Daily September 2016

daily@lists.cert.at

1 participants
22 discussions

Tageszusammenfassung - Freitag 30-09-2016
by Daily end-of-shift report 30 Sep '16

30 Sep '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 29-09-2016 18:00 − Freitag 30-09-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** The Equation Groups Firewall Exploit Chain *** --------------------------------------------- There has been plenty of research on pieces of this exploit kit, but very little on the full exploit chain. We were interested in studying some of the command and control traffic used by this exploit kit for emulation in BreakingPoint. On the way, we figured out how a lot of the puzzle pieces fit together. What follows are our findings on how this kit gains persistent control of a Cisco firewall. We also identify some of the missing pieces that were not previously available. --------------------------------------------- https://www.ixiacom.com/company/blog/equation-groups-firewall-exploit-chain *** European Cyber Security Month: get in the driving seat of your own online security *** --------------------------------------------- October 2016 is European Cyber Security Month and this year October will bring plenty of opportunities for people to discover how to stay safe online and play an active role in their own security. Throughout European Cyber Security Month – which kicks-off today in Brussels - over 300 activities, including events, training sessions, tips and an online quiz, will take place across 27 countries. This year's Cyber Security Month will focus on security in banking, cyber safety, cyber training and mobile malware. --------------------------------------------- https://www.enisa.europa.eu/news/ecsm *** Lesser known tricks of spoofing extensions *** --------------------------------------------- It is a well-known fact that malware using social engineering tricks is designed to hide itself from being an obvious executable. In this short article, we will present two other less common tricks used to deceive users. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2016/09/lesser-known-tricks-of-spo… *** Backdoored D-Link Router Should be Trashed, Researcher Says *** --------------------------------------------- A researcher who found a slew of vulnerabilities in a popular router says it's so hopelessly broken that consumers who own them should throw them away. --------------------------------------------- http://threatpost.com/backdoored-d-link-router-should-be-trashed-researcher… *** Sentinel 7.4 SP3 (Sentinel 7.4.3.0) Build 2805 *** --------------------------------------------- This service pack resolves the following security vulnerabilities: Sentinel 7.4 SP3 resolves a Java deserialization (CVE-2016-1000031) vulnerability. --------------------------------------------- https://download.novell.com/Download?buildid=HXXzqDiAPd0~ *** [SANS ISC Diary] Another Day, Another Malicious Behaviour *** --------------------------------------------- I published the following diary on isc.sans.org: "Another Day, Another Malicious Behaviour". Every day, we are spammed with thousands of malicious emails and attackers always try to find new ways to bypass the security controls. Yesterday, I detected a suspicious HTTP GET request... --------------------------------------------- https://blog.rootshell.be/2016/09/30/sans-isc-diary-another-day-another-mal… *** Patch für Street Fighter V: Anti-Cheat-Tool als Rootkit missbrauchar *** --------------------------------------------- Ein aktueller Patch für die Windows-Version von Street Fighter V bringt Maßnahmen gegen Cheater mit, deaktiviert dafür aber einen essentiellen Sicherheits-Mechanismus von Computern. Mittlerweile soll ein Fix des Sicherheits-Problem aus der Welt schaffen. --------------------------------------------- https://heise.de/-3338614 *** Bugtraq *** --------------------------------------------- *** Bugtraq: Multiple exposures in Sophos UTM *** http://www.securityfocus.com/archive/1/539518 --------------------------------------------- *** Bugtraq: [SYSS-2016-060] Logitech M520 - Insufficient Verification of Data Authenticity (CWE-345) *** http://www.securityfocus.com/archive/1/539517 --------------------------------------------- *** Bugtraq: Persistent XSS in Abus Security Center - CVSS 8.0 *** http://www.securityfocus.com/archive/1/539514 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 29-09-2016
by Daily end-of-shift report 29 Sep '16

29 Sep '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 28-09-2016 18:00 − Donnerstag 29-09-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Dangerous Linux Trojan family investigated by Doctor Web *** --------------------------------------------- September 27, 2016 Doctor Web’s security researchers have examined a Trojan named Linux.Mirai which is used by criminals to carry out DDoS attacks. Because virus specialists were familiar with earlier versions of this Trojan, they were able to find many features of the previous versions in this latest one, .. --------------------------------------------- http://news.drweb.com/show/?i=10218&lng=en&c=9 *** SSH Brute Force Compromises Leading to DDoS *** --------------------------------------------- A few weeks ago we ran an experiment to see how long it would take for some IPv4-only and IPv6-only servers to be compromised via SSH brute force attacks. We configured five cloud servers on Linode and Digital Ocean with the root password .. --------------------------------------------- https://blog.sucuri.net/2016/09/ssh-brute-force-compromises-leading-to-ddos… *** Introducing Her Royal Highness, the Princess Locker Ransomware *** --------------------------------------------- Today we bring you Princess Locker; the ransomware only royalty could love. First discovered by Michael Gillespie, Princess Locker encrypts a victims data and then demands a hefty ransom .. --------------------------------------------- http://www.bleepingcomputer.com/news/security/introducing-her-royal-highnes… *** Sicherheitsrisiko Baustellenampeln: Grüne Welle auf Knopfdruck *** --------------------------------------------- Es klingt wie ein Computerspiel oder ein Hackerfilm, ist aber leider Realität: Die Ampelanlagen eines deutschen Herstellers lassen sich fernsteuern. Obwohl das Unternehmen seit Monaten Kenntnis davon hat, ist bislang nichts geschehen. --------------------------------------------- http://www.golem.de/news/sicherheitsrisiko-baustellenampeln-gruene-welle-au… *** ManageEngine ServiceDesk Plus vulnerable to cross-site scripting *** --------------------------------------------- http://jvn.jp/en/jp/JVN50347324/ *** Rekord-DDoS-Attacke mit 1,1 Terabit pro Sekunde gesichtet *** --------------------------------------------- Höher, schneller, weiter: Ein stetig wachsendes Botnet soll die Server eines französischen Web-Hosters mit gewaltigen Datenmengen bombardiert haben. Dabei handelt es sich offensichtlich um den bisher größten dokumentierten DDoS-Angriff. --------------------------------------------- http://heise.de/-3336494 *** 500-Millionen-Hack: Yahoo sparte an der Sicherheit *** --------------------------------------------- Marissa Mayer verteilte bei Yahoo kostenfreie iPhones und teures Catering - an der Sicherheit wurde aber offenbar gespart. Außerdem bezweifelt eine Sicherheitsfirma, dass Yahoo wirklich von einem staatlichen Akteur gehackt wurde. --------------------------------------------- http://www.golem.de/news/500-millionen-hack-yahoo-sparte-an-der-sicherheit-… *** Multiple vulnerabilities in extension "phpMyAdmin" *** --------------------------------------------- https://typo3.org/news/article/multiple-vulnerabilities-in-extension-phpmya… *** Cisco patcht Hintertür weg und schließt weitere Lücken *** --------------------------------------------- Unter bestimmten Voraussetzungen sollen Angreifer ohne viel Aufwand Email Security Appliances kapern können. Cisco stuft die Sicherheitslücke mit dem höchsten Bedrohungsgrad ein. --------------------------------------------- http://heise.de/-3337464 *** Bundeskriminalamt: Bewusstsein für Cyberbedrohungen immer noch mangelhaft *** --------------------------------------------- Bundesheer und Bundeskriminalamt setzen auf Aufklärung und suchen technikaffine Kräfte --------------------------------------------- http://derstandard.at/2000045143087

1 0

Tageszusammenfassung - Mittwoch 28-09-2016
by Daily end-of-shift report 28 Sep '16

28 Sep '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 27-09-2016 18:00 − Mittwoch 28-09-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Warnung vor Rechnungen der "Austria Domain Hosting" *** --------------------------------------------- Aktuell erhalten zahlreiche InternetnutzerInnen per E-Mail vermeintliche Rechnungen der "Austria Domain Hosting". Zu zahlen sind 179,40 Euro für eine nie bestellte Registrierung einer Domain. In Wirklichkeit handelt es sich um einen Betrugsversuch! --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/warnung-vor-rechnu… *** Datenschützer decken schwere Mängel im Internet der Dinge auf *** --------------------------------------------- Das Global Privacy Network (GPEN) hat 314 vernetzte Geräte von Fitness-Trackern über Blutzuckermessgeräte bis zu Smart-TVs geprüft und ist auf große Lücken beim Datenschutz gestoßen. Selbst sensible Informationen würden kaum verschlüsselt. --------------------------------------------- http://www.heise.de/newsticker/meldung/Datenschuetzer-decken-schwere-Maenge… *** Back in Time Memory Forensics, (Tue, Sep 27th) *** --------------------------------------------- You might get into a case where you have only the disk image without having the memory image. Or even if you have the memory image but you wish If you have something back in time.With hibernation file (hiberfil.sys) ,PageFile (pageand crash dump that might be possible. And if you are lucky enough you might be able to recover them from volume shadow copy which is enabled by default in most of modern Windows OS . --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21527&rss *** Bugtraq: ESA-2016-127: EMC ViPR SRM Stored Cross-Site Scripting Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/539492 *** Vuln: libgd gd_webp.c Integer Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93184 *** Security Advisory: BIND vulnerability CVE-2016-2776 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/18/sol18829561.html?… *** Vuln: Symantec Messaging Gateway CVE-2016-5312 Directory Traversal Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93148 *** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016 *** --------------------------------------------- On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as "Critical Severity" one as "Moderate Severity" and the other 12 as "Low Severity". Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Vuln: Apache Axis2 Document Type Declaration Processing Security Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/40976 *** Vuln: Apache Xerces-C CVE-2016-4463 Stack Buffer Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/91501 *** BIND Bug in buffer.c Constructing Query Responses Lets Remote Users Cause the Target Service to Crash *** --------------------------------------------- BIND Bug in buffer.c Constructing Query Responses Lets Remote Users Cause the Target Service to Crash --------------------------------------------- http://www.securitytracker.com/id/1036903 *** Security Advisory: libssh vulnerability CVE-2016-0739 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/57/sol57255643.html?… *** Security Advisory: TMM SSL/TLS virtual server vulnerability CVE-2016-6907 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/39/sol39508724.html?… *** EMC ViPR SRM Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- EMC ViPR SRM Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks --------------------------------------------- http://www.securitytracker.com/id/1036904 *** Security Advisory - Path Traversal Vulnerability in Multiple Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160928-… *** SSA-378531 (Last Update 2016-09-27): Vulnerabilities in SIMATIC WinCC, PCS 7 and WinCC Runtime Professional *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-378531… *** TP-Link Archer CR-700 Cross Site Scripting *** --------------------------------------------- n running the command above, it send a DHCP request to the router. On a DHCP request, the host name is sent to which we have forcibly set it to an XSS script <script>alert(5)</script> --------------------------------------------- https://cxsecurity.com/issue/WLB-2016090203 *** Bugtraq: Multiple vulnerabilities found in the Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...) *** --------------------------------------------- Multiple vulnerabilities found in the Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...) --------------------------------------------- http://www.securityfocus.com/archive/1/539502 *** ICS-CERT releases new tools for securing industrial control systems *** --------------------------------------------- The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published newer versions of two tools that can help administrators with securing industrial control systems: the Cyber Security Evaluation Tool (CSET), and a whitepaper on recommended practices for improving ICS cybersecurity with defense-in-depth strategies. While the former has received many update through the years (this newer version is v8.0), the whitepaper is a 'modernized' version of a document .. --------------------------------------------- https://www.helpnetsecurity.com/2016/09/28/tools-securing-industrial-contro… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 and IBM BigFix Inventory v9 (CVE-2016-3485) *** http://www.ibm.com/support/docview.wss?uid=swg21990448 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in Oracle Outside In Technology affect IBM Rational DOORS Next Generation (CVE-2016-3574, CVE-2016-3575, etc) *** http://www.ibm.com/support/docview.wss?uid=swg21988718 --------------------------------------------- *** IBM Security Bulletin: Security Vulnerability in Apache Commons FileUpload affects IBM WebSphere Dashboard Framework (CVE-2016-3092 ) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990386 --------------------------------------------- *** IBM Security Bulletin: Security Vulnerability in Apache Commons FileUpload affects IBM Web Experience Factory (CVE-2016-3092 ) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990394 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo Credit Limits (CVE-2016-3092) *** http://www.ibm.com/support/docview.wss?uid=swg21988584 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Rational BuildForge (CVE-2016-2107, CVE-2016-2176) *** http://www.ibm.com/support/docview.wss?uid=swg21988081 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in sblim-sfcb affects IBM Integrated Management Module (IMM) for System x & BladeCenter (CVE-2015-5185) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099487 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM Integrated Management Module (IMM) for System x & BladeCenter (CVE-2015-8710) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099488 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 27-09-2016
by Daily end-of-shift report 27 Sep '16

27 Sep '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 26-09-2016 18:00 − Dienstag 27-09-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Sofacy APT Targeting OS X Machines with Komplex Trojan *** --------------------------------------------- APT gang Sofacy is targeting Mac OS X users with a Trojan that allows an attacker to execute remote commands on infected systems. --------------------------------------------- http://threatpost.com/sofacy-apt-targeting-os-x-machines-with-komplex-troja… *** Java-Deserialization-Cheat-Sheet *** --------------------------------------------- A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities --------------------------------------------- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet *** Sicherheitsupdate für Django 1.8 und 1.9 veröffentlicht *** --------------------------------------------- Grund für das Update des Webframeworks ist eine Schwachstelle, die im Zusammenspiel mit Google Analytics Djangos CSRF-Schutz angreifbar macht. Das aktuelle Django 1.10 ist nicht betroffen, und ältere Varianten als 1.8 erhalten keine Security-Patches mehr. --------------------------------------------- http://heise.de/-3332611 *** Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM *** --------------------------------------------- The idea behind this vulnerability is simple to describe at a high level: - Trick the 'NT AUTHORITY\SYSTEM' account into authenticating via NTLM to a TCP endpoint we control. - Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the 'NT AUTHORITY\SYSTEM' account. This is done through a series of Windows API calls. - Impersonate the token we have just negotiated --------------------------------------------- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-… *** Unsafe at any clock speed: Linux kernel security needs a rethink *** --------------------------------------------- Ars reports from the Linux Security Summit - and finds much work that needs to be done. --------------------------------------------- http://arstechnica.com/security/2016/09/linux-kernel-security-needs-fixing/ *** No wonder were being hit by Internet of Things botnets. Ever tried patching a Thing? *** --------------------------------------------- Akamai CSO laments pisspoor security design practices Internet of Things devices are starting to pose a real threat to security for the sensible part of the web, Akamais chief security officer Andy Ellis has told The Register. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/09/27/akamai_chie… *** CVE-2016-7543 -- bash SHELLOPTS+PS4 *** --------------------------------------------- The recent bash 4.4 patched an old attack vector regarding specially crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries using system()/popen(). --------------------------------------------- http://seclists.org/oss-sec/2016/q3/617 *** Siemens SCALANCE M-800/S615 Web Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a web security vulnerability in Siemens SCALANCE M-800 and S615 modules. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-271-01 *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2015-8325, CVE-2016-6210, CVE-2016-6515) *** --------------------------------------------- http://aix.software.ibm.com/aix/efixes/security/java_july2016_advisory.asc

1 0

Tageszusammenfassung - Montag 26-09-2016
by Daily end-of-shift report 26 Sep '16

26 Sep '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 23-09-2016 18:00 − Montag 26-09-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Kein Erste Bank-Sicherheitszertifikat installieren *** --------------------------------------------- In einer gefälschten Erste Bank-Nachricht verlangen Kriminelle von Empfängern, dass diese ein Sicherheitszertifikat für ihr mobiles Endgerät installieren. Tun Adressaten das nicht, führt das angeblich zur Kontensperrung. Die Installation des Sicherheitszertifikats infiziert das Smartphone mit Schadsoftware. Mit dieser haben Kriminelle Zugriff auf das fremde Konto. Opfer verlieren Geld. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/kein-erste-bank-sicherheits… *** Geschwächte iTunes-Backup-Verschlüsselung: Apple stellt Fix in Aussicht *** --------------------------------------------- Eine Schwachstelle macht Brute-Force-Angriffe auf verschlüsselte iTunes-Backups von iOS-10-Geräten weniger zeitintensiv. Apple ist das Problem bekannt - und betont, dass iCloud-Backups davon nicht betroffen sind. --------------------------------------------- http://heise.de/-3331346 *** VBA and P-code, (Mon, Sep 26th) *** --------------------------------------------- I want to draw your attention to some great work Dr. Bontchev did. pcodedmp.py is a VBA P-code disassembler. Microsoft Office documents contain VBA macros in several forms. They contain the source code, but also compiled P-code. Dr. Bontchev created a proof-of-concept document that executes P-code and does not contain the corresponding source code. Here is the output from his pcodedmp.py tool for his PoC document: python pcodedmp.py -d poc2b.docProcessing file:... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21521&rss *** Leaking Beeps: Here's A Reason to Kick Pagers out of Hospitals *** --------------------------------------------- Today, Trend's FTR team released the paper Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry, on our research into pager technology. If are concerned about keeping your health information private, I would highly recommend you read through it. I, for one, was not expecting the findings we made. Pagers are secure, right? We've used them for decades, they are hard to monitor, and that's why some of our most trusted industries use them, including the healthcare... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/o-H15bX77W8/ *** OpenSSL Fixes Critical Bug Introduced by Latest Update *** --------------------------------------------- OpenSSL's most recent update introduced a critical vulnerability in the crypto library, forcing an emergency update today. --------------------------------------------- http://threatpost.com/openssl-fixes-critical-bug-introduced-by-latest-updat… *** OpenSSL Security Advisory [26 Sep 2016] *** --------------------------------------------- This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016. Given the Critical severity of one of these flaws we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification. --------------------------------------------- https://www.openssl.org/news/secadv/20160926.txt *** Security Advisory: NodeJS vulnerability CVE-2016-2086 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15311661.html?… *** Security Notice - Statement on Elevation of Privilege Vulnerability in Huawei HG8247H Product Disclosed on THEZEDT Website *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160924-01-… *** Security Notice - Statement on Elevation of Privilege Vulnerability in Huawei HG8247H Product Disclosed on TheZedt Website *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160924-01-… *** Security Advisory - Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2015/hw-460347 *** Security Advisory - Privilege Escalation Vulnerability in Huawei Multiple Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160926-… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Expat XML Parser vulnerabilities in Prospect *** http://www-01.ibm.com/support/docview.wss?uid=swg21988817 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Web is affected by security vulnerabilities in libxml2 *** http://www.ibm.com/support/docview.wss?uid=swg21990838 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by security vulnerabilities in libxml2 *** http://www.ibm.com/support/docview.wss?uid=swg21990837 --------------------------------------------- *** IBM Security Bulletin: Multiple libarchive vulnerabilities affect Watson Explorer *** http://www-01.ibm.com/support/docview.wss?uid=swg21988311 --------------------------------------------- *** IBM Security Bulletin: A command injection vulnerability has been identified in IBM Security Access Manager for Web appliances (CVE-2016-3028) *** http://www.ibm.com/support/docview.wss?uid=swg21990317 --------------------------------------------- *** IBM Security Bulletin: A vulnerability associated with the default account lockout settings in IBM Security Access Manager for Web has been identified (CVE-2016-3025) *** http://www.ibm.com/support/docview.wss?uid=swg21990318 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Apache Struts affect SAN Volume Controller and Storwize Family *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009282 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Apache Struts and Apache Commons FileUpload affects IBM WebSphere Service Registry and Repository (CVE-2016-1181, CVE-2016-1182, CVE-2016-3092) *** http://www.ibm.com/support/docview.wss?uid=swg21988198 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in Struts v2 affect IBM Opportunity Detect *** http://www.ibm.com/support/docview.wss?uid=swg21987854 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect SAN Volume Controller and Storwize Family (CVE-2016-2107 CVE-2016-2108) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009281 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 23-09-2016
by Daily end-of-shift report 23 Sep '16

23 Sep '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 22-09-2016 18:00 − Freitag 23-09-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** The era of big DDOS?, (Thu, Sep 22nd) *** --------------------------------------------- I have been tracking DDOSs for a number of years, and quite frankly, it has become boring. Dont get me wrong, I am not complaining, just stating a fact. A number of factors seem tohave contributed to its fall from mainstream consciousness. somewhat better filtering practices, more awareness of timely patching, and probably the most significant being the novelty has worn off. Occasionally I will still see a multi-Gbps DDOS, but mostly it has been relegated to booter traffic which is not even a... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21511&rss *** LGPO.exe v2.0 PRE-RELEASE: support for MLGPO and REG_QWORD *** --------------------------------------------- LGPO.exe is a command-line utility to automate the management of local group policy objects (LGPO). Version 1.0 was released last January. The PRE-RELEASE LGPO.exe v2.0 is attached to this blog post, and adds support for Multiple Local Group Policy Objects (MLGPO) and 64-bit REG_QWORD registry values. Full details are in the LGPO.pdf in the download. For more... --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2016/09/23/lgpo-exe-v2-0-pre-r… *** Gefälschte Sendungsverfolgungen der Post *** --------------------------------------------- Internet-Nutzer/innen erhalten eine angebliche Sendungsverfolgung der Österreichischen Post. Darin heißt es, dass das Unternehmen ein Paket zurückerhalten habe. Damit es Empfänger/innen erhalten können, sollen sie einen Link aufrufen und eine Datei ausführen. Sie beinhaltet Schadsoftware. Wer diese öffnet, erleidet einen Datenverlust. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-sendun… *** Nach DDoS-Attacken: Akamai nimmt Sicherheitsforscher Krebs vom Netz *** --------------------------------------------- Nach der Enttarnung eines israelischen DDoS-Anbieters ist der Sicherheitsexperte Krebs selbst Opfer eines ungewöhnlichen Angriffs geworden. Seine Website ist vom Netz genommen worden. --------------------------------------------- http://www.golem.de/news/nach-ddos-attacken-akamai-nimmt-sicherheitsforsche… *** A week to go for the European Cyber Security Month launch! *** --------------------------------------------- ENISA together with the European Commission, the European Baking Federation (EBF), Europol's European Cybercrime Centre (EC3), and its partners, are getting ready for the launch event of the European Cyber Security Month (ECSM), the EU advocacy campaign on cybersecurity which runs throughout October. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/a-week-to-go-for-the-european-c… *** Security Update for Microsoft Office (3185852) *** --------------------------------------------- V.2.0(September 22, 2016): Bulletin revised to announce the availability of the 14.6.8 update for Microsoft Office for Mac 2011 (3186805) and the 15.25 update for Microsoft Office 2016 for Mac (3186807). Customers running affected Mac software should install the appropriate update for their product to be protected from the vulnerabilities discussed in this bulletin. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-107 *** Cisco Email Security Appliance Internal Testing Interface Vulnerability *** --------------------------------------------- A vulnerability in Cisco IronPort AsyncOS for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to obtain complete control of an affected device.The vulnerability is due to the presence of a Cisco internal testing and debugging interface (intended for use during product manufacturing only) on customer-available software releases. An attacker could exploit this vulnerability by connecting to this testing and debugging interface. An exploit could allow an... --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** IDM 4.5 Notes Driver Version 4.0.1.0 *** --------------------------------------------- Abstract: This patch is for Identity Manger Notes Driver. It can be installed on IDM 4.5. This patch will take the version of the Notes Driver to version 4.0.1.0.Document ID: 5255110Security Alert: YesDistribution Type: Field Test FileEntitlement Required: NoFiles:IDM45_Notes_4010.zip (1.12 MB)Products:Identity Manager 4.5Superceded Patches:IDM 4.5 Notes Driver Version 4.0.0.4 --------------------------------------------- https://download.novell.com/Download?buildid=aLUafJcAJps~ *** DSA-3674 firefox-esr - security update *** --------------------------------------------- Multiple security issues have been found in the Mozilla Firefox webbrowser: Multiple memory safety errors, buffer overflows and otherimplementation errors may lead to the execution of arbitrary code orinformation disclosure. --------------------------------------------- https://www.debian.org/security/2016/dsa-3674 *** Microsoft Internet Explorer 11 CORS Disrespect *** --------------------------------------------- Topic: Microsoft Internet Explorer 11 CORS Disrespect Risk: Low Text:IE11 is not following CORS specification for local files like Chrome and Firefox. Ive contacted Microsoft and they say this i... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016090165 *** DFN-CERT-2016-1560/">LibreSSL: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1560/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983). *** http://www-01.ibm.com/support/docview.wss?uid=swg21990060 --------------------------------------------- *** IBM Security Bulletin: Security vulnerability has been identified in IBM WebSphere Portal (CVE-2016-5954) *** http://www-01.ibm.com/support/docview.wss?uid=swg21989993 --------------------------------------------- *** IBM Security Bulletin: IBM DB2 LUW on AIX and Linux Affected by Multiple Vulnerabilities in GPFS (CVE-2016-2984, CVE-2016-2985). *** http://www-01.ibm.com/support/docview.wss?uid=swg21989842 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-4483) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990364 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM Algo Credit Manager (CVE-2016-3092) *** http://www-01.ibm.com/support/docview.wss?uid=swg21988586 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo Credit Administrator (CVE-2016-3092) *** http://www.ibm.com/support/docview.wss?uid=swg21988585 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Struts affects FileNet Content Manager and IBM Content Foundation (CVE-2016-1181, CVE-2016-1182) *** http://www.ibm.com/support/docview.wss?uid=swg21987189 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium is affected by Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-4447 CVE-2016-4448 CVE-2016-4449) *** http://www-01.ibm.com/support/docview.wss?uid=swg21986710 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Network Security (NSS) affects IBM SAN Volume Controller and Storwize Family (CVE-2016-1978) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009280 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-0377) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990525 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Tivoli LWI impacts pConsole and WebSM for AIX (CVE-2016-6038) *** http://http://aix.software.ibm.com/aix/efixes/security/pconsole_mitigation.… --------------------------------------------- *** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2016-2985 and CVE-2016-2984) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024336 --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix *** http://www.ibm.com/support/docview.wss?uid=swg21990527 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libpng affect NVIDIA Linux device drivers for System x, Flex and BladeCenter Systems (CVE-2015-8472, CVE-2015-7981, CVE-2015-8126) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099471 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 22-09-2016
by Daily end-of-shift report 22 Sep '16

22 Sep '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 21-09-2016 18:00 − Donnerstag 22-09-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Fake-Abmahnung von RA Jörg Schmidt im Umlauf *** --------------------------------------------- Haushalte erhalten eine Abmahnung der Rechtsanwaltskanzlei Jörg Schmidt. Darin heißt es, dass es zu einer Verletzung von Urheberrechten der abbywinters.com BV gekommen sei, weil Empfänger/innen den Erotikfilm "Girl & Girl Pee Marigold & Christiana" verwertet haben. Aus diesem Grund sollen sie 950.00 Euro zahlen. Es handelt sich um einen Betrugsversuch. --------------------------------------------- https://www.watchlist-internet.at/sonstiges/fake-abmahnung-von-ra-joerg-sch… *** More than 840,000 Cisco devices are vulnerable to NSA-related exploit *** --------------------------------------------- More than 840,000 Cisco networking devices from around the world are exposed to a vulnerability thats similar to one exploited by a hacking group believed to be linked to the U.S. National Security Agency.The vulnerability was announced by Cisco last week and it affects the IOS, IOS XE, and IOS XR software that powers many of its networking devices. The flaw allows hackers to remotely extract the contents of a devices memory, which can lead to the exposure of sensitive information. --------------------------------------------- http://www.cio.com/article/3122868/more-than-840000-cisco-devices-are-vulne… *** Bug that hit Firefox and Tor browsers was hard to spot - now we know why *** --------------------------------------------- The curious case of Firefoxs (now fixed) certificate pinning failure. --------------------------------------------- http://arstechnica.com/security/2016/09/bug-that-hit-firefox-and-tor-browse… *** Hacked Website Report - 2016/Q2 *** --------------------------------------------- Today we're releasing our quarterly Hacked Website Report for 2016/Q2. The data in this report is based on compromised websites we worked on, with insights and analysis performed by our Incident Response Team (IRT) and Malware Research Team (MRT). CMS Analysis Our analysis consisted of over 9,000 infected websites. The graphs below show a side-by-side... --------------------------------------------- https://blog.sucuri.net/2016/09/hacked-website-report-2016q2.html *** KrebsOnSecurity Hit With Record DDoS *** --------------------------------------------- On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack theyve seen previously, and was among the biggest assaults the Internet has ever witnessed. --------------------------------------------- http://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ *** Controlling Kerio Control - When your firewall turns against you. *** --------------------------------------------- IntroductionThis blog post describes two different attacks which can be used to compromise companies which use Kerio Control in their network. Kerio Control is a hardware appliance which can be used as network firewall, router and VPN gateway. Both attacks spawn a reverse shell on Kerio Control. Since both attack payloads are delivered via CSRF (cross site request forgery) or XSS (cross site scripting) no ports must be open from the Internet. --------------------------------------------- http://blog.sec-consult.com/2016/09/controlling-kerio-control-when-your.html *** Future attack scenarios against ATM authentication systems *** --------------------------------------------- The report comprises two papers in which we analyze all existing methods of authentication used in ATMs and those expected to be used in the near future, including: contactless authentication through NFC, one-time password authentication and biometric authentication systems, as well as potential vectors of attacks using malware, through to network attacks and attacks on hardware components. --------------------------------------------- http://securelist.com/analysis/publications/76099/future-attack-scenarios-a… *** Cisco plugs two Cloud Services Platform system compromise flaws *** --------------------------------------------- Cisco has patched two serious vulnerabilities in Cisco Cloud Services Platform 2100, both of which could allow a remote attacker to execute arbitrary code on a targeted system. Both vulnerabilities affect version 2.0 of the platform and there are no workarounds to address them, so administrators are advised to update to release 2.1.0 and later to plug the holes. What's the problem? Cisco Cloud Services Platform 2100 is a popular Linux Kernel-based Virtual Machine software... --------------------------------------------- https://www.helpnetsecurity.com/2016/09/22/cisco-plugs-cloud-services-platf… *** Fixing the mixed content problem with Automatic HTTPS Rewrites *** --------------------------------------------- CloudFlare aims to put an end to the unencrypted Internet. But the web has a chicken and egg problem moving to HTTPS. Long ago it was difficult, expensive, and slow to set up an HTTPS capable web site. Then along came services like CloudFlare's Universal SSL that made switching... --------------------------------------------- https://blog.cloudflare.com/fixing-the-mixed-content-problem-with-automatic… *** OpenSSL Update Released, (Thu, Sep 22nd) *** --------------------------------------------- As announced earlier this week,OpenSSLreleased an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0). The update fixes 14 different vulnerabilities. Only one vulnerability is rated High. This vulnerability,CVE-2016-6304, can lead to memory exhaustion and a denial of service if the client sends multiple largeOCSP">OCSP">">">SWEET32">">OOB write in">">MalformedSHA512">">">">Pointer... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21509&rss *** OpenSSL Security Advisory [22 Sep 2016] *** --------------------------------------------- OCSP Status Request extension unbounded memory growth (CVE-2016-6304) SSL_peek() hang on empty record (CVE-2016-6305) SWEET32 Mitigation (CVE-2016-2183) OOB write in MDC2_Update() (CVE-2016-6303) Malformed SHA512 ticket DoS (CVE-2016-6302) OOB write in BN_bn2dec() (CVE-2016-2182) OOB read in TS_OBJ_print_bio() (CVE-2016-2180) Pointer arithmetic undefined behaviour (CVE-2016-2177) Constant time flag not preserved in DSA signing (CVE-2016-2178) DTLS buffered message DoS (CVE-2016-2179) DTLS... --------------------------------------------- https://www.openssl.org/news/secadv/20160922.txt *** Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004 *** --------------------------------------------- Description Users who have rights to edit a node, can set the visibility on comments for that node. Advisory ID: DRUPAL-SA-CORE-2016-004Project: Drupal core Version:li 8.xDate: 2016-September-21Security risk: 18/25 ( Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: DescriptionUsers without "Administer comments" can set comment visibility on nodes they can edit. (Less critical) Users who have rights to edit a node, can set the visibility on comments for that --------------------------------------------- https://www.drupal.org/SA-CORE-2016-004 *** ZDI-16-526: (0Day) Google Chrome Protocol Handler Logic Error Restrictions Bypass Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to bypass restrictions on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-526/ *** ZDI-16-525: (0Day) Fatek Automation PM Designer Heap Memory Corruption Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Fatek Automation PM Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-525/ *** [2016-09-22] Potential backdoor access through multiple vulnerabilities in in Kerio Control Unified Threat Management *** --------------------------------------------- Kerio Control contains multiple vulnerabilities which can be used by an attacker to obtain a reverse root shell to the internal firewall system of a network. An attacker can use this reverse root shell to further compromise the victims local network, sniff VPN traffic (including VPN credentials) or just backdoor the firewall/VPN gateway. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** HPSBGN03649 rev.1 - HPE Network Automation using Java Deserialization, Remote Code Execution *** --------------------------------------------- A vulnerability in Apache Commons-Collections and Commons-BeanUtils library used for handling Java object deserialization was addressed by HPE Network Automation. The vulnerability could be exploited remotely to allow remote code execution. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05279098 *** SSA-342135 (Last Update 2016-09-22): Web Vulnerability in SCALANCE M-800 / S615 *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-342135… *** SSA-301706 (Last Update 2016-09-22): GNU C Library Vulnerability in Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706… *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Application Policy Infrastructure Controller Binary Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS and IOS XE iox Command Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Firepower Management Center and FireSIGHT System Software SSLIinspection Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS and IOS XE Software Data in Motion Component Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Cloud Services Platform 2100 Remote Command Execution Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Cloud Services Platform 2100 Command Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Home Web-Based User Interface XML External Entity Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Application-Hosting Framework HTTP Header Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS and IOS XE Software Application-Hosting Framework Unauthorized File Access Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 21-09-2016
by Daily end-of-shift report 21 Sep '16

21 Sep '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 20-09-2016 18:00 − Mittwoch 21-09-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Spear Phishing: Deutsche Politiker mit Malware-Mails angegriffen *** --------------------------------------------- Politiker aller Parteien waren im August Ziel von Spear-Phishing-Angriffen. Angebliche Nato-Informationen zum Putsch in der Türkei und zum Erdbeben in Italien sollten zum Klicken auf Malware verleiten. --------------------------------------------- http://www.golem.de/news/spear-phishing-deutsche-politiker-mit-malware-mail… *** Windows Events log for IR/Forensics ,Part 2, (Tue, Sep 20th) *** --------------------------------------------- In a previous diary[i] I talked about Windows Events and I gave some examples about some of the most useful events for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events Get-WinEvent The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21501&rss *** ISAKMP Scanning and Potential Vulnerabilities *** --------------------------------------------- Introduction As many of you are aware, we scan the Internet on a daily basis for many different protocols. We have added several new ones over time mostly depending on our own time available to engineer a scan for that protocol. Occasionally, we add one that is more topical and addresses a recent vulnerability or... --------------------------------------------- http://blog.shadowserver.org/2016/09/20/isakmp-scanning-and-potential-vulne… *** Mamba Ransomware Encrypts Hard Drives Rather Than Files *** --------------------------------------------- A new ransomware strain called Mamba opts to encrypts hard drives rather than individual files and folders stored on the local disk. --------------------------------------------- http://threatpost.com/mamba-ransomware-encrypts-hard-drives-rather-than-fil… *** Should you trust your security software? *** --------------------------------------------- The complaint that security is broken isn't new and even industry insiders are joining the chorus. Companies spent an estimated $75 billion last year on security products and yet cyber attacks and data breaches are still a common occurrence. Now, we're finding that security tools themselves have vulnerabilities that are putting organizations at risk. Given that vulnerabilities in software are the root cause of most attacks and security tools are inherently intrusive in order to... --------------------------------------------- https://www.helpnetsecurity.com/2016/09/21/security-software/ *** macOS Sierra beseitigt fast 70 Sicherheitslücken *** --------------------------------------------- Mit der neuen Version 10.12 hat Apple 68 Schwachstellen in macOS respektive OS X behoben, darunter kritische. Für ältere OS-X-Versionen liegt derzeit kein Sicherheits-Update vor. --------------------------------------------- http://heise.de/-3328701 *** Considerations on the Traffic Light Protocol *** --------------------------------------------- The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs). The TLP can be used in all forms of communication, whether written or oral. This Glossary Entry presents the TLP and its possible variants, and proposes some considerations on its use and its limitations. --------------------------------------------- https://www.enisa.europa.eu/topics/national-csirt-network/glossary/consider… *** Did You Really Lock that Door? *** --------------------------------------------- One of my favorite books about information security is Ghost in the Wires, by Kevin Mitnick. Kevin, of course is one of the notorious early hackers whose exploits are brilliant and quite entertaining. If you have not already done so, add that book to your reading list. This post however is not a book review. I was reminded of Kevin's book the other evening when my son went dashing to the door in the middle of the night to make sure that he locked it. Normally, like all teenagers, he just... --------------------------------------------- https://feeds.feedblitz.com/~/200516044/0/alienvault-blogs~Did-You-Really-L… *** InfoArmor Uncovers Malicious Torrent Distribution Network *** --------------------------------------------- InfoArmor has identified a special tool used by cybercriminals to distribute malware by packaging it with the most popular torrent files on the Internet. The bad actors have analyzed trends on video, audio, software and other digital content downloads from around the globe and have created seeds on famous torrent trackers using weaponized torrents packaged with malicious code. --------------------------------------------- https://www.infoarmor.com/infoarmor-uncovers-malicious-torrent-distribution… *** Opportunistic Encryption: Bringing HTTP/2 to the unencrypted web *** --------------------------------------------- Encrypting the web is not an easy task. Various complexities prevent websites from migrating from HTTP to HTTPS, including mixed content, which can prevent sites from functioning with HTTPS. Opportunistic Encryption provides an additional level of security to websites that have not yet moved to HTTPS and the performance benefits... --------------------------------------------- https://blog.cloudflare.com/opportunistic-encryption-bringing-http-2-to-the… *** Bugtraq: ESA-2016-093: RSA Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/539432 *** DSA-3671 wireshark - security update *** --------------------------------------------- Multiple vulnerabilities were discovered in the dissectors for H.225,Catapult DCT2000, UMTS FP and IPMI, which could result in denial ofservice or the execution of arbitrary code. --------------------------------------------- https://www.debian.org/security/2016/dsa-3671 *** Filr 2.0 - Hot Patch 3 *** --------------------------------------------- Abstract: This patch provides a number of general bug fixes and security updates for Novell Filr, Search and MySQL 2.0.0 appliances including an updated Filr 2.0 Desktop client.Document ID: 5255170Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:preinstall-Search-20HP3.zip (24.95 MB)preinstall-MySQL-20HP3.zip (24.18 MB)preinstall-Filr-20HP3.zip (34.59 MB)Filr-2.0.0.474.HP.zip (155.89 MB)Search-2.0.0.417.HP.zip (10.67 MB)MySQL-2.0.0.197.HP.zip (1.44 kB)Products:Filr... --------------------------------------------- https://download.novell.com/Download?buildid=LMP8JAI5Lrc~ *** Security Advisory - DoS Vulnerability in Multiple Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-… *** Security Advisory - DoS Vulnerability in Multiple Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-… *** Security Advisory - DOS Vulnerability in Video Driver of Huawei Smart Phone *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-… *** Apple Security Updates *** --------------------------------------------- *** Safari 10 *** https://support.apple.com/kb/HT207157 --------------------------------------------- *** macOS Sierra 10.12 *** https://support.apple.com/kb/HT207170 --------------------------------------------- *** tvOS 10 *** https://support.apple.com/kb/HT207142 --------------------------------------------- *** iTunes 12.5.1 for Windows *** https://support.apple.com/kb/HT207158 --------------------------------------------- *** macOS Server 5.2 *** https://support.apple.com/kb/HT207171 --------------------------------------------- *** iCloud for Windows 6.0 *** https://support.apple.com/kb/HT207147 --------------------------------------------- *** Vuln: OpenStack Nova Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93068 *** ShoreTel Connect ONSITE Blind SQL Injection Vulnerability *** --------------------------------------------- Topic: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability Risk: Medium Text:ShoreTel Connect ONSITE Blind SQL Injection Vulnerability == vulnerability type: Unauthenticated Blin... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016090154 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime Edition *** http://www-01.ibm.com/support/docview.wss?uid=swg21990374 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2119) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009255 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways *** http://www-01.ibm.com/support/docview.wss?uid=swg21990046 --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix *** http://www.ibm.com/support/docview.wss?uid=swg21990236 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere MQ Invalid client protocol flows could cause denial of service (CVE-2016-0379) *** http://www-01.ibm.com/support/docview.wss?uid=swg21984565 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerability CVE-2015-5174 *** http://www-01.ibm.com/support/docview.wss?uid=swg21988742 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 20-09-2016
by Daily end-of-shift report 20 Sep '16

20 Sep '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 19-09-2016 18:00 − Dienstag 20-09-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** European Cyber Security Month - NIS Quiz *** --------------------------------------------- This tool is designed to help you update your internet security knowledge, begin whenever you feel ready. It will take max 10 minutes and we hope youll enjoy the quiz and learn something useful! --------------------------------------------- https://cybersecuritymonth.eu/references/quiz-demonstration/intro *** The banker that can steal anything *** --------------------------------------------- The use of root privileges is not typical for banking malware attacks, because money can be stolen in numerous other ways that dont require exclusive rights. However, in early February 2016, Kaspersky Lab discovered Trojan-Banker.AndroidOS.Tordow.a, whose creators decided that root privileges would come in handy. --------------------------------------------- http://securelist.com/blog/mobile/76101/the-banker-that-can-steal-anything/ *** Erpressungs-Trojaner HDDCryptor soll Computer von Opfern abriegeln *** --------------------------------------------- HDDCryptor verschlüsselt nicht nur Daten, sondern überschreibt offensichtlich auch den MBR von Windows-Computern und gibt infizierte Rechner erst nach einer Lösegeld-Zahlung wieder frei, warnen Sicherheitsforscher. --------------------------------------------- http://heise.de/-3327880 *** Encryption Week *** --------------------------------------------- Since CloudFlare's inception, we have worked tirelessly to make encryption as simple and as accessible as possible. Over the last two years, we've made CloudFlare the easiest way to enable encryption for web properties and internet services. From the launch of Universal SSL, which gives HTTPS to millions --------------------------------------------- https://blog.cloudflare.com/encryption-week/ *** Mozilla und Tor schließen Certificate-Pinning-Lücke *** --------------------------------------------- Durch einen Fehler beim Bau neuer Versionen von Firefox und des Tor Browsers waren diese anfällig gegen Man-in-the-Middle-Angriffe, über die Schadcode eingeschleust werden konnte. --------------------------------------------- http://heise.de/-3328039 *** Hacking WordPress Sites on Shared Servers *** --------------------------------------------- A website is only as safe as the weakest link on its shared server. Once a hacker gains access to one site on the server, they can easily infect other sites that share the same server permissions. This is called cross-site contamination. When it comes to WordPress websites, the core structure is well known by... --------------------------------------------- https://blog.sucuri.net/2016/09/hacking-wordpress-sites-shared-servers.html *** Steganography... what is that? *** --------------------------------------------- When people think about Information Security the first word that generally comes mind is "Hacking", but there are many disciplines in security and one of them is called "Steganography", an offshoot of encryption and "data hiding". The word "steganography" can... --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Steganography----what-i… *** Vulnerability Patched in WordPress Theme That Allows Unrestricted Uploads *** --------------------------------------------- A vulnerability has been patched in a popular WordPress theme called Neosense that allows an attacker to upload code without authentication. --------------------------------------------- http://threatpost.com/vulnerability-patched-in-wordpress-theme-that-allows-… *** High-Tech Bridge releases a new version of its free SSL testing service *** --------------------------------------------- The new version of the service enables companies to easily test any SSL/TLS-based services for compliance with PCI DSS, HIPAA and NIST, while the new API provides much more flexibility for software developers. --------------------------------------------- https://www.htbridge.com/news/ssl-testing-service-api-hipaa-compliance.html *** Bugtraq: ESA-2016-096: EMC Celerra, VNX1, VNX2 and VNXe SMB NTLM Authentication Weak Nonce Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/539424 *** Bugtraq: ESA-2016-065: EMC Avamar Data Store and Avamar Virtual Edition Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/539423 *** VMSA-2016-0014 *** --------------------------------------------- VMware ESXi, Workstation, Fusion, and Tools updates address multiple security issues --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-0014.html *** VMSA-2016-0010.1 *** --------------------------------------------- VMware product updates address multiple important security issues --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-0010.html *** ZDI-16-517: AlienVault Unified Security Management Remote Authentication Bypass Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to bypass authentication requirements on vulnerable installations of AlienVault Unified Security Manager. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-517/ *** ZDI-16-518: Rockwell Automation RSLogix Micro Starter Lite Project File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Rockwell Automation RSLogix Micro Starter Lite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-518/ *** Vuln: QEMU hw/usb/hcd-xhci.c Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93029 *** Security Advisories Relating to Symantec Products - Symantec Decomposer Engine Security Update *** --------------------------------------------- Symantec has released an update to address two issues in the RAR file parser component of the antivirus decomposer engine used by multiple Symantec products. Parsing of maliciously formatted RAR container files may cause an application-level denial of service condition. --------------------------------------------- https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Rational DOORS Next Generation with potential for Cross-Site Scripting attack (CVE-2016-5955) *** http://www.ibm.com/support/docview.wss?uid=swg21990054 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in libtiff affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024132 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024088 --------------------------------------------- *** IBM Security Bulletin: Rational Asset Analyzer (CVE-2016-5967) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990215 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in node.js processing affect IBM DataPower Gateways *** http://www-01.ibm.com/support/docview.wss?uid=swg21990050 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-1181 and CVE-2016-1182) *** http://www.ibm.com/support/docview.wss?uid=swg21989496 --------------------------------------------- *** IBM Security Bulletin: IBM Connections Security Update for Multiple Vulnerabilities *** http://www-01.ibm.com/support/docview.wss?uid=swg21989067 --------------------------------------------- *** IBM Security Bulletin: Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378) *** http://www-01.ibm.com/support/docview.wss?uid=swg21981529 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 19-09-2016
by Daily end-of-shift report 19 Sep '16

19 Sep '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 16-09-2016 18:00 − Montag 19-09-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** The Week in Ransomware - September 16 2016 - Stampado, Locky, Atom, and More *** --------------------------------------------- Thankfully, it was a slow week this week when it comes to ransomware. For this week we had 3 new variants of existing ransomware, 2 new ransomware infections, and an updated decryptor. [...] --------------------------------------------- http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-septem… *** Windows Events log for IR/Forensics ,Part 1, (Sun, Sep 18th) *** --------------------------------------------- In the time of incidents, Windows Event logs provide a plenty of useful information for the Incident responder.As you know Windows can generate thousands of events in few minutes ,in this diary I will talk about some of the most useful events and in the next diary I would discuss how to use PowerShell to search for them . Here is of the most useful events for Forensics/Incident response: Event ID Description Log Name 4624 Successful Logon Security 4625 Failed Login... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21493&rss *** Mozilla will patch zero-day Firefox bug to fiddle man-in-the-middle diddle *** --------------------------------------------- Researcher revealed Tor flaw after initially being ignored Mozilla will patch a flaw in its Firefox browser that could allow well-resourced attackers to launch man-in-the-middle impersonation attacks that also affects the Tor anonymity network. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/09/18/mozilla_tor… *** Untangling the Ripper ATM Malware *** --------------------------------------------- Last August , security researchers released a blog discussing a new ATM malware family called Ripper which they believe was involved in the recent ATM attacks in Thailand. Large numbers of ATMs were also temporarily shut down as a precautionary measure.During our analysis we noticed some additional details that where not called out, or which appear to contradict this earlier analysis. We highlight these differences in this blog post. We have also included technical indicators such as code... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ddt8SN3uzhs/ *** Periscope ATM Skimmers *** --------------------------------------------- "Periscope skimmers" are the most sophisticated kind of ATM skimmers. They are entirely inside the ATM, meaning theyre impossible to notice.Theyre been found in the US. --------------------------------------------- https://www.schneier.com/blog/archives/2016/09/periscope_atm_s.html *** 324,000 payment cards breached, CVVs included, source still unknown! *** --------------------------------------------- When you decide to add debugging logs to your payment application, the PCI DSS rules about what you are allowed to store DO NOT CHANGE! --------------------------------------------- http://feedproxy.google.com/~r/nakedsecurity/~3/NpR-rDlVOj0/ *** Does it Matter If You Cover Your Webcam?, (Mon, Sep 19th) *** --------------------------------------------- During security conferences, laptops with tape covering the webcam has certainly been a common sight. But recently, covering webcams has become somewhat of a main-stream phenomenon, after Mark Zuckerberg was sighted with a covered webcam [1], and even the FBI director suggests people covering their cameras [2]. Laptops are often used in private spaces, and an attacker, with access to the camera, is expected to be able to spy on the user of the laptop. Attacks like this have happened, and even... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21497&rss *** Reverse Engineering Cisco ASA for EXTRABACON Offsets *** --------------------------------------------- [...] One of the zero-day vulnerabilities released was a remote code execution in the Cisco Adaptive Security Appliance (ASA) device. The Equation Groups exploit for this was named EXTRABACON. [...] At RiskSense we had spare ASAs lying around in our red team lab, and my colleague Zachary Harding was extremely interested in exploiting this vulnerability. I told him if he got the ASAs properly configured for remote debugging I would help in the exploitation process. --------------------------------------------- https://zerosum0x0.blogspot.cz/2016/09/reverse-engineering-cisco-asa-for.ht… *** BENIGNCERTAIN-like flaw affects various Cisco networking devices *** --------------------------------------------- The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products - and they found one. CVE-2016-6415 arises from insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. The IKE protocol is used in the Internet Protocol Security (IPsec) protocol suite to negotiate cryptographic... --------------------------------------------- https://www.helpnetsecurity.com/2016/09/19/beningcertain-cisco-networking-d… *** IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products *** --------------------------------------------- A vulnerability in IKEv1 packet processing code in Cisco IOS, Cisco IOS XE and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept... --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** iPrint Appliance 2.1 Hot Patch 2 *** --------------------------------------------- Abstract: iPrint Appliance 2.1 Hot Patch 2 is the first patch set for the iPrint Appliance version 2.1. Document ID: 5254950Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:iPrint-2.1.0.68.HP.zip (755.2 MB)Products:iPrint Appliance 2.1Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=AJTQmn_Q1yk~ *** iPrint Appliance 2.0 Hot Patch 2 *** --------------------------------------------- Abstract: Hot Patch 2 includes bug fixes, security fixes and a consolidation of previously released patches, including iPrint Appliance 2.0 Patch 2. Document ID: 5254970Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:iPrint-2.0.0.533.HP.zip (881.14 MB)Products:iPrint Appliance 2Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=C1Xh-X9MGcc~ *** Forthcoming OpenSSL releases *** --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0a, 1.0.2i, 1.0.1u. These releases will be made available on 22nd September 2016 at approximately 0800 UTC. They will fix several security defects: one classfied as severity "high", one as "moderate", and the rest "low". --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.ht… *** IBM Security Bulletin: Spice-server vulnerabilities affect IBM SmartCloud Entry (CVE-2016-0749 CVE-2016-2150 ) *** --------------------------------------------- SmartCloud Entry is vulerable to Spice-server vulnerabilities. Attackers could exploit them to cause improper bounds checking by smartcard interaction or bypass security restrictions CVE(s): CVE-2016-0749, CVE-2016-2150 Affected product(s) and affected version(s): IBM SmartCloud Entry 3.2 through Appliance fix pack 21 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www.ibm.com/support/docview.wss?uid=isg3T1024006X-Force... --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1024006 *** IBM Security Bulletin: Vulnerability in openssl affects IBM System Networking Switch products (CVE-2016-2108) *** --------------------------------------------- IBM System Networking Switch products have addressed the following vulnerability in openssl. CVE(s): CVE-2016-2108 Affected product(s) and affected version(s): Product Affected Version IBM Flex System Fabric EN4093R 10Gb Scalable Switch 7.8.14.0 IBM Flex System Fabric CN4093 10Gb Converged Scalable Switch 7.8.14.0 IBM Flex System Fabric SI4093 System Interconnect Module 7.8.14.0 IBM Flex System EN2092 1Gb... --------------------------------------------- https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099464 *** BINOM3 Electric Power Quality Meter Vulnerabilities *** --------------------------------------------- Topic: BINOM3 Electric Power Quality Meter Vulnerabilities Risk: Medium Text:*Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple Vulnerabilities* *About* The meters are designed... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016090122 *** MyBB 1.8.6 Improper validation of data passed to eval *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016090124 *** MyBB 1.8.6 CSRF Weak Hashing, Plaintext Passwords *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016090126 *** MyBB 1.8.6 SQL Injection *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016090125

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily September 2016