=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 02-09-2015 18:00 − Donnerstag 03-09-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Neuer Banking-Trojaner taucht auch in Österreich auf ***
---------------------------------------------
IBM-Forscher haben mit "Shifu" einen neuen Trojaner identifiziert, der es auf Banken aus Deutschland, Japan und Österreich abgesehen hat.
---------------------------------------------
http://futurezone.at/digital-life/neuer-banking-trojaner-taucht-auch-in-oes…
*** New Versions of Carbanak Banking Malware Seen Hitting Targets in U.S. and Europe ***
---------------------------------------------
New variants of the notorious Carbanak Trojan has surfaced in Europe and the United States, and researchers say that the malware now has its own proprietary communications protocol and the samples seen so far have been digitally signed. Carbanak has been in use for several years, and researchers at Kaspersky Lab earlier this year revealed the...
---------------------------------------------
http://threatpost.com/new-versions-of-carbanak-banking-malware-seen-hitting…
*** Cross-Site-Scripting: Netflix stellt Tool zum Auffinden von Sicherheitslücken vor ***
---------------------------------------------
Der Streamingdienst Netflix erstellt nicht nur aufwendige Eigenproduktionen, sondern entwickelt auch Sicherheitstools. Jetzt hat das Unternehmen ein Werkzeug zum Auffinden von Schwächen von Cross-Site-Scripting vorgestellt.
---------------------------------------------
http://www.golem.de/news/cross-site-scripting-netflix-stellt-tool-zum-auffi…
*** New Android Ransomware Communicates over XMPP ***
---------------------------------------------
A new strain of Android ransomware disguised as a video player app uses an instant messaging protocol called XMPP to receive commands and communicate with the command and control server.
---------------------------------------------
http://threatpost.com/new-android-ransomware-communicates-over-xmpp/114530
*** CVE-2015-5722: Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c ***
---------------------------------------------
Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key.
---------------------------------------------
https://www.isc.org/blogs/cve-2015-5722-parsing-malformed-keys-may-cause-bi…
*** CVE-2015-5986: An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c ***
---------------------------------------------
An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure. This defect can be deliberately exploited by an attacker who can provide a maliciously constructed response in answer to a query.
---------------------------------------------
https://www.isc.org/blogs/cve-2015-5986-an-incorrect-boundary-check-can-tri…
*** Cisco Integrated Management Controller Supervisor and Cisco UCS Director Remote File Overwrite Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Symantec Ghost Explorer Utility Tool Out-of-Bounds Array Indexing ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** EMC Atmos XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1033456
*** Bugtraq: [SYSS-2015-016] Avaya one-X Agent - Hard-coded Cryptographic Key ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536386
*** Bugtraq: Checkmarx CxQL Sandbox bypass (CVE-2014-8778) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536387
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect Watson Explorer, Watson Content Analytics, and OmniFind Enterprise Edition (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21965348
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Security Proventia Network Enterprise Scanner (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3216) ***
http://www.ibm.com/support/docview.wss?uid=swg21965845
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Network Controller (CVE-2015-1793) ***
http://www.ibm.com/support/docview.wss?uid=swg21965725
*** IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Security Network Controller (CVE-2015-4000) ***
http://www.ibm.com/support/docview.wss?uid=swg21964035
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Sterling Connect:Direct Browser User Interface ***
http://www.ibm.com/support/docview.wss?uid=swg21965448
*** IBM Security Bulletin: Multiple Security Issues in IBM Media Server Due to OpenSSL Issues ***
http://www.ibm.com/support/docview.wss?uid=swg21963783
*** IBM Security Bulletin: Multiple security vulnerabilities have been identified in IBM Security Identity Manager Virtual Appliance (CVE-2015-1788 and CVE-2015-1885) ***
http://www.ibm.com/support/docview.wss?uid=swg21964241
*** IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects Flex System Power Compute Node Firmware (CVE-2015-4000) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022656
*** ZDI-15-418: (0Day) Borland AccuRev Reprise License Server edit_lf_process Remote Code Execution Vulnerability ***
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/Ejh3XZSEdr0/
*** ZDI-15-417: (0Day) Borland AccuRev Reprise License Server edit_lf_get_data Command lf Parameter Path Traversal Read Vulnerability ***
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/hC9GLRY4Jiw/
*** ZDI-15-416: (0Day) Borland AccuRev Reprise License Server service_setup_doit Command Stack Buffer Overflow Vulnerability ***
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/BQougUpI_Ys/
*** ZDI-15-415: (0Day) Borland AccuRev Reprise License Management Server Path Traversal Remote Code Execution Vulnerability ***
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/WM0upaoUI1c/
*** ZDI-15-414: (0Day) Borland AccuRev Reprise License Server activate_doit Command actserver Parameter Stack Buffer Overflow Vulnerability ***
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/Nr36Je9oEJU/
*** ZDI-15-413: (0Day) Borland AccuRev Reprise License Server diagnostics_doit Command outputfile Parameter File Overwrite Denial of Service Vulnerability ***
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/fhh7V-Xsyjc/
*** ZDI-15-412: (0Day) Borland AccuRev Reprise License Server activate_doit Command akey Parameter Stack Buffer Overflow Vulnerability ***
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/q60XWhjbHKo/
*** ZDI-15-411: (0Day) Borland AccuRev SaveContentServiceImpl Servlet Path Traversal Remote File Read And Deletion Vulnerabilities ***
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/oMSmmw2PaFA/
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 01-09-2015 18:00 − Mittwoch 02-09-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Demystifying File and Folder Permissions ***
---------------------------------------------
If you have poked around a server before you have probably encountered file permissions. In fact, all computer file systems offer permissions based on the same core ideas. The file permissions in Linux, Mac, and Windows computers are very similar to the file and folder permissions in Apache, Nginx, and IIS servers. You can right-clickRead More The post Demystifying File and Folder Permissions appeared first on Sucuri Blog.
---------------------------------------------
https://blog.sucuri.net/2015/09/demystifying-file-and-folder-permissions.ht…
*** Whats the situation this week for Neutrino and Angler EK?, (Wed, Sep 2nd) ***
---------------------------------------------
Introduction Last month in mid-August 2015, an actor using Angler exploit kit (EK) switched to Neutrino EK [1]. A few days later, we found that actor using Angler again [2]. This week, were back to seeingNeutrino EK from the same actor. Neutrino EK from this actor is sending TeslaCrypt 2.0 as the payload. We also saw another actor use Angler EK to pushBedep during the same timeframe. Todays diary looks at two infection chains from Tuesday 2015-09-01, one for Angler EK and another for Neutrino.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20101&rss
*** Verschlüsselung: Microsoft, Google und Mozilla schalten RC4 2016 ab ***
---------------------------------------------
Es ist ein überfälliger Schritt: Microsoft, Google und Mozilla haben angekündigt, den unsicheren Verschlüsselungsalgorithmus RC4 ab 2016 in ihren Produkten endgültig nicht mehr zu verwenden. Ein konkretes Datum nennt bislang jedoch nur Mozilla.
---------------------------------------------
http://www.golem.de/news/verschluesselung-microsoft-google-und-mozilla-scha…
*** Per Web und USB-Stick: Smart-TVs vielfältig angreifbar ***
---------------------------------------------
Mit vergleichsweise simplen Methoden haben Sicherheitsforscher App-Nutzerdaten von Medienabspielern und Smart TVs ausgelesen. Dabei konnten sie auch die Kamera aktivieren und bis auf die Root-Ebene vordringen.
---------------------------------------------
http://heise.de/-2797227
*** Router-Lücken: Belkin N600 DB macht es den Hackern einfach ***
---------------------------------------------
Die Beschreibung der Lücken in Belkins Heimrouter liest sich wie ein Handbuch mit Negativbeispielen der Firmware-Programmierung. Angreifer können die Nutzer des Routers unter anderem auf beliebige Webseiten umleiten. Abhilfe gibt es nicht.
---------------------------------------------
http://heise.de/-2800853
*** IBM: CoreBot malware - simple but dangerous info stealer ***
---------------------------------------------
IBMs X-Force research team has uncovered a new piece of data-swiping malware whose modular design allows it to be quickly altered and made even more dangerous.
---------------------------------------------
http://www.scmagazine.com/x-force-team-uncovers-data-swiping-malware/articl…
*** Factoring RSA Keys With TLS Perfect Forward Secrecy ***
---------------------------------------------
What is being disclosed today? Back in 1996, Arjen Lenstra described an attack against an optimization (called the Chinese Remainder Theorem optimization, or RSA-CRT for short). If a fault happened during the computation of a signature (using the RSA-CRT optimization),...
---------------------------------------------
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perf…
*** Adware-Installer erschleicht Zugriff auf den Mac-Schlüsselbund ***
---------------------------------------------
Ein neuer Adware-Installer nutzt nach Angabe von Sicherheitsforschern einen simplen Trick, um sich ohne weiteres Zutun des Nutzers Zugang zum Schlüsselbund von OS X einzuräumen.
---------------------------------------------
http://heise.de/-2802238
*** Cisco NX-OS Malformed ARP Header Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=40748
*** VU#903500: Seagate 36C wireless hard-drive contains multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#903500 Seagate 36C wireless hard-drive contains multiple vulnerabilities Original Release date: 01 Sep 2015 | Last revised: 01 Sep 2015 Overview The Seagate 36C wireless hard-drive contains multiple vulnerabilities. Description CWE-798: Use of Hard-coded Credentials - CVE-2015-2874 The Seagate 36C wireless hard-drive provides undocumented Telnet services accessible by using the default credentials of root as username and the default password.CWE-425: Direct Request
---------------------------------------------
http://www.kb.cert.org/vuls/id/903500
*** ZDI-15-408: Hewlett-Packard LoadRunner Controller Scenario File Stack Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability could allow attackers to execute arbitrary code on vulnerable installations of HP LoadRunner. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-408/
*** Siemens RUGGEDCOM ROS IP Forwarding Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for an IP forwarding vulnerability in older versions of Siemens RUGGEDCOM ROS.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-244-01
*** Edimax BR6228nS/BR6228nC - Multiple vulnerabilities ***
---------------------------------------------
Topic: Edimax BR6228nS/BR6228nC - Multiple vulnerabilities Risk: Medium Text:# Title: Edimax BR6228nS/BR6228nC - Multiple vulnerabilities # Date: 01.09.15 # Vendor: edimax.com # Firmware version: 1.22 ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015090013
*** Security Advisory - No Authentication Vulnerability on the Serial Port of the UAP2105 ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** [HTB23269]: Cross-Site Request Forgery in Cerb ***
---------------------------------------------
Product: Cerb v7.0.3Vulnerability Type: Cross-Site Request Forgery [CWE-352]Risk level: Medium Creater: Webgroup Media LLCAdvisory Publication: August 12, 2015 [without technical details]Public Disclosure: September 2, 2015 CVE Reference: CVE-2015-6545 CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) Vulnerability Details: High-Tech Bridge Security Research Lab discovered CSRF vulnerability in Cerb platform, which can be exploited to perform Cross-Site Request Forgery attacks against
---------------------------------------------
https://www.htbridge.com/advisory/HTB23269
*** DFN-CERT-2015-1353: Xen: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1353/
*** Bugtraq: ESA-2015-137: EMC Atmos XML External Entity Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536377
*** SiS Windows VGA Display Manager Multiple Privilege Escalation ***
---------------------------------------------
Topic: SiS Windows VGA Display Manager Multiple Privilege Escalation Risk: Medium Text:KL-001-2015-003 : SiS Windows VGA Display Manager Multiple Privilege Escalation Title: SiS Windows VGA Display Manager Mult...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015090019
*** XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation ***
---------------------------------------------
Topic: XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation Risk: Medium Text:KL-001-2015-004 : XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation Title: XGI Windows VGA Display Manag...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015090018
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM SONAS (CVE-2015-2613) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005343
*** IBM Security Bulletin: HTTP Request smuggling vulnerability may affect IBM HTTP Server (CVE-2015-3183) ***
http://www.ibm.com/support/docview.wss?uid=swg21963361
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tealeaf Customer Experience ***
http://www.ibm.com/support/docview.wss?uid=swg21960713
*** IBM Security Bulletin: IBM WebSphere MQ 7.0.1 potential denial of service (CVE-2015-2013) ***
http://www.ibm.com/support/docview.wss?uid=swg21962479
*** IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects TS3100/TS3200 (CVE-2015-4000) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005368&myns=s034&m…
*** IBM Security Bulletin: IBM Maximo Asset Management could allow a local attacker to obtain information due to the autocomplete feature on password input fields (CVE-2015-1933) ***
http://www.ibm.com/support/docview.wss?uid=swg21965080
*** IBM Security Bulletin: Default Password Requirements are weak on new installations of IBM Maximo Asset Management (CVE-2015-1934) ***
http://www.ibm.com/support/docview.wss?uid=swg21964855
*** Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098599
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 31-08-2015 18:00 − Dienstag 01-09-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** How the SIEM Solution Can Help in Achieving PCI-DSS ***
---------------------------------------------
We all know that PCI-DSS is one of the toughest compliances/certifications to hold, but organizations that seek to be PCI-DSS compliant can greatly benefit if they incorporate a SIEM solution around the Card Holder Data Environment (CDE). In this article, we will learn how the SIEM solution can be leveraged to satisfy a majority of...
---------------------------------------------
http://resources.infosecinstitute.com/how-the-siem-solution-can-help-in-ach…
*** Microsoft accused of adding spy features to Windows 7, 8 ***
---------------------------------------------
The privacy impact of Windows telemetry features continues to be scrutinized.
---------------------------------------------
http://arstechnica.com/information-technology/2015/08/microsoft-accused-of-…
*** ORX Locker, the new Darknet Ransomware-as-a-service platform ***
---------------------------------------------
Security experts at Sensecy have uncovered ORX-Locker, a Darknet Ransomware-as-a-service platform that could allow everyone to become a cyber criminal. It is becoming even easier to become a cyber-criminal thanks to the model of sale known as malware-as-a-service that offers off-the-shelf malware for rent or sale. Recently malware authors started to offer also Ransomware-as-a-Service (RaaS), in...
---------------------------------------------
http://securityaffairs.co/wordpress/39753/cyber-crime/orx-locker-raas.html
3430
*** l+f: Simuliertes Firmennetz als Spielwiese für Hacker ***
---------------------------------------------
Im simulierten Netzwerk des Penetration Test Lab kann man virtuellen Systemen mit echten Pentesting-Tools auf den Zahn fühlen.
---------------------------------------------
http://heise.de/-2795897
*** Android: Mehr Smartphones mit vorinstallierter Malware ***
---------------------------------------------
Zwischenhändler sollen immer mehr Modelle aus dem Android-Lager vor dem Verkauf manipulieren, indem sie beliebte Apps mit Malware-Komponenten ausstatten und auf den Geräten installieren.
---------------------------------------------
http://heise.de/-2794608
*** MassVet finds unknown malicious apps in app stores in 10 Sec ***
---------------------------------------------
A group of researchers have developed a method dubbed Mass Vetting (MassVet) to find unknown malicious apps in app stores in 10 Seconds. A group of University researchers has created a new method for detecting malicious apps running on an Android devices called MassVet. MassVet doesn't use the old method of signatures scanning, instead it compares...
---------------------------------------------
http://securityaffairs.co/wordpress/39762/malware/massvet-android-scan.html
*** iOS-Trojaner ermöglichte Einkauf im App Store mit gehackten Accounts ***
---------------------------------------------
Palo Alto Networks hat Details zu der letzte Woche entdeckten Hintertür in mehreren in China verteilten Jailbreak-Apps und Tweaks genannt. Demnach arbeitet die Malware äußerst trickreich. Gestohlen wurden 225.000 iCloud-Accounts.
---------------------------------------------
http://heise.de/-2795857
*** Tired of memorizing passwords? A Turing Award winner came up with this algorithmic trick ***
---------------------------------------------
Passwords are a bane of life on the Internet, but one Turing Award winner has an algorithmic approach that he thinks can make them not only easier to manage but also more secure.The average user has some 20 passwords today, and in general the easier they are to remember, the less secure they are. When passwords are used across multiple websites, they become even weaker.Manuel Blum, a professor of computer science at Carnegie Mellon University who won the Turing Award in 1995, has been working...
---------------------------------------------
http://www.csoonline.com/article/2978170/data-protection/tired-of-memorizin…
*** What Can you Learn from Metadata? ***
---------------------------------------------
An Australian reporter for the ABC, Will Ockenden published a bunch of his metadata, and asked people to derive various elements of his life. They did pretty well, even though they were amateurs, which should give you some idea what professionals can do....
---------------------------------------------
https://www.schneier.com/blog/archives/2015/09/what_can_you_le.html
*** Cisco AsyncOS for Cisco Email Security Appliance and Cisco Web Security Appliance Cluster Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39785
*** Cisco ASR 1000 Series Aggregation Services Routers Data-Plane Processing Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=40708
*** DSA-3346 drupal7 - security update ***
---------------------------------------------
Several vulnerabilities were discovered in Drupal, a content managementframework:
---------------------------------------------
https://www.debian.org/security/2015/dsa-3346
*** IBM Security Bulletins ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_gb
*** Bugtraq: [security bulletin] HPSBMU03401 rev.1 - HP Operations Manager for UNIX and Linux, Remote Unauthorized Modification, Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536363
*** Bugtraq: [security bulletin] HPSBGN03403 rev.1 - HP Virtualization Performance Viewer, Remote Unauthorized Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536364
*** DFN-CERT-2015-1329: MediaWiki: Mehrere Schwachstellen ermöglichen u.a. einen Denial-of-Service-Angriff ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1329/
*** Security Advisory: Apache HTTP server vulnerability CVE-2008-0455 ***
---------------------------------------------
(SOL17201)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/17000/200/sol17201.htm…
*** USN-2727-1: GnuTLS vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-2727-11st September, 2015gnutls28 vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04SummaryGnuTLS could be made to crash or run programs if it processed a speciallycrafted certificate.Software description gnutls28 - GNU TLS library DetailsIt was discovered that GnuTLS incorrectly handled parsing CRL distributionpoints. A remote attacker could possibly use this issue to cause a denialof service, or execute arbitrary
---------------------------------------------
http://www.ubuntu.com/usn/usn-2727-1/
*** USN-2726-1: Expat vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-2726-131st August, 2015expat vulnerabilityA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryExpat could be made to crash or run programs as your login if it opened aspecially crafted file.Software description expat - XML parsing C library DetailsIt was discovered that Expat incorrectly handled malformed XML data. If auser or application linked against Expat were tricked into opening acrafted
---------------------------------------------
http://www.ubuntu.com/usn/usn-2726-1/
*** VU#361684: Router devices do not implement sufficient UPnP authentication and security ***
---------------------------------------------
Vulnerability Note VU#361684 Router devices do not implement sufficient UPnP authentication and security Original Release date: 31 Aug 2015 | Last revised: 31 Aug 2015 Overview Home routers implementing the UPnP protocol do not sufficiently randomize UUIDs in UPnP control URLs, or implement other UPnP security measures. Description The UPnP protocol allows automatic device discovery and interaction with devices on a network. The UPnP protocol was originally designed with the threat model of
---------------------------------------------
http://www.kb.cert.org/vuls/id/361684
*** VU#201168: Belkin N600 DB Wireless Dual Band N+ router contains multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#201168 Belkin N600 DB Wireless Dual Band N+ router contains multiple vulnerabilities Original Release date: 31 Aug 2015 | Last revised: 31 Aug 2015 Overview Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17 and possibly earlier, contains multiple vulnerabilities. Description CWE-330: Use of Insufficiently Random Values - CVE-2015-5987DNS queries originating from the Belkin N600, such as those to resolve the names of firmware
---------------------------------------------
http://www.kb.cert.org/vuls/id/201168
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 28-08-2015 18:00 − Montag 31-08-2015 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** OWASP veröffentlicht Handbuch zum Schutz gegen automatisierte Angriffe ***
---------------------------------------------
Als Hilfe für das Absichern von Webanwendungen hat die Non-Profit-Organisation OWASP ein Handbuch für Entwickler herausgebracht, das bislang wenig beachtete Angriffe beschreibt.
---------------------------------------------
http://heise.de/-2794167
*** Spionage-Trojaner Regin: Symantec entdeckt 49 weitere Module ***
---------------------------------------------
Das Sicherheitsunternehmen Symantec hatte Ende des vergangenen Jahres die Ausspähungssoftware "Regin" entdeckt. Nun warten die Experten mit neuen Einzelheiten auf.
---------------------------------------------
http://heise.de/-2794176
*** Linux Foundation releases PARANOID internal infosec guide ***
---------------------------------------------
Workstation security tips for system administrators. Linux Foundation project director Konstantin Ryabitsev has publicly-released the penguinistas internal hardening requirements to help sysadmins and other paranoid tech bods and system administrators secure their workstations.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/08/31/harden_like…
*** Detecting file changes on Microsoft systems with FCIV, (Mon, Aug 31st) ***
---------------------------------------------
Microsoft releases often interesting tools to help system administrators and incident handlers to investigate suspicious activities on Windows systems. In 2012, they released a free tool called FCIV(File Checksum Integrity Verifier)(1). It is a stand alone executable which does not require any DLL or other resources. Just launch it from any location.Its goal is to browse a file system or some directories recursively and to generate MD5/SHA1 hashes of all the files found. The results are saved in a...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20091&rss
*** Schwachstellen in Kontrollsoftware von Kraftwerken und Raffinerien ***
---------------------------------------------
Siemens und Schneider Electric haben eine Reihe von Lücken in SCADA-Systemen geschlossen. Zum Teil kommt die betroffene Software auch in deutschen Kraftwerken zum Einsatz.
---------------------------------------------
http://heise.de/-2794724
*** Security: Standardpasswörter bei Heimroutern entdeckt ***
---------------------------------------------
Mindestens fünf Router diverser Hersteller haben leicht zu erratene Standardpasswörter für den administrativen Zugang. Mit ihnen lassen sich die Geräte aus der Ferne manipulieren.
---------------------------------------------
http://www.golem.de/news/security-standardpasswoerter-bei-heimroutern-entde…
*** Contributor Conference: Owncloud führt Programm für Bug-Bounties ein ***
---------------------------------------------
Hacker können nun auch mit der Sicherheitsprüfung von Owncloud Geld verdienen. Die Prämien können sich allerdings noch nicht mit denen von großen Unternehmen wie Google oder Microsoft messen.
---------------------------------------------
http://www.golem.de/news/contributor-conference-owncloud-fuehrt-programm-fu…
*** Whos afraid of shadow IT? ***
---------------------------------------------
One of the biggest disruptions in the IT world is the quantity and quality of SaaS tools. From email and storage, to phone systems and infrastructure, it has never been easier to use top of the range ...
---------------------------------------------
http://www.net-security.org/article.php?id=2373
*** KeyRaider Malware Steals Certificates, Keys and Account Data From Jailbroken iPhones ***
---------------------------------------------
Researchers have discovered a new strain of iOS malware dubbed KeyRaider that targets jailbroken devices and has the ability to steal certificates, private keys, and Apple account information. The malware already has claimed the private Apple account data of more than 225,000 victims. The KeyRaider malware was discovered by researchers at Palo Alto Networks, who...
---------------------------------------------
http://threatpost.com/keyraider-malware-steals-certificates-keys-and-accoun…
*** SSD Advisory - AppLock Multiple Vulnerabilities ***
---------------------------------------------
The following report describes three ( 3 ) different vulnerabilities found in the AppLock, an Android application, with over 10 Millions of downloads, used to secure pictures, videos and application with a PIN code.
---------------------------------------------
https://blogs.securiteam.com/index.php/archives/2558
*** DRDoS, UDP-Based protocols and BitTorrent ***
---------------------------------------------
On July 1st, 2015, the security team at BitTorrent received a report [1] from Florian Adamsky about Distributed Reflective Denial of Service (DRDoS) vulnerabilities affecting several BitTorrent products making use of UDP-based [2] protocols. uTorrent, BitTorrent and BitTorrent Sync use the Micro Transport Protocol (µTP) [3] implementation in libuTP [4] as the preferred transport backend running on top of UDP. While these vulnerabilities have been described before in other alerts [5] in...
---------------------------------------------
http://engineering.bittorrent.com/2015/08/27/drdos-udp-based-protocols-and-…
*** Patch für Schwachstelle in Hewlett Packard lt4112 LTE/HSPA+ Gobi 4G Module (Remote Execution of Arbitrary Code) ***
---------------------------------------------
Hewlett Packard hat ein Security Bulletin zu einer Sicherheitslücke im HP lt4112 LTE/HSPA+ Gobi 4G Module veröffentlicht. Die Schwachstelle erlaubt einem entfernten Angreifer das Ausführen beliebigen Codes. Ein Firmware-Update, welches das Problem behebt, ist verfügbar. CVE-Nummern: CVE-2015-5367, CVE-2015-5367 CVSS2 Base Score: 6.9...
---------------------------------------------
http://www.cert.at/services/blog/20150831172201-1588.html
*** TA15-240A: Controlling Outbound DNS Access ***
---------------------------------------------
Original release date: August 28, 2015 Systems Affected Networked systems Overview US-CERT has observed an increase in Domain Name System (DNS) traffic from client systems within internal networks to publically hosted DNS servers. Direct client access to Internet DNS servers, rather than controlled access through enterprise DNS servers, can expose an organization to unnecessary security risks and system inefficiencies. This Alert provides recommendations for improving security related to...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA15-240A
*** NetIQ Access Manager 4.1 Support Pack 1 Hot Fix 1 4.1.1.1-9 ***
---------------------------------------------
Abstract: NetIQ Access Manager 4.1 Support Pack 1 Hot Fix 1 build (version 4.1.1.1-9). This file contains updates for services contained in the NetIQ Access Manager 4.1 product and requires 4.1 SP1 to be installed as a minimum. NetIQ recommends that all customers running Access Manager 4.1 release code apply this patch. The purpose of the patch is to provide a bundle of fixes for security issues that have surfaced since NetIQ Access Manager 4.1 SP1 was released. These fixes include updates to...
---------------------------------------------
https://download.novell.com/Download?buildid=ceIVdhBEV2o~
*** Edimax PS-1206MF Web Admin Auth Bypass ***
---------------------------------------------
Topic: Edimax PS-1206MF Web Admin Auth Bypass Risk: High Text:# Title: Edimax PS-1206MF - Web Admin Auth Bypass # Date: 30.08.15 # Vendor: edimax.com # Firmware version: 4.8.25 # Author...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015080183
*** HPSBMU03416 rev.1 - HP Data Protector, Remote Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP Data Protector. This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" also known as "Poodle", which could be exploited remotely to allow disclosure of information.
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04776510
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Potential Information Disclosure vulnerability could expose user personal data in WebSphere Commerce (CVE-2015-4980) ***
http://www.ibm.com/support/docview.wss?uid=swg21965013
*** IBM Security Bulletin: Java CVE-2015-2590 ***
http://www.ibm.com/support/docview.wss?uid=nas8N1020888
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Sterling Connect:Direct for HP NonStop (CVE-2015-1792, CVE-2015-1789, CVE-2015-1790) ***
http://www.ibm.com/support/docview.wss?uid=swg21963603
*** IBM Security Bulletin: Apache Tomcat Vulnerability in Algo Audit and Compliance (CVE-2014-0230 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21963664
*** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2014-0230) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005258
*** IBM Security Bulletin: Vulnerability in Rational DOORS Next Generation and Rational Requirements Composer with potential for Cross Site Scripting attack (CVE-2015-1917) ***
http://www.ibm.com/support/docview.wss?uid=swg21713610
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Storwize V7000 Unified (CVE-2013-7423) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005316
*** Security Bulletin: Multiple vulnerabilities in libxml2 affect IBM Flex System Manger (FSM) (CVE-2013-2877, CVE-2014-0191, CVE-2014-3660) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098592
*** Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM) (Multiple CVEs) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098591
*** WordPress Responsive Thumbnail Slider 1.0 Shell Upload ***
---------------------------------------------
Topic: WordPress Responsive Thumbnail Slider 1.0 Shell Upload Risk: High Text:<!-- # Exploit Title: Wordpress Responsive Thumbnail Slider Arbitrary File Upload # Date: 2015/8/29 # Exploit Author: Arash ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015080170
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 27-08-2015 18:00 − Freitag 28-08-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security Update: Hotfix Available for ColdFusion (APSB15-21) ***
---------------------------------------------
A Security Bulletin (APSB15-21) has been published regarding a hotfix for ColdFusion. This hotfix addresses an important vulnerability that could result in information disclosure. Adobe recommends users apply the hotfix using the instructions provided ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1262
*** DSA-3344 php5 - security update ***
---------------------------------------------
https://www.debian.org/security/2015/dsa-3344
*** Cisco Identity Services Engine Guest Portal Unauthorized Access Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Identity Services Engine (ISE) guest portal could allow an unauthenticated, remote attacker to view a customized page on the guest portal. The vulnerability is due to lack of access control for the uploaded HTML files. An attacker could exploit this vulnerability ..
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=40691
*** BitTorrent kills bug that turns networks into a website-slaying weapon ***
---------------------------------------------
Reflective technique would let attacker amplify traffic and flood targets BitTorrent has fixed a flaw in its technology that quietly turns file-sharing networks into weapons ..
---------------------------------------------
www.theregister.co.uk/2015/08/28/bittorrent_blasts_bug/
*** Google makes it official: Chrome will freeze Flash ads on sight from Sept 1 ***
---------------------------------------------
Browser to make most stuff click-to-play by default Google is making good on its promise to strangle Adobe Flashs ability to ..
---------------------------------------------
www.theregister.co.uk/2015/08/28/google_says_flash_ads_out_september/
*** BSI warnt vor Risiko bei Intels Fernwartungstechnik AMT ***
---------------------------------------------
Das Bundesamt für Sicherheit in der Informationstechnik rät dazu, die Konfiguration von Notebooks und Desktop-PCs mit Intels Active Management Technology zu prüfen: Bei manchen ..
---------------------------------------------
http://heise.de/-2792791
*** Business Email Scams: A Growing Threat ***
---------------------------------------------
Business Email Scams: is that email from the CEO asking for a wire transfer the real deal? Learn to spot ..
---------------------------------------------
https://blog.malwarebytes.org/online-security/2015/08/business-email-scams-…
*** Moxa SoftCMS Buffer Overflow Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for buffer overflow vulnerabilities in the Moxa SoftCMS software package.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-239-01
*** Siemens SIMATIC S7-1200 CSRF Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for Cross-Site Request Forgery vulnerability in the SIMATIC S7 1200 CPUs.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-239-02
*** Innominate mGuard VPN Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a denial-of-service vulnerability in the Innominate mGuard device
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-239-03
*** This PUP Alerts You of a Zombie Invasion ***
---------------------------------------------
Apps are constantly created to address certain needs. The more helpful an app claims to be, especially in times of crisis, the more users would likely take interest in ..
---------------------------------------------
https://blog.malwarebytes.org/online-security/2015/08/draft-this-pup-alerts…
*** Fake EFF site serving espionage malware was likely active for 3+ weeks ***
---------------------------------------------
A spear-phishing campaign some researchers say is linked to the Russian government masqueraded as the Electronic Frontier Foundation in an attempt to infect targets with malware ..
---------------------------------------------
http://arstechnica.com/security/2015/08/fake-eff-site-serving-espionage-mal…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 26-08-2015 18:00 − Donnerstag 27-08-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Paper: Not a GAMe maKER ***
---------------------------------------------
Raul Alvarez performs low-level analysis of information-stealing trojan.The Gamker information-stealing trojan (also known as Shiz) has been around for a few years. It made the news back in 2013 when it was found to target SAP ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/08_26.xml
*** Patched Ins0mnia Vulnerability Keeps Malicious iOS Apps Hidden ***
---------------------------------------------
Apple's monster security update of Aug. 13 included a patch for an iOS vulnerability that could beacon out location data and other personal information from a device, even if a ..
---------------------------------------------
http://threatpost.com/patched-ins0mnia-vulnerability-keeps-malicious-ios-ap…
*** Concerns new Tor weakness is being exploited prompt dark market shutdown ***
---------------------------------------------
A dark market website that relies on the Tor privacy network to keep its operators anonymous is temporarily shutting down amid concerns attackers are exploiting a newly reported weakness ..
---------------------------------------------
http://arstechnica.com/security/2015/08/concerns-new-tor-weakness-is-being-…
*** Cisco ACE 4710 Application Control Engine CLI Privilege Escalation Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=40666
*** PDF + maldoc1 = maldoc2 ***
---------------------------------------------
I received another example of a PDF file that contains a malicious MS Office document. Sample (MD5 0c044fd59cc6ccc28a48937bc69cc0c4). This time I want to focus on the analysis of such a sample. First we run pdfid to identify the sample. It contains ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20079
*** Taking root ***
---------------------------------------------
We analyzed the statistics we had collected from May to August 2015 and identified three main Trojan families that use root privileges on the device to achieve their goals.
---------------------------------------------
http://securelist.com/blog/mobile/71981/taking-root/
*** Throwback Thursday: Safe Hex in the 21st Century ***
---------------------------------------------
This Throwback Thursday, we turn the clock back to July 2000, when we were already being warned that virus scanners were no longer enough.How many times have we heard commentators claim that anti-virus is dead? After all, in the current ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/08_27.xml
*** Phisher greifen iranische Aktivisten an, umgehen Googles Multifaktor-Anmeldung ***
---------------------------------------------
Eine Serie von Phishing-Angriffen hat es anscheinend auf iranische Aktivisten und Dissidenten abgesehen. Auch eine hochrangige Mitarbeiterin der EFF wurde angegriffen.
---------------------------------------------
http://heise.de/-2792580
*** Important Notice Regarding Public Availability of Stable Patches ***
---------------------------------------------
Grsecurity has existed for over 14 years now. During this time it has been the premier solution for hardening Linux against security exploits and served as a role model for many mainstream commercial applications elsewhere. All modern OSes took our lead and implemented to varying degrees a number of security ..
---------------------------------------------
https://grsecurity.net/announce.php
*** Angler Exploit Kit Strikes on MSN.com via Malvertising Campaign ***
---------------------------------------------
The same actors behind the recent Yahoo and Azure malvertising attacks went after MSN.com this time.
---------------------------------------------
https://blog.malwarebytes.org/malvertising-2/2015/08/angler-exploit-kit-str…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 25-08-2015 18:00 − Mittwoch 26-08-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Windows 10^H^H Symbolic Link Mitigations ***
---------------------------------------------
For the past couple of years I've been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I've used multiple times is abusing the symbolic link facilities of the Windows operating system to redirect privileged code to create ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2015/08/windows-10hh-symbolic-link-mi…
*** VB2015 preview: advanced persistent threats ***
---------------------------------------------
There was a time when analyses of malware and viruses at the Virus Bulletin conference used the number of infections as a measure of the harm done. And while there are still many talks on what is now referred to as opportunistic malware, targeted ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/08_25.xml
*** Dropbox Phishing via Compromised Wordpress Site, (Tue, Aug 25th) ***
---------------------------------------------
I got a couple of emails today notifying me of a Compulsory Email Account Update for my Dropbox account. The e-mails do overall mimic the Dropbox look and feel, and use dropbox(a)smtp.com ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20073
*** Cisco TelePresence Video Communication Server Expressway TFTP Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=40620
*** FunWebProducts UserAgent Bloating Traffic ***
---------------------------------------------
Every once in a while we get a case that makes us dig deep to find answers. We have spoken before about the trouble with forensics and reasons why websites get hacked. Sometimes though, the answer is not clear and we can only gather clues to make ..
---------------------------------------------
https://blog.sucuri.net/2015/08/funwebproducts-useragent-bloating-traffic.h…
*** Actor that tried Neutrino exploit kit now back to Angler ***
---------------------------------------------
Last week, we saw the group behind a significant amount of Angler exploit kit (EK) switch to Neutrino EK. We didnt know if the change was permanent, and I also noted that criminal groups using EKs have quickly changed tactics ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20075
*** l+f: https-fuer-Fortgeschrittene ***
---------------------------------------------
Googles Chrome und die Open-Source-Basis Chromium laden eine Reihe von Web-Seiten immer via gesichertem HTTPS - darunter auch viele deutsche.
---------------------------------------------
http://heise.de/-2790788
*** Endress+Hauser HART Device DTM Vulnerability ***
---------------------------------------------
Alexander Bolshev and Svetlana Cherkasova of Digital Security have identified an improper input vulnerability in the CodeWrights GmbH HART Device Type Manager (DTM) library used in Endress+Hauser HART Device DTM. CodeWrights GmbH has addressed the vulnerability with a new library, which Endress+Hauser has begun to integrate.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-237-01
*** Dynamic DNS and You Part 2: Identifying the Threat ***
---------------------------------------------
Greetings! You all really seemed to like my last post on Dynamic DNS, so Ive been invited to come back and talk more about it. In part 1 , we discussed the uses of Dynamic DNS, as well as the various providers of the service and how it all ..
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/dynamic-dns-and-you-pa…
*** Netflix Is Dumping Anti-Virus, Presages Death Of An Industry ***
---------------------------------------------
For years, nails have been hammering down on the coffin of anti-virus. But none have really put the beast to bed. An industry founded in the 1980s, a time when John McAfee was known as a pioneer rather than a tequila-downing rascal, ..
---------------------------------------------
http://www.forbes.com/sites/thomasbrewster/2015/08/26/netflix-and-death-of-…
*** CryptoGirl on StageFright: A Detailed Explanation ***
---------------------------------------------
Detecting the PoCs published by Zimperium is not difficult: you can fingerprint the PoCs, for example. Detecting variants of the PoCs, i.e., MP4s that use one of the discovered vulnerabilities, is far more difficult. Ill explain why in a ..
---------------------------------------------
http://blog.fortinet.com/post/cryptogirl-on-stagefright-a-detailed-explanat…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 24-08-2015 18:00 − Dienstag 25-08-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Signed Dridex Campaign ***
---------------------------------------------
Malware authors use various means to make their malware look similar to legitimate software. One such approach involves signing a malware sample with a digital certificate. Recently we saw Dridex malware authors using this technique while ..
---------------------------------------------
http://research.zscaler.com/2015/08/signed-dridex-campaign.htm
*** AlienSpy RAT Resurfaces as JSocket ***
---------------------------------------------
The dismantled AlientSpy remote access Trojan, the same malware found on the phone of dead Argentine prosecutor Alberto Nisman, has resurfaced with new crypto and a new name.
---------------------------------------------
http://threatpost.com/alienspy-rat-resurfaces-as-jsocket/114385
*** Cisco Prime Infrastructure Web Interface Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=40652
*** RTF Exploit Installs Italian RAT: uWarrior ***
---------------------------------------------
Unit 42 researchers have observed a new Remote Access Tool (RAT) constructed by an unknown actor of Italian origin. This RAT, referred to as uWarrior because of embedded PDB strings, has been previously described ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-ita…
*** Multiple vulnerabilities in Hewlett-Packard KeyView IDOL ***
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-405http://www.zerodayinitiative.com/advisories/ZDI-15-404http://www.zerodayinitiative.com/advisories/ZDI-15-403http://www.zerodayinitiative.com/advisories/ZDI-15-402http://www.zerodayinitiative.com/advisories/ZDI-15-401http://www.zerodayinitiative.com/advisories/ZDI-15-400http://www.zerodayinitiative.com/advisories/ZDI-15-399http://www.zerodayinitiative.com/advisories/ZDI-15-398http://www.zerodayinitiative.com/advisories/ZDI-15-397
*** Ask Sucuri: How Did My WordPress Website Get Hacked? ***
---------------------------------------------
With the proliferation of Infrastructure and Platform as a Service providers, it is no surprise that a majority of today's websites are hosting in the proverbial cloud. This is great because it allows organizations and individuals alike to quickly deploy their websites, with relatively little overhead ..
---------------------------------------------
https://blog.sucuri.net/2015/08/ask-sucuri-how-did-my-wordpress-website-get…
*** What I learned from cracking 4000 Ashley Madison passwords ***
---------------------------------------------
When the Ashley Madison database first got dumped, there was an interesting contingent of researchers talking about how pointless it would be to crack the passwords, ..
---------------------------------------------
http://www.pxdojo.net/2015/08/what-i-learned-from-cracking-4000.html
*** Browsefox variant High Stairs ***
---------------------------------------------
https://blog.malwarebytes.org/security-threat/2015/08/browsefox-variant-hig…
*** Datenschutz: Ashley Madison wusste von gravierenden Sicherheitsmängeln ***
---------------------------------------------
Einige Wochen vor dem Angriff des Impact Teams warnten interne Sicherheitsexperten vor gravierenden Mängeln in der Infrastruktur der Webseite.
---------------------------------------------
http://www.golem.de/news/datenschutz-ashley-madison-wusste-von-gravierenden…
*** Ashley Madison: Gehackte Seitensprung-Site hackte eigene Konkurrenz ***
---------------------------------------------
Die Dating-Webseite, die vor kurzem Opfer eines Hacker-Angriffs und Datenleck wurde, hat vor einigen Jahren selbst eine Konkurrenzplattform angegriffen. Dabei soll der Technikchef von Ashley Madison die Datenbank der Konkurrenz kopiert haben.
---------------------------------------------
http://heise.de/-2790189
*** Are Data Breaches Getting Larger? ***
---------------------------------------------
This research says that data breaches are not getting larger over time. "Hype and Heavy Tails: A Closer Look at Data Breaches," by Benjamin Edwards, Steven Hofmeyr, and Stephanie Forrest: Abstract: Recent widely publicized data breaches have ..
---------------------------------------------
https://www.schneier.com/blog/archives/2015/08/are_data_breach.html
*** You are the weakest link - goodbye! ***
---------------------------------------------
On my first visit to Team Cymru's HQ in Lake Mary, Florida, I found myself reading the wall hangings and looking at the pictures depicting specific times in history. Many of them depicting the inspiring words of leaders such as Churchill. It lead me to think about the many lessons that can we learn from ..
---------------------------------------------
https://blog.team-cymru.org/2015/08/you-are-the-weakest-link-goodbye/
*** Github Mitigates DDoS Attack ***
---------------------------------------------
Github said it turned back a distributed denial of service attack; it's unknown whether this attack is related to a similar attack this March.
---------------------------------------------
http://threatpost.com/github-mitigates-ddos-attack/114403
*** Gehackter Samsung-Kühlschrank verrät Gmail-Anmeldedaten ***
---------------------------------------------
Auf der Hackerkonferenz DEFCON wurde eine Methode präsentiert, mit der ein Kühlschrank-Modell von Samsung dazu gebracht werden kann, Gmail-Log-ins zu verraten.
---------------------------------------------
http://futurezone.at/digital-life/gehackter-samsung-kuehlschrank-verraet-gm…
*** Certifi-Gate: Missbräuchliche App im Google Play Store entdeckt ***
---------------------------------------------
Sicherheitsforscher präsentierten vor wenigen Wochen eine Schwachstelle, die Fernverwaltungs-Software wie Teamviewer betrifft. Im Nachgang fanden die Forscher eine App in Googles Play Store, die genau diese Schwäche ausnutzt.
---------------------------------------------
http://heise.de/-2790706
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 21-08-2015 18:00 − Montag 24-08-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Extortionists Target Ashley Madison Users ***
---------------------------------------------
People who cheat on their partners are always open to extortion by the parties involved. But when the personal details of millions of cheaters gets posted online for anyone to download - as is the case with the recent hack of infidelity hookup ..
---------------------------------------------
http://krebsonsecurity.com/2015/08/extortionists-target-ashley-madison-user…
*** Exploring a 'Malwarebytes Anti-Malware for Windows 10 - website' ***
---------------------------------------------
Here at Malwarebytes, we offer support for a wide variety of Windows Operating Systems - from XP right up to Windows 10. The latter OS is the starting point for this blog post, with a website located ..
---------------------------------------------
https://blog.malwarebytes.org/online-security/2015/08/exploring-an-mbam-for…
*** One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation ***
---------------------------------------------
This is the final part #4 of the 'One font vulnerability to rule them all' blog post series. In the previous posts, we introduced the 'blend' PostScript operator vulnerability and successfully used it to first exploit Adobe Reader, and later escape ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2015/08/one-font-vulnerability-to-rul…
*** Cisco Wireless LAN Controller IPv6 IAPP WIPS Report Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=40586
*** BSI: Richtlinie für sicheren Mail-Transport zeigt bereits Wirkung ***
---------------------------------------------
Mit dem Erscheinen der Richtlinie wird leichter verständlich, weshalb Web.de und GMX nicht nur die PGP-Verschlüsselung für Mails eingeführt haben, sondern überraschend auch auf die Sicherheitstechniken DNSSEC und DANE setzen.
---------------------------------------------
http://heise.de/-2788316
*** MMD-0039-2015 - ChinaZ made new malware: ELF Linux/BillGates.Lite ***
---------------------------------------------
There are tweets I posted which is related to this topic, Our team spotted the sample a week ago. And this post is the promised details, I am sorry for the delay for limited resource that we have since for a week I focused to help ..
---------------------------------------------
http://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malwar…
*** Google Analyticator <= 6.4.9.4 - Multiple Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8159
*** Sending Windows Event Logs to Logstash ***
---------------------------------------------
This topic is not brand new, there exists plenty of solutions to forward Windows event logs to Logstash (OSSEC, Snare or NXlog amongst many others). They perform a decent job to collect events on running systems ..
---------------------------------------------
https://blog.rootshell.be/2015/08/24/sending-windows-event-logs-to-logstash/
*** Mass FTP Crawling ***
---------------------------------------------
The combination of interesting files one can find on public FTP servers plus the technical expertise required to make a decent search engine motivated me to write Findex and ultimately this article.
---------------------------------------------
http://findex.cedsys.nl/research/mass-ftp-crawling/
*** Bundestags-IT nach Reparatur wieder online ***
---------------------------------------------
Das IT-System des Deutschen Bundestags ist nach mehrtägigen Reparaturarbeiten am Montag wieder hochgefahren worden. Nach Behebung der Folgen eines Hackerangriffs ging das System wieder ans Netz, wie eine Parlamentssprecherin bestätigte. Die Abgeordneten und Mitarbeiter wurden demnach per Lautsprecher am Montagvormittag über den Neustart des Systems informiert.
---------------------------------------------
http://derstandard.at/2000021189218
*** Compromising a honeypot network through the Kippo password when logstash exec is used ***
---------------------------------------------
We have been playing with Honeypots lately (shoutout to Theo and Sebastian for adding their honeypots to the network), collecting and visualizing the data from the honeypots is done ..
---------------------------------------------
https://forsec.nl/2015/08/compromising-a-honeypot-network-through-the-kippo…
*** Exploiting the Mercury Browser for Android ***
---------------------------------------------
The Mercury Browser for Android suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. Chaining these vulnerabilities together can allow a ..
---------------------------------------------
http://rotlogix.com/2015/08/23/exploiting-the-mercury-browser-for-android/
*** Username Enumeration against OpenSSH/SELinux with CVE-2015-3238 ***
---------------------------------------------
I recently disclosed a low-risk vulnerability in Linux-PAM versions prior to 1.2.1 which allows attackers to conduct username enumeration and denial of service attacks. The purpose of this post is to provide more technical details around this vulnerability.
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Username-Enumeration-ag…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 20-08-2015 18:00 − Freitag 21-08-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Top 3 biggest mistakes enterprises make in application security ***
---------------------------------------------
Enterprise information security encompasses a broad set of disciplines and technologies, but at the highest level it can be broken down into three main categories: network security, endpoint security ...
---------------------------------------------
http://www.net-security.org/article.php?id=2362
*** Apple Patches QuickTime Crash and Code Execution Flaws ***
---------------------------------------------
Apple pushed out a new version of QuickTime that patched nine vulnerabilities, including a handful of denial of service and code execution bugs.
---------------------------------------------
http://threatpost.com/apple-patches-quicktime-crash-and-code-execution-flaw…
*** Security Awareness for Managers: Protecting Yourself and Your Company ***
---------------------------------------------
Nowadays, security awareness training (SAT) is a top priority for organizations of any sizes. Thanks to SAT, management and employees can understand IT governance issues and control solutions as well as recognize concerns, understand their relevance and respond accordingly. Many companies invest heavily in cybersecurity education programs for employees to learn how to protect their...
---------------------------------------------
http://resources.infosecinstitute.com/security-awareness-for-managers-prote…
*** WordPress Compromises Behind Spike in Neutrino EK Traffic ***
---------------------------------------------
A rash of compromised WordPress websites is behind this week's surge in Neutrino Exploit Kit traffic
---------------------------------------------
http://threatpost.com/wordpress-compromises-behind-spike-in-neutrino-ek-tra…
*** National Cyber Security Strategies: the latest news ***
---------------------------------------------
http://www.enisa.europa.eu/media/news-items/national-cyber-security-strateg…
*** APPLE-SA-2015-08-20-1 QuickTime 7.7.8 ***
---------------------------------------------
APPLE-SA-2015-08-20-1 QuickTime 7.7.8QuickTime 7.7.8 is now available and addresses the following:QuickTimeAvailable for: Windows 7 and Windows VistaImpact: Processing a maliciously crafted file may lead to anunexpected application termination or arbitrary code execution [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2015/Aug/msg00004.ht…
*** ZDI-15-395: Foxit Reader GIF Conversion Heap Corruption Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-395/
*** ZDI-15-396: ManageEngine Service Desk File Upload Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine ServiceDesk. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-396/
*** Splunk Input Validation Flaw in Splunk Web Lets Remote Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1033339
*** Bugtraq: ESA-2015-132: EMC Documentum D2 Fail Open Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536278
*** Bugtraq: [oCERT-2015-009] VLC arbitrary pointer dereference ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536287