them. I .. --------------------------------------------- https://chloe.re/2015/06/20/a-month-with-badonions/ *** Poseidon and Backoff POS � the links and similarities *** --------------------------------------------- Poseidon, also known as FindPOS, is a malware family designed for Windows point-of-sale systems. Poseidon scans the memory for running processes and employs keystroke logging .. --------------------------------------------- https://blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link *** Bypassing Microsoft EMET 5.2 - a neverending story? *** --------------------------------------------- The experts of the SEC Consult Vulnerability Lab managed to adapt the EMET 5.0 / 5.1 bypasses to additionally work against the latest Microsoft EMET version which is 5.2. Results of the research were already presented this year at .. --------------------------------------------- http://blog.sec-consult.com/2015/06/bypassing-microsoft-emet-52-neverending…

1 0

Tageszusammenfassung - Freitag 19-06-2015
by Daily end-of-shift report 19 Jun '15

19 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 18-06-2015 18:00 − Freitag 19-06-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** So Long, and Thanks for All the Domains *** --------------------------------------------- While Trojans like Dyre and Dridex are dominating malware-related news, we take the time to have a closer look at Tinba (Tiny Banker, Zusy, Illi), yet another Trojan which targets Windows users. In the first part of this post, we... --------------------------------------------- http://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-dom… *** Understanding type confusion vulnerabilities: CVE-2015-0336 *** --------------------------------------------- In March 2014, we observed a patched Adobe Flash vulnerability (CVE-2015-0336) being exploited in the wild. Adobe released the patch on March 12, 2014, and exploit code using this vulnerability first appeared about a week later. To help stay protected: Keep your Microsoft security software, such as Windows Defender for Windows 8.1 up-to-date. Keep your third-party software, such as Adobe Flash Player, up-to-date. Be cautious when browsing potentially malicious or compromised websites. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2015/06/18/understanding-type-confu… *** Tapatalk-Plug-in liest Daten von Forennutzern aus *** --------------------------------------------- Wie die Administratoren des HardwareLuxx-Forums entdeckten, liest das Plug-in der Mobil-App die E-Mail-Adressen ihrer 200.000 Nutzer auf Anfrage aus und schickt diese an eigene Server. Tapatalk hält das Ganze für ein Versehen. --------------------------------------------- http://heise.de/-2716662 *** Paper: Beta exploit pack: one more piece of crimeware for the infection road! *** --------------------------------------------- Exploit kit currently being tested focuses primarily on Flash Player exploits.Nuclear, Angler, Magnitude and Rig. Security researchers know were talking about exploit kits (or browser exploit packs), toolkits that automate the exploitation of client-side vulnerabilities and thus facilitate infection through drive-by downloads.Today, we publish an article by researchers Aditya K. Sood and Rohit Bansal, in which they look at a new exploit kit, Beta. Though it is still in a testing phase, Aditya... --------------------------------------------- http://www.virusbtn.com/blog/2015/06_19.xml?rss *** SAP Hana users warned of security vulnerability *** --------------------------------------------- Hard on the heels of the release of a newly updated version of SAP Hana, a security researcher has warned of a potentially serious vulnerability in the in-memory platform. "If an attacker can exploit this vulnerability, he can get access to all encrypted data stored in an SAP Hana database," said Alexander Polyakov, CTO with ERPScan, which presented the details Thursday at the Black Hat Sessions XIII conference in the Netherlands. --------------------------------------------- http://www.cio.com/article/2937953/sap-hana-users-warned-of-security-vulner… *** Identifying Your Prey *** --------------------------------------------- User hunting is one of my favorite phases of an engagement. Whether it's performed for lateral spread and escalation, or to demonstrate impact by tracking down incident responders and executives, we end up hunting for users on nearly every assessment we conduct. I presented this topic at the Shmoocon '15 Firetalks, and published the "I Hunt Sys Admins" post to help highlight some of the ways we track down where users are located in Windows domains. --------------------------------------------- http://www.verisgroup.com/2015/06/17/identifying-your-prey/ *** an awesome list of honeypot resources *** --------------------------------------------- A curated list of awesome honeypots, tools, components and much more. The list is divided into categories such as web, services, and others, focusing on open source projects. There is no pre-established order of items in each category, the order is for contribution. If you want to contribute, please read the guide. --------------------------------------------- https://github.com/paralax/awesome-honeypots *** The Samsung SwiftKey Vulnerability - What You Need To Know, And How To Protect Yourself *** --------------------------------------------- Recently, researchers announced that a vulnerability in Samsung Android devices had been found which allowed attackers to run malicious code on vulnerable devices if they became the targets of a man-in-the-middle attack. In this post we will explain how this vulnerability works, and what can users do to protect themselves. The Vulnerability The stock Android... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Y8_n4zFsafI/ *** Security CheatSheets - A collection of cheatsheets for various infosec tools and topics *** --------------------------------------------- These security cheatsheets are part of a project for the Ethical Hacking and Penetration Testing course offered at the University of Florida. Expanding on the default set of cheatsheets, the purpose of these cheatsheets are to aid penetration testers/CTF participants/security enthusiasts in remembering commands that are useful, but not frequently used. Most of the tools that will be covered have been included in our class and are available in Kali Linux. --------------------------------------------- http://www.kitploit.com/2015/06/security-cheatsheets-collection-of.html *** Bundestag: Linksfraktion veröffentlicht Malware-Analyse *** --------------------------------------------- Die Linksfraktion veröffentlicht im Zusammenhang mit dem Bundestags-Hack eine Analyse von Malware, die auf ihren Servern gefunden wurde. Darin wird eine Verbindung zur russischen Organisation APT28 nahegelegt. Doch wirklich überzeugend sind die Belege dafür nicht. --------------------------------------------- http://www.golem.de/news/bundestag-linksfraktion-veroeffentlicht-malware-an… *** Bugtraq: ZTE ZXV10 W300 v3.1.0c_DR0 - UI Session Delete Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/535797 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Content Manager Enterprise Edition (CVE-2015-0478, CVE-2015-0488, CVE-2015-1916, CVE-2015-2808) *** http://www.ibm.com/support/docview.wss?uid=swg21960248 *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM InfoSphere Discovery (CVE-2015-0488) *** http://www.ibm.com/support/docview.wss?uid=swg21903544 *** IBM Security Bulletin: Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerability (CVE-2014-0230) *** http://www.ibm.com/support/docview.wss?uid=swg21959294 *** IBM Security Bulletin: Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server uses an insecure hashing scheme for handling user passwords (CVE-2015-1913) *** http://www.ibm.com/support/docview.wss?uid=swg21959298 *** IBM Security Bulletin: Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerability (CVE-2014-0227) *** http://www.ibm.com/support/docview.wss?uid=swg21959291 *** IBM Security Bulletin: GNU C library (glibc) vulnerabilities affect IBM SmartCloud Entry (CVE-2014-6040 CVE-2014-7817) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022093 *** Wind River VXWorks TCP Predictability Vulnerability in ICS Devices *** --------------------------------------------- This advisory provides mitigation details for a TCP predictability vulnerability identified in Wind River's VxWorks. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-169-01 *** Cisco WebEx Meeting Center Web-Based Administrative Interface User Enumeration Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39420

1 0

Tageszusammenfassung - Donnerstag 18-06-2015
by Daily end-of-shift report 18 Jun '15

18 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 17-06-2015 18:00 − Donnerstag 18-06-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** OS X and iOS Unauthorized Cross Application Resource Access (XARA), (Thu, Jun 18th) *** --------------------------------------------- The last couple of days, a paper with details about XARA vulnerabilities in OS X and iOS is getting a lot of attention [1]. If you havent seen the term XARA before, then this is probably because cross-application-resource-access was normal in the past. Different applications has access to each others data as long as the same user ran them. But more recently, operating systems like OS X and iOS made attempts to sandbox applications and isolate applications from each other even if the same user... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19815&rss *** Apple OS X and iOS in the vulnerability spotlight - meet "CORED," also known as "XARA" *** --------------------------------------------- The security issue of the week has arrived in iOS and OS X, and its attracted a funky name already. The researchers called it XARA, but others had different ideas, and dubbed it "CORED." As in "Apple CORED." --------------------------------------------- http://feedproxy.google.com/~r/nakedsecurity/~3/Q4IwUfvQIVM/ *** IT-Sicherheitskonferenz FIRST: Ohne Vertrauen geht nichts, aber das Vertrauen geht *** --------------------------------------------- Die FIRST-Konferenz in Berlin beschäftigte sich damit, wie die Sicherheit von Computernetzen verbessert werden kann. Am Ende stand die Erkenntnis, dass die Arbeit komplizierter wird, weil Staaten zunehmend in IT-Sicherheit eingreifen. --------------------------------------------- http://heise.de/-2716841 *** Caching Out: The Value of Shimcache for Investigators *** --------------------------------------------- During a recent investigation, we found references to timestamps associated with probable malicious files that preceded the earliest known date of compromise. These Application Compatibility Cache (“Shimcache”) timestamps were the only evidence linked to this timeframe. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.ht… *** Uncovering Tor users: where anonymity ends in the Darknet *** --------------------------------------------- Intelligence services have not disclosed any technical details of how they detained cybercriminals who created Tor sites to distribute illegal goods; in particular, they are not giving any clues how they identify cybercriminals who act anonymously. This may mean that the implementation of the Tor Darknet contains some vulnerabilities and/or configuration defects that make it possible to unmask any Tor user. In this research, we will present practical examples to demonstrate how Tor users may... --------------------------------------------- http://securelist.com/analysis/publications/70673/uncovering-tor-users-wher… *** Drupal-Lücken erlauben das Kapern von Admin-Konten *** --------------------------------------------- In Drupal 6 und 7 klaffen vier Sicherheitslücken. Die schwerwiegendste erlaubt es Angreifer, Admin-Konten des CMS über OpenID zu kapern. Updates, welche die Lücken schließen, stehen zum Download bereit. --------------------------------------------- http://heise.de/-2715975 *** Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CORE-2015-002Project: Drupal core Version: 6.x, 7.xDate: 2015-June-17Security risk: 15/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information Disclosure, Open Redirect, Multiple vulnerabilitiesDescriptionImpersonation (OpenID module - Drupal 6 and 7 - Critical)A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their --------------------------------------------- https://www.drupal.org/SA-CORE-2015-002 *** Security Advisories for Drupal Third-Party Modules *** --------------------------------------------- https://www.drupal.org/security/contrib *** Bugtraq: [security bulletin] HPSBGN03350 rev.1 - HP SiteScope Using RC4, Remote Disclosure of Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/535785 *** Bugtraq: [security bulletin] HPSBGN03338 rev.1 - HP Service Manager running RC4, Remote Disclosure of Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/535786 *** Cisco IOS XR IPv6 Packet Processing Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39383 *** Cisco IOS XR SSH Disconnect Error Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39402 *** Symantec Endpoint Protection Manager and Client Issues *** ---------------------------------------------  Revisions None Severity CVSS2Base ScoreImpactExploitabilityCVSS2 VectorSEPM Auth User Blind SQLi in PHP prepared state... --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** [R2] PHP < 5.4.41 Vulnerabilities Affect Tenable SecurityCenter *** --------------------------------------------- http://www.tenable.com/security/tns-2015-06 *** Rack denial of service *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/103917 *** SQL Injection in EXT:sb_akronymmanager *** --------------------------------------------- It has been discovered that the extension "Akronymmanager" (sb_akronymmanager) is susceptible to SQL Injection --------------------------------------------- http://www.typo3.org/news/article/sql-injection-in-extsb-akronymmanager/ *** pure-ftpd 1.0.39 remote denial of service in glob_() *** --------------------------------------------- Topic: pure-ftpd 1.0.39 remote denial of service in glob_() Risk: Medium Text:Version 1.0.40 of pure-FTPd fixes a potential denial of service issue. From the NEWS file: - The process handling a user... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015060101

1 0

Tageszusammenfassung - Mittwoch 17-06-2015
by Daily end-of-shift report 17 Jun '15

17 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 16-06-2015 18:00 − Mittwoch 17-06-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Unpatched OS X, iOS flaws allow password, token theft from keychain, apps *** --------------------------------------------- Six researchers from Indiana University Bloomington, Peking University and Georgia Tech have recently published a paper in which they detail the existence of critical security weaknesses in Apples OS... --------------------------------------------- http://www.net-security.org/secworld.php?id=18523 *** Security: Unverschlüsselte App-Updates gefährden Samsungs Smartphones *** --------------------------------------------- Wenn Apps ihre Aktualisierungen unverschlüsselt abholen, sind sie leicht zu manipulieren. Vor allem bei systemnahen Anwendungen ist das ein gravierendes Problem, wie ein aktueller Fall belegt, der vor allem die Galaxy-Reihe von Samsung betrifft. --------------------------------------------- http://www.golem.de/news/security-unverschluesselte-app-updates-gefaehrden-… *** CVE-2014-4114 and an Interesting AV Bypass Technique, (Tue, Jun 16th) *** --------------------------------------------- Citizenlabs recently reported on a CVE-2014-4114 campaign against pro-democracy / pro-Tibetian groups in Hong Kong. The attacks happening should not surprise anyone, nor that the attacks were sophisticated. The vulnerability itself was patched with MS14-060 and has been used by APT and crime groups for sometime. Trend Micro wrote a good write-up of the issue here. What is interesting is what, in effect, is an anti-virus bypass that was employed by the actors. This bypass was discussed in this... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19809&rss *** VU#155412: Samsung Galaxy S phones fail to properly validate Swiftkey language pack updates *** --------------------------------------------- Vulnerability Note VU#155412 Samsung Galaxy S phones fail to properly validate Swiftkey language pack updates Original Release date: 16 Jun 2015 | Last revised: 16 Jun 2015 Overview Samsung Galaxy S phones, including the S4 Mini, S4, S5, and S6, fail to properly validate Swiftkey language pack updates. Description CWE-345: Insufficient Verification of Data Authenticity - CVE-2015-2865Samsung Galaxy S phones, including the S4 Mini, S4, S5, and S6, are pre-installed with a version of Swiftkey... --------------------------------------------- http://www.kb.cert.org/vuls/id/155412 *** EMC Unified Infrastructure Manager/Provisioning Authentication Flaw Lets Remote Users Access the System *** --------------------------------------------- http://www.securitytracker.com/id/1032589 *** Red Hat OpenSSL Locking Error in ssleay_rand_bytes() Lets Remote Users Deny Service *** --------------------------------------------- http://www.securitytracker.com/id/1032587 *** Vulnerabilities in Cisco Products *** --------------------------------------------- *** Cisco Cloud Portal Appliance Pregenerated Default Host Keys Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39380 *** Cisco Prime Collaboration Manager SQL Injection Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39365 *** Cisco Prime Collaboration Assurance Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=31998 *** Cisco Adaptive Security Appliance Encrypted IPSec or IKEv2 Packet Modification Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39366 *** [HTB23261]: OS Command Injection in Vesta Control Panel *** --------------------------------------------- Product: Vesta Control Panel v0.9.8Vulnerability Type: OS Command Injection [CWE-78]Risk level: Critical Creater: http://vestacp.comAdvisory Publication: May 20, 2015 [without technical details]Public Disclosure: June 17, 2015 CVE Reference: CVE-2015-4117 CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C) Vulnerability Details: High-Tech Bridge Security Research Lab discovered critical vulnerability in Vesta Control Panel, which can be exploited to execute arbitrary system commands and gain... --------------------------------------------- https://www.htbridge.com/advisory/HTB23261 *** VU#842780: Vesta Control Panel is vulnerable to cross-site request forgery *** --------------------------------------------- Vulnerability Note VU#842780 Vesta Control Panel is vulnerable to cross-site request forgery Original Release date: 16 Jun 2015 | Last revised: 16 Jun 2015 Overview Vesta Control Panel is vulnerable to a cross-site request forgery (CSRF) attack. Description CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-2861Vesta Control Panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has --------------------------------------------- http://www.kb.cert.org/vuls/id/842780 *** Bugtraq: ESA-2015-043: RSA Validation Manager Security Update for Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/535777 *** GarrettCom Magnum Series Devices Vulnerabilities *** --------------------------------------------- This advisory provides mitigation details for multiple vulnerabilities in GarrettCom's Magnum 6k and Magnum 10k product lines. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-167-01-0 *** Security update available for Adobe Photoshop CC *** --------------------------------------------- Adobe has released an update for Photoshop CC for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. --------------------------------------------- https://helpx.adobe.com/security/products/photoshop/apsb15-12.html *** Security update available for Adobe Bridge CC *** --------------------------------------------- Adobe has released an update for Adobe Bridge CC for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. --------------------------------------------- https://helpx.adobe.com/security/products/bridge/apsb15-13.html *** Bugtraq: VCE3570: VCE Vision(TM) Intelligent Operations Cryptographic and Cleartext Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/535781 *** [R1] PHP < 5.4.41 Vulnerabilities Affect Tenable SecurityCenter *** --------------------------------------------- June 15, 2015 --------------------------------------------- http://www.tenable.com/security/tns-2015-06

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily June 2015