=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 21-01-2016 18:00 − Freitag 22-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Scanning for Fortinet ssh backdoor, (Thu, Jan 21st) ***
---------------------------------------------
On 11 Jan, a Python script was posted on the full-disclosure mailing list that took advantage of a hardcoded ssh password in some older versions of various products from Fortinet (see complete list in Ref [1] below). Looking at our collected ssh data, weve seen an increase in scanning for those devices in the days since the revelation of the vulnerability. Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20635&rss
*** Unknown attackers are infecting home routers via dating sites ***
---------------------------------------------
Damballa researchers have spotted an active campaign aimed at infecting as many home routers possible with a worm. A variant of the TheMoon worm, it works by taking advantage of a weakness in the H...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3192
*** Security: Auch Kreditkarten mit Chip und PIN können kopiert werden ***
---------------------------------------------
Bislang war bekannt, dass Kreditkarten mit Magnetstreifen mit trivialen Mitteln kopierbar sind. Aktuelle Recherchen zeigen, dass auch Karten mit dem besser gesicherten Chip-und-PIN-Verfahren kopiert werden können - weil einige Banken schlampen.
---------------------------------------------
http://www.golem.de/news/security-auch-kreditkarten-mit-chip-und-pin-koenne…
*** Fraunhofer ESK: Skype ist Sicherheitsrisiko für Firmen ***
---------------------------------------------
Wissenschaftler des Fraunhofer-ESK-Instituts haben Microsofts Instant-Messaging-Dienst Skype untersucht und raten Firmen vom Einsatz ab. Vor allem wegen der Netzarchitektur und der Verschlüsselung haben sie Sicherheitsbedenken.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Fraunhofer-ESK-Skype-ist-Sicherheits…
*** Extracting pcap from memory , (Fri, Jan 22nd) ***
---------------------------------------------
I have talked many times about memory forensics and how useful its. In this diary I am going to talk about how to extract a pcap file from a memory image using bulk_extractor. Of course when we are extracting a pcap file from a memory image we are going to not have everything but there will be some remanence that can help in our investigation bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20639&rss
*** Trojan.DNSChanger circumvents Powershell restrictions ***
---------------------------------------------
We take a close look at the functionality of a new variant of the DNS-changer adware family. Especially the use of encoded scripts as a way to bypass the Powershell execution protection.Categories: Security ThreatTags: adwarechangerdnsPieter Arntzpowershellrestrictedrestrictionstrojan(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/security-threat/2016/01/trojan-dnschanger-cir…
*** Citrix XenServer Security Update for CVE-2016-1571 ***
---------------------------------------------
A security vulnerability has been identified in Citrix XenServer that could, if exploited, allow a malicious administrator of a guest VM to crash the host in certain deployments. This vulnerability affects all currently supported versions of Citrix XenServer up to and including Citrix XenServer 6.5 Service Pack 1.
---------------------------------------------
https://support.citrix.com/article/CTX205496
*** Multiple Buffalo network devices vulnerable to cross-site scripting ***
---------------------------------------------
Multiple network devices provided by BUFFALO INC. contain a cross-site scripting vulnerability.
---------------------------------------------
http://jvn.jp/en/jp/JVN49225722/
*** Multiple Buffalo network devices vulnerable to cross-site request forgery ***
---------------------------------------------
Multiple network devices provided by BUFFALO INC. contain a cross-site request forgery vulnerability.
---------------------------------------------
http://jvn.jp/en/jp/JVN09268287/
*** DSA-3451 fuse - security update ***
---------------------------------------------
Jann Horn discovered a vulnerability in the fuse (Filesystem inUserspace) package in Debian. The fuse package ships an udev ruleadjusting permissions on the related /dev/cuse character device, makingit world writable.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3451
*** DFN-CERT-2016-0129: NTP: Eine Schwachstelle ermöglicht das Erlangen von Administratorrechten ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0129/
*** DFN-CERT-2016-0125: Red Hat JBoss Web Server: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe und das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0125/
*** USN-2879-1: rsync vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-2879-121st January, 2016rsync vulnerabilityA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 15.04 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryrsync could be made to write files outside of the expected directory.Software description rsync - fast, versatile, remote (and local) file-copying tool DetailsIt was discovered that rsync incorrectly handled invalid filenames. Amalicious server could use this issue to write files outside of...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2879-1/
*** CAREL PlantVisor Enhanced Authentication Bypass Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an authorization bypass vulnerability in CAREL's PlantVisor application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-021-01
*** Security Advisory: NTP vulnerabilities CVE-2015-5194 and CVE-2015-5195 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/02/sol02360853.html?…
*** Bugtraq: January 2016 - Bamboo - Critical Security Advisory ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537347
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 20-01-2016 18:00 − Donnerstag 21-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Asacub Android Trojan: Financial fraud and information stealing ***
---------------------------------------------
Asacub is a new malware that targets Android users for financial gain. When first identified, Asacub displayed all the signs of an information stealing malware; however, some versions of the Trojan ar...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3190
*** TeslaCrypt Decrypted: Flaw in TeslaCrypt allows Victims to Recover their Files ***
---------------------------------------------
For a little over a month, researchers and previous victims have been quietly helping TeslaCrypt victims get their files back using a flaw in the TeslaCrypts encryption key storage algorithm. The information that the ransomware could be decrypted was being kept quiet so that that the malware developer would not learn about it and fix the flaw. Since the recently released TeslaCrypt 3.0 has fixed this flaw, we have decided to publish the information on how a victim could...
---------------------------------------------
http://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-…
*** El Chapos Opsec ***
---------------------------------------------
Ive already written about Sean Penns opsec while communicating with El Chapo. Heres the technique of mirroring, explained: El chapo then switched to a complex system of using BBM (Blackberrys Instant Messaging) and Proxies. The way it worked was if you needed to contact The Boss, you would send a BBM text to an intermediary (who would spend his days...
---------------------------------------------
https://www.schneier.com/blog/archives/2016/01/el_chapos_opsec.html
*** Cyber fraudsters steal over $50 million from airplane systems manufacturer ***
---------------------------------------------
Austrian company FACC, which develops and produces components and systems made of composite materials for aircraft and aircraft engine manufacturers such as Boeing and Airbus, has been hit by hackers who managed to steal approximately 50 million euros (around $54,5 million).
---------------------------------------------
http://www.net-security.org/secworld.php?id=19356http://www.net-security.org/secworld.php?id=18808 (An emerging global threat: BEC scams hitting more and more businesses)
*** Linux-Root-Exploit: Android-Bedrohung überschaubar ***
---------------------------------------------
Ein Mitglied des Android-Sicherheitsteams geht davon aus, dass nur wenige Android-Versionen durch die lokale Rechtausweitungslücke im Linux-Kernel verwundbar sind. Ein Patch ist in Arbeit.
---------------------------------------------
http://heise.de/-3080760
*** Captive-Portals: Das iPhone verrät Cookies ***
---------------------------------------------
Die Nutzung von WLANs mit Captive-Portals kann für iPhone-Nutzer zur Sicherheitsgefahr werden. Einen entsprechenden Bug haben israelische Sicherheitsforscher gefunden. Apple hat die Sicherheitslücke mittlerweile behoben.
---------------------------------------------
http://www.golem.de/news/captive-portals-das-iphone-verraet-cookies-1601-11…
*** Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices ***
---------------------------------------------
Your conference room, a watchful protector."AMX (www.amx.com) is part of the HARMAN Professional Division, and the leading brand for the business, education, and government markets for the company. As such, AMX is dedicated to integrating AV solutions for an IT World. AMX solves the complexity of managing technology with reliable, consistent and scalable systems comprising control and automation, system-wide switching and AV signal distribution, digital signage and technology management.
---------------------------------------------
http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in…
*** "Ermittlungen" ***
---------------------------------------------
"Ermittlungen" | 21. Jänner 2016 | Wir (mit Hut GovCERT) sind mal wieder vor Ort im Einsatz und helfen einer Organisation bei der Ursachenforschung und bei der Wiederherstellung der Services nach einem Sicherheitsvorfall. So weit so gut, dafür sind wir da, das ist unsere Aufgabe. Die Strafverfolgung ist aber definitiv nicht unsere Aufgabe. Das ist ganz klar und da behauptet auch keiner was anderes. Problematisch wird es dann, wenn Begriffe verwendet werden, die im normalen...
---------------------------------------------
http://www.cert.at/services/blog/20160121173915-1656.html
*** OpenVAS Greenbone Security Assistant Cross Site Scripting ***
---------------------------------------------
Topic: OpenVAS Greenbone Security Assistant Cross Site Scripting Risk: Low Text:Vulnerability information Date: 13th January 2016 Product: Greenbone Security Assistant ≥ 6.0.0 and < 6.0.8 Vendor:...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010133
*** Security Advisory: BIG-IP file validation vulnerability CVE-2015-8021 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/49/sol49580002.html?…
*** Security Advisory: SNTP vulnerability CVE-2015-5219 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/60/sol60352002.html?…
*** LiteSpeed Web Server Input Validation Flaw Lets Remote Users Inject HTTP Headers ***
---------------------------------------------
http://www.securitytracker.com/id/1034746
*** DFN-CERT-2016-0118: Moodle: Zwei Schwachstellen ermöglichen u.a. einen Cross-Site-Scripting-Angriff ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0118/
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 19-01-2016 18:00 − Mittwoch 20-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Survey shows many businesses aren't encrypting private employee data ***
---------------------------------------------
Many companies arent encrypting their own employees private data, according to a Sophos survey of IT decision makers in six countries.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/01/19/survey-shows-many-businesses-ar…
*** Android Malware Steals Voice-Based Two-Factor Authentication Codes (January 13 and 18, 2016) ***
---------------------------------------------
Symantec has detected malware created for Android devices that steals single-use passcodes generated to add a layer of security to online banking authentication procedures...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/5/201
*** Dridex banking malware adds a new trick ***
---------------------------------------------
Dridex, the banking malware that wont go away, has been improved upon once again.IBMs X-Force researchers have found that the latest version of Dridex uses a DNS (Domain Name System) trick to direct victims to fake banking websites.The technique, known as DNS cache poisoning, involves changing DNS settings to direct someone asking for a legitimate banking website to a fake site.DNS cache poisoning is a powerful attack. Even if a person types in the correct domain name for a bank, the fake...
---------------------------------------------
http://www.cio.com/article/3024244/dridex-banking-malware-adds-a-new-trick.…
*** /tmp, %TEMP%, ~/Desktop, T:\, ... A goldmine for pentesters!, (Wed, Jan 20th) ***
---------------------------------------------
When you are performing a penetration test, you need to learn how your target is working: What kind of technologies and tools are used, how internal usernames are generated, email addresses format, ... Grabbing for such information is called the reconnaissance phase. Once you collected enough details, you can prepare your different scenarios to attack the target.All pentesters have their personal toolbox that has been enhanced day after day. In many cases, there is no real magic: to abuse or...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20631&rss
*** Critical Patch Update: Oracle stellt 248 Sicherheitspatches bereit ***
---------------------------------------------
Die bislang größte Sicherheitsptach-Sammlung von Oracle ist da und fixt Lücken in Database, Java, MySQL und Co. Dieses Mal steht Oracles E-Business Suite im Mittelpunkt.
---------------------------------------------
http://heise.de/-3077692
*** Apple Releases Patches for iOS, OS X and Safari ***
---------------------------------------------
Apple released security updates for iOS, OS X and Safari, patching a number of kernel-level code-execution vulnerabilities.
---------------------------------------------
http://threatpost.com/apple-releases-patches-for-ios-os-x-and-safari/115946/
*** Trojan for Android preinstalled on Phillips s307 firmware ***
---------------------------------------------
January 20, 2016 The past year was marked by a big number of firmware Trojans for Android capable to covertly download and install various software and display annoying advertisements. Android.Cooee.1 incorporated into the graphical shell of some cheap Chinese smartphones was one of them. Virus makers obviously continued to preinstall Android.Cooee.1 into mobile devices. This time, however, Doctor Web security researchers detected the Trojan on firmware of a well-known electronics manufacturer.
---------------------------------------------
http://news.drweb.com/show/?i=9792&lng=en&c=9
*** Primes, parameters and moduli ***
---------------------------------------------
First a brief history of Diffie-Hellman for those not familiar with it The short version of Diffie-Hellman is that two parties (Alice and Bob) want to share a secret so they can encrypt their communications and talk securely without an...
---------------------------------------------
https://securityblog.redhat.com/2016/01/20/primes-parameters-and-moduli/
*** Serious flaw patched in Intel Driver Update Utility ***
---------------------------------------------
A software utility that helps users download the latest drivers for their Intel hardware components contained a vulnerability that could have allowed man-in-the-middle attackers to execute malicious code on computers.The tool, known as the Intel Driver Update Utility, can be downloaded from Intels support website. It provides an easy way to find the latest drivers for various Intel chipsets, graphics cards, wireless cards, desktop boards, Intel NUC mini PCs or the Intel Compute Stick.
---------------------------------------------
http://www.cio.com/article/3024345/serious-flaw-patched-in-intel-driver-upd…
*** Cisco Guide to Harden Cisco IOS Devices ***
---------------------------------------------
This document contains information to help you secure your Cisco IOS system devices, which increases the overall security of your network. Structured around the three planes into which functions of a network device can be categorized, this document provides an overview of each included feature and references to related documentation.
---------------------------------------------
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
*** Security Advisory: BIND vulnerability CVE-2015-8704 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53445000.html?…
*** Intel Driver Update Utility 2.2.0.5 Man-In-The-Middle ***
---------------------------------------------
Topic: Intel Driver Update Utility 2.2.0.5 Man-In-The-Middle Risk: Medium Text:1. Advisory Information Title: Intel Driver Update Utility MiTM Advisory ID: CORE-2016-0001 Advisory URL: http://www.cores...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010119
*** Oracle Critical Patch Update Advisory - January 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
*** Oracle Linux Bulletin - January 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867…
*** HPSBGN03534 rev.1 - HPE Performance Center using Microsoft Report Viewer, Remote Disclosure of Information, Cross-Site Scripting (XSS) ***
---------------------------------------------
A vulnerability in Microsoft Report Viewer was addressed by HPE Performance Center. This is a Cross-Site scripting (XSS) vulnerability that could allow remote information disclosure.
---------------------------------------------
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr…
*** Xen Security Advisory CVE-2016-1571 / XSA-168 ***
---------------------------------------------
VMX: intercept issue with INVLPG on non-canonical address
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-168.html
*** Xen Security Advisory CVE-2016-1570 / XSA-167 ***
---------------------------------------------
PV superpage functionality missing sanity checks
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-167.html
*** Cisco Modular Encoding Platform D9036 Software Default Credentials Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Computing System Manager and Cisco Firepower 9000 Remote Command Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** DFN-CERT-2016-0109: Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe und das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0109/
*** DFN-CERT-2016-0106: NTP: Mehrere Schwachstellen ermöglichen u.a. das Darstellen falscher Informationen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0106/
*** APPLE-SA-2016-01-19-3 Safari 9.0.3 ***
---------------------------------------------
APPLE-SA-2016-01-19-3 Safari 9.0.3Safari 9.0.3 is now available and addresses the following:WebKitAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,OS X El Capitan v10.11 to v10.11.2Impact: Visiting a maliciously crafted website may lead to arbitrarycode execution [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00004.ht…
*** APPLE-SA-2016-01-19-2 OS X El Capitan 10.11.3 and Security Update 2016-001 ***
---------------------------------------------
APPLE-SA-2016-01-19-2 OS X El Capitan 10.11.3 and Security Update2016-001OS X El Capitan 10.11.3 and Security Update 2016-001 is now availableand addresses the following:AppleGraphicsPowerManagementAvailable for: OS X El Capitan v10.11 to v10.11. [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00003.ht…
*** APPLE-SA-2016-01-19-1 iOS 9.2.1 ***
---------------------------------------------
APPLE-SA-2016-01-19-1 iOS 9.2.1iOS 9.2.1 is now available and addresses the following:Disk ImagesAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: A local user may be able to execute arbitrary code withkernel privileges [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00002.ht…
*** DSA-3449 bind9 - security update ***
---------------------------------------------
It was discovered that specific APL RR data could trigger an INSISTfailure in apl_42.c and cause the BIND DNS server to exit, leading to adenial-of-service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3449
*** Siemens OZW672 and OZW772 XSS Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a cross-site scripting vulnerability in Siemens OZW672 and OZW772 devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-019-01
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM FlashSystem model V840 (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005584
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM FlashSystem model 840 (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005585
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance (CVE-2016-0777, CVE-2016-0778) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000044
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM SAN Volume Controller and Storwize Family (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005583
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Sterling Connect:Express for UNIX (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21974473
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Sterling Connect:Direct for UNIX (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21974888
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM WebSphere MQ (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974466
---------------------------------------------
*** IBM Security Bulletin: IBM Spectrum Scale is affected by a security vulnerability (CVE-2015-7488) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005580
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2015-8027, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) ***
http://www.ibm.com/support/docview.wss?uid=swg21974459
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale (CVE-2015-4843, CVE-2015-4805, CVE-2015-4810, CVE-2015-4806, CVE-2015-4871, CVE-2015-4902) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005579
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM API Management (CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4803) ***
http://www.ibm.com/support/docview.wss?uid=swg21974673
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SD affect Guardium Data Reduction ***
http://www.ibm.com/support/docview.wss?uid=swg21973724
---------------------------------------------
*** IBM Security Bulletin:Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions (Multiple CVEs) ***
http://www.ibm.com/support/docview.wss?uid=swg21971951
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Express. ***
http://www.ibm.com/support/docview.wss?uid=swg21972376
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 18-01-2016 18:00 − Dienstag 19-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** FDA Issues Guidelines on Medical Device Cybersecurity ***
---------------------------------------------
The Food and Drug Administration (FDA) issued a new set of draft guidelines on Friday in hopes medical device manufacturers address cybersecurity risks in their products.
---------------------------------------------
http://threatpost.com/fda-issues-guidelines-on-medical-device-cybersecurity…
*** Good practice guide on disclosing vulnerabilities ***
---------------------------------------------
ENISA published a good practice guide on vulnerability disclosure, aiming to provide a picture of the challenges the security researchers, the vendors and other involved stakeholders are confronted wi...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19342
*** Microsoft asks: We've taken down botnets for you. How about a kill switch? ***
---------------------------------------------
Its like pulling a smoking car off the road... Oh, hang on Last December, Microsoft intercepted traffic on users' PCs and helped break up a botnet. And nobody complained. So the company very tentatively asked at a session on ethics and policy in Brussels this week whether it should do more.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/19/microsoft_b…
*** Security: XSS-Lücke in Yahoo-Mail gefixt ***
---------------------------------------------
Eine XSS-Lücke in Yahoo-Mail ermöglichte es Angreifern, fremde Accounts zu übernehmen. Sie hätten alle E-Mails der Nutzer weiterleiten und ausgehende E-Mails mit Viren infizieren können, schreibt ein Sicherheitsforscher. Yahoo hat bereits reagiert.
---------------------------------------------
http://www.golem.de/news/security-xss-luecke-in-yahoo-mail-gefixt-1601-1186…
*** Angler Exploit Kit's January Vacation ***
---------------------------------------------
Since last year, we've been monitoring various redirectors which lead to exploit kits (EK). One of the redirectors in question routes to either Angler EK or Neutrino EK. SANS ISC has also observed this particular redirector switching between these two kits. At the beginning of this year, we noticed a sudden significant drop in our...
---------------------------------------------
https://labsblog.f-secure.com/2016/01/19/angler-exploit-kits-january-vacati…
*** Root-Exploit: Android und Linux anfällig für Rechte-Trickserei ***
---------------------------------------------
Der Schlüsselbund des Kernels stattet mit einem Trick seit 2012 jeden Nutzer mit Root-Rechten aus. Allerdings muss der Nutzer dafür bereits angemeldet sein.
---------------------------------------------
http://heise.de/-3076663
*** MSN Home Page Drops More Malware Via Malvertising ***
---------------------------------------------
Visitors to the MSN homepage may have been exposed to malvertising.Categories: MalvertisingTags: ad spiritappnexusmalvertisingmsn(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/malvertising-2/2016/01/msn-home-page-drops-mo…
*** Cisco Web Security Appliance Security Bypass Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Moodle Bugs Let Remote Users Access Hidden Course and Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1034694
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 15-01-2016 18:00 − Montag 18-01-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco FireSIGHT Management Center Stored Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities in the web framework of Cisco FireSIGHT Management Center could allow an unauthenticated, remote attacker to execute a stored cross-site scripting (XSS) attack against a user of the Cisco FireSIGHT Management Center web interface.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Easily Exploitable Vulnerability Could Cause Physical Damage to Industrial Motors ***
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/4/307
*** Cisco FireSIGHT Management Center DOM-Based Cross-Site Scripting Vulnerability ***
---------------------------------------------
Cisco FireSIGHT Management Center (MC) contains a DOM-based cross-site scripting vulnerability (XSS) in the management page. An unauthenticated, remote attacker could persuade a user to perform a malicious action, allowing the attacker to perform a XSS attack.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletin: Vulnerabilities in GNU grep utility affect IBM Security Network Protection (CVE-2012-5667, and CVE-2015-1345) ***
---------------------------------------------
The grep utility searches through textual input for lines that contain a match to a specified pattern and then prints the matching lines. Security vulnerabilities have been discovered in grep utility used with IBM Security Network Protection.
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21972209
*** IBM Security Bulletin: IBM WebSphere Application Server Liberty Profile vulnerability affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2015-2017) ***
---------------------------------------------
WebSphere Application Server Liberty Profile that is embedded in TADDM could allow a remote attacker to has access to the customer app or a form which sends the contents in a header will be able to split the response and add headers to the response. The customer application will allow cross-site scripting, web cache poisoning, and other similar exploits.
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21974782
*** Cisco Adaptive Security Appliance Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional attacks.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** The SLOTH attack and IKE/IPsec ***
---------------------------------------------
The IKE daemons in RHEL7 (libreswan) and RHEL6 (openswan) are not vulnerable to the SLOTH attack. But the attack is still interesting to look at . The SLOTH attack released today is a new transcript collision attack against ..
---------------------------------------------
https://securityblog.redhat.com/2016/01/15/the-sloth-attack-and-ikeipsec/
*** Schwere Lücke bei Überwachungskameras von Hofer und Aldi ***
---------------------------------------------
Sicherheitsexperten warnen vor Überwachungskameras der Marke Maginon. Diese erlauben den ungeschützten Zugriff auf Bild und Ton, aber auch WLAN- und E-Mail-Passwörter.
---------------------------------------------
http://futurezone.at/produkte/schwere-luecke-bei-ueberwachungskameras-von-h…
*** LostPass ***
---------------------------------------------
I have discovered a phishing attack against LastPass that allows an attacker to steal a LastPass users email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.
---------------------------------------------
https://www.seancassidy.me/lostpass.html
*** Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 - and a new network attack ***
---------------------------------------------
Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
---------------------------------------------
http://foxglovesecurity.com/2016/01/16/hot-potato/
*** HTTP Evasions Explained - Part 10 - Lazy Browsers ***
---------------------------------------------
The previous parts of this series looked at firewalls and browsers as black boxes which just behave that way for unknown reason. For this part I took a closer look at the source code of Chromium and Firefox. This way Ive found even more ways to construct HTTP which is insanely broken but still gets accepted by the ..
---------------------------------------------
http://noxxi.de/research/http-evader-explained-10-lazy-browsers.html
*** nic.at bringt "Security-Lock" für Domains ***
---------------------------------------------
Schutz soll verhindern, dass eine Domain irrtümlich unerreichbar oder manipuliert wird
---------------------------------------------
http://derstandard.at/2000029286062
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 14-01-2016 18:00 − Freitag 15-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** NCCIC/ICS-CERT Monitor for November-December 2015 ***
---------------------------------------------
The NCCIC/ICS-CERT Monitor for November-December 2015 is a summary of ICS-CERT activities for that period of time.
---------------------------------------------
https://ics-cert.us-cert.gov/monitors/ICS-MM201512
Download: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT%20Monito…
*** Oracle Critical Patch Update - January 2016 - Pre-Release Announcement ***
---------------------------------------------
[...] This Critical Patch Update contains 248 new security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
*** Creator of MegalodonHTTP DDoS Botnet Arrested ***
---------------------------------------------
Last month, the Norway police arrested five hackers accused of running the MegalodonHTTP Remote Access Trojan (RAT). The arrests came as part of the joint operation between Norway's Kripos National Criminal Investigation Service and Europol, codenamed "OP Falling sTAR." According to the United States security firm, all the five men, aged between 16 and 24 years and located in Romania,...
---------------------------------------------
https://thehackernews.com/2016/01/MegalodonHTTP-DDoS-Botnet.html
*** Kreditkartenhack bei VISA: Unter anderem A1-Kunden betroffen ***
---------------------------------------------
Ein Drittanbieter in Island wurde angegriffen - rund 2.000 A1 Visa-Kunden erhalten neue Karte
---------------------------------------------
http://derstandard.at/2000029114201
*** Updated BlackEnergy Trojan Grows More Powerful ***
---------------------------------------------
In late December, a cyberattack caused a power outage in the Ukraine, plunging hundreds of thousands of citizens into darkness for hours. Threat researchers soon confirmed that the BlackEnergy malware package, first developed in 2007, was the culprit. They also discovered that the malware has been significantly upgraded since its first release.
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/updated-blackenergy-trojan-grows-more-…
*** Wieder sicher: Authentifizierungsprotokoll OAuth ***
---------------------------------------------
Angreifer sollen abermals Log-in-Daten von Nutzern abgreifen können, wenn diese sich mittels OAuth bei Online-Services anmelden. Die Schwachstellen wurden bereits geschlossen. Sicherheitsforscher attestieren dem Protokoll insgesamt eine hohe Sicherheit.
---------------------------------------------
http://heise.de/-3071639
*** Spamming Someone from PayPal ***
---------------------------------------------
Troy Hunt has identified a new spam vector. PayPal allows someone to send someone else a $0 invoice. The spam is in the notes field. But its a legitimate e-mail from PayPal, so it evades many of the traditional spam filters. Presumably it doesnt cost anything to send a $0 invoice via PayPal. Hopefully, the company will close this loophole...
---------------------------------------------
https://www.schneier.com/blog/archives/2016/01/spamming_someon.html
*** OS Xs Gatekeeper bypassed again ***
---------------------------------------------
Do you remember when, last October, Synack director of research Patrick Wardle found a simple way to evade OS Xs Gatekeeper defense mechanism by bundling up a legitimate Apple-signed app with a malic...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19336
*** Advantech WebAccess Vulnerabilities ***
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01
*** Manage Engine Applications Manager 12 Multiple Vulnerabilities ***
---------------------------------------------
Applications Manager suffers from multiple vulnerabilities including XSS, CSRF and Privilege Escalation.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5292.php
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 13-01-2016 18:00 − Donnerstag 14-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** SlemBunk Part II: Prolonged Attack Chain and Better-Organized Campaign ***
---------------------------------------------
Our follow-up investigation of a nasty Android banking malware we identified at the tail end of last year has not only revealed that the trojan is more persistent than we initially realized - thus making for a much more dangerous threat - but that it is also being used as part of an ongoing and evolving campaign.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/01/slembunk-part-two.html
*** Faulty ransomware renders files unrecoverable, even by the attacker ***
---------------------------------------------
A cybercriminal has built a ransomware program based on proof-of-concept code released online, but messed up the implementation, resulting in victims files being completely unrecoverable.Researchers from antivirus vendor Trend Micro recently ..
---------------------------------------------
http://www.cio.com/article/3022159/faulty-ransomware-renders-files-unrecove…
*** As easy as Citrix123 - hacker claims he popped Citrixs CMS ***
---------------------------------------------
And once he was in, it became possible to pour malware onto all customers, allegedly A Russian hacker claims he broke into systems run by Citrix, and gained access to potentially a huge number of customers.
---------------------------------------------
www.theregister.co.uk/2016/01/13/ruskie_hacker_pops_citrix/
*** Ex-NSA-Chef: Hintertüren für Verschlüsselung sind eine furchtbare Idee ***
---------------------------------------------
Michael Hayden widerspricht den Forderungen von FBI-Boss James Comey
---------------------------------------------
http://derstandard.at/2000029033330
*** RedHen CRM - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-002 ***
---------------------------------------------
The Redhen set of modules allows you to build a CRM features in a Drupal site.When rendering individual Contacts, this module does not properly filter the certain data prior to display. When rendering listing of notes or engagement scores, ..
---------------------------------------------
https://www.drupal.org/node/2649800
*** Cisco kämpft mit statischem Passwort und fixt kritische Lücken ***
---------------------------------------------
In Ciscos Identity Services Engine klafft eine als kritisch und eine als hoch eingestufte Schwachstelle. Neben der Wireless-LAN-Controller-Software sind auch noch Aironet-Basisstationen der 1800-Serie verwundbar. Sicherheitsupdates stehen bereit.
---------------------------------------------
http://heise.de/-3070756
*** Angriff der Cyber-Eichhörnchen ***
---------------------------------------------
Eichhörnchen sind eine größere Gefahr für Internet- und Stromleitungen als Hacker. Das zeigt die Webseite CyberSquirrel1 auf augenzwinkernde Art und Weise.
---------------------------------------------
http://www.golem.de/news/internet-und-stromausfaelle-angriff-der-cyber-eich…
*** OpenSSL version 1.1.0 pre release 2 published ***
---------------------------------------------
OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 2 has now been made available. For details of changes and known issues see the release ..
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2016-January/000057.html
*** Triple-Seven: OpenSSH-Schwachstelle leakt geheime Schlüssel ***
---------------------------------------------
Eine unfertige Option, die bei OpenSSH seit 2010 standardmäßig aktiviert ist, führt dazu, dass gekaperte Server die geheimen Schlüssel der sich verbindenden Nutzer auslesen können. Updates, welche die Lücke schließen, stehen bereit.
---------------------------------------------
http://heise.de/-3071372
*** Ransomware a Threat to Cloud Services, Too ***
---------------------------------------------
Ransomware -- malicious software that encrypts the victims files and holds them hostage unless and until the victim pays a ransom in Bitcoin -- has emerged as a potent and increasingly common threat online. But many Internet users are unaware that ransomware also can just as easily seize control over files stored on cloud services.
---------------------------------------------
http://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-to…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 12-01-2016 18:00 − Mittwoch 13-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security Bulletins Posted for Adobe Acrobat and Reader ***
---------------------------------------------
Security Bulletins for Adobe Acrobat and Reader (APSB16-02) have been published. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. This posting ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1311
*** There Goes The Neighborhood - Bad Actors on GMHOST Alexander Mulgin Serginovic ***
---------------------------------------------
Whether they encourage it or not, some network operators become known and favored by criminals such as those that operate exploit kit (EK) and malware infrastructure. After ..
---------------------------------------------
http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.h…
*** MS16-JAN - Microsoft Security Bulletin Summary for January 2016 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-JAN
*** Raising the Dead ***
---------------------------------------------
It's a bit late for Halloween but the ability to resurrect the dead (processes that is) is an interesting type of security issue when dealing with multi-user Windows systems such as Terminal Servers. Specifically this blog is about this issue which I reported to Microsoft and was fixed in bulletin ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/01/raising-dead.html
*** FortiOS SSH Undocumented Interactive Login Vulnerability ***
---------------------------------------------
http://www.fortiguard.com/advisory/fortios-ssh-undocumented-interactive-log…
*** Ransomware Strikes Websites ***
---------------------------------------------
Ransomware is one of the most insidious types of malware that one can come across. These infections will encrypt all files on the target computer as well as any hard drives connected to the machine - pictures, videos, text files - you ..
---------------------------------------------
https://blog.sucuri.net/2016/01/ransomware-strikes-websites.html
*** Triaging the exploitability of IE/EDGE crashes ***
---------------------------------------------
Both Internet Explorer (IE) and Edge have seen significant changes in order to help protect customers from security threats. This work has featured a number of mitigations that together have not only rendered classes of vulnerabilities not-exploitable, but also dramatically raised the cost ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2016/01/12/triaging-the-exploitabili…
*** Die smarte Türklingel verrät das WLAN-Passwort ***
---------------------------------------------
Eine Gegensprechanlage, die mit dem Smartphone zusammenarbeitet. Klingt eigentlich praktisch, doch leider weist das Gerät Sicherheitsmängel auf, wie Hacker jetzt herausfanden.
---------------------------------------------
http://www.golem.de/news/internet-of-things-die-smarte-tuerklingel-verraet-…
*** Backdoor bei Fortinet vermutet: Firma spricht von Lücke ***
---------------------------------------------
Alternative Login-Methode in Software entdeckt – Patch bereits 2014 veröffentlicht
---------------------------------------------
http://derstandard.at/2000028972976
*** A Case of Too Much Information: Ransomware Code Shared Publicly for 'Educational Purposes', Used Maliciously Anyway ***
---------------------------------------------
Researchers, whether independent or from security vendors, have a responsibility to properly disseminate the information they gathered to help the industry as well as users. Even with the best intentions, improper disclosure of sensitive information ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/a-case-of-too-mu…
*** Security: Verizon routet 4 Millionen Spammer-IPs ***
---------------------------------------------
IPv4-Adressen sind ein knappes Gut. Doch der US-Anbieter Verizon reagiere trotzdem nicht auf Missbrauchsmitteilungen, kritisiert eine Sicherheitsfirma.
---------------------------------------------
http://www.golem.de/news/security-verizon-routet-4-millionen-spammer-ips-16…
*** [HTB23279]: Multiple SQL Injection Vulnerabilities in mcart.xls Bitrix Module ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered multiple SQL Injection vulnerabilities in mcart.xls Bitrix module, which can be exploited to execute arbitrary SQL queries and obtain potentially sensitive data, modify information in database and gain complete control over the vulnerable website.
---------------------------------------------
https://www.htbridge.com/advisory/HTB23279
*** [HTB23283]: Remote Code Execution in Roundcube ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in a popular webmail client Roundcube. Vulnerability can be exploited to gain access to sensitive information and under certain circumstances to execute arbitrary code and totally compromise the vulnerable server.
---------------------------------------------
https://www.htbridge.com/advisory/HTB23283
*** Hacking Team's Leak Helped Researchers Hunt Down a Zero-Day ***
---------------------------------------------
Researchers at Kaspersky Lab have, for the first time, discovered a valuable zero-day exploit after intentionally going on the hunt for it.
---------------------------------------------
http://www.wired.com/2016/01/hacking-team-leak-helps-kaspersky-researchers-…
*** Denial-of-Service Flaw Patched in DHCP ***
---------------------------------------------
The Internet Systems Consortium (ISC) on Tuesday patched a denial-of-service vulnerability in numerous versions of DHCP.
---------------------------------------------
http://threatpost.com/denial-of-service-flaw-patched-in-dhcp/115875/
*** The SLOTH attack and IKE/IPsec ***
---------------------------------------------
Executive Summary: The IKE daemons in RHEL7 (libreswan) and RHEL6 (openswan) are not vulnerable to the SLOTH attack. But the attack is still interesting to look at . The SLOTH attack released today is a new transcript collision attack against ..
---------------------------------------------
https://securityblog.redhat.com/2016/01/13/the-sloth-attack-and-ikeipsec/
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 11-01-2016 18:00 − Dienstag 12-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised ***
---------------------------------------------
Exploit Kits (EK), arguably the most impactful malicious infrastructure on the Internet, constantly evolve to evade detection by security technology. Tremendous effort has been spent on tracking new variations of different EK families. In ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/01/angler-exploit-kit-conti…
*** Mac OS X, iOS, and Flash Had the Most Discovered Vulnerabilities in 2015 ***
---------------------------------------------
Interesting analysis: Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apples Mac OS X, with 384 vulnerabilities. The runner-up? Apples iOS, with 375 vulnerabilities. Rounding out the top five are Adobes Flash Player, with 314 vulnerabilities; Adobes AIR ..
---------------------------------------------
https://www.schneier.com/blog/archives/2016/01/mac_os_x_ios_an.html
*** DSA-3440 sudo - security update ***
---------------------------------------------
When sudo is configured to allow a user to edit files under a directory that they can already write to without using sudo, they can actuallyedit (read and write) arbitrary files. Daniel Svartman reported that aconfiguration like this might ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3440
*** Ransom32 - look at the malicious package ***
---------------------------------------------
Ransom32 is a new ransomware implemented in a very atypical style. In our post, we will focus on some implementation details of the malicious package.
---------------------------------------------
https://blog.malwarebytes.org/intelligence/2016/01/ransom32-look-at-the-mal…
*** Say 'Cyber' again - Ars cringes through CSI: Cyber ***
---------------------------------------------
CBS endangered cyber-procedural: Plane hacking! Software defined radio! White noise! OMG!
---------------------------------------------
http://arstechnica.com/the-multiverse/2016/01/say-cyber-again-ars-cringes-t…
*** McAfee Application Control - The dinosaurs want their vuln back ***
---------------------------------------------
The experts of the SEC Consult Vulnerability Lab conducted research in the field of the security of application whitelisting in critical infrastructures. In the course of that research the security of McAfee Application Control was checked.The experts developed several methods to bypass the provided protections ..
---------------------------------------------
http://blog.sec-consult.com/2016/01/mcafee-application-control-dinosaurs.ht…
*** (ISC)2 SecureAustria ***
---------------------------------------------
How can we know what we are protecting if we struggle to understand and keep up with how we and our organizations are changing? It�s time to get a grip on the far-reaching and fundamental changes that are occurring in business today.
---------------------------------------------
https://www.sba-research.org/events/isc2-secureaustria/
*** Sicherheit: Aus für alte IE-Versionen trifft jeden fünften Webnutzer ***
---------------------------------------------
Über die Jahre hat Microsoft eine Fülle unterschiedlicher Versionen des Internet Explorers veröffentlicht. Nun entledigt man sich der Support-Pflichten für einen großen Teil derselben: Ab sofort liefert Microsoft keinerlei Updates mehr für Internet Explorer 8 bis 10.
---------------------------------------------
http://derstandard.at/2000028882047
*** Cops Say They Can Access Encrypted Emails on So-Called PGP BlackBerrys ***
---------------------------------------------
Dutch investigators have confirmed to Motherboard that they are able to read encrypted messages sent on PGP BlackBerry phones�custom, security-focused BlackBerry devices that come complete with an encrypted email feature, and which reportedly may be used by organized criminal groups.
---------------------------------------------
https://motherboard.vice.com/read/cops-say-they-can-access-encrypted-emails…
*** Ongoing Sophisticated Malware Campaign Compromising ICS (Update C) ***
---------------------------------------------
This alert update is a follow-up to the updated NCCIC/ICS-CERT Alert titled ICS-ALERT-14-281-01B Ongoing Sophisticated Malware Campaign Compromising ICS that was published December 10, 2014, on the ICS-CERT web site. | ICS-CERT has identified a sophisticated malware campaign that has compromised numerous ..
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B
*** Experts warn Neutrino and RIG exploit kit activity spike ***
---------------------------------------------
Security experts at Heimdal Security are warning a spike in cyber attacks leveraging the popular Neutrino and RIG exploit kit. Cyber criminals always exploit new opportunities and users' bad habits, now crooks behind the recent campaigns relying on Neutrino and RIG exploit kits are ramping up attacks ..
---------------------------------------------
http://securityaffairs.co/wordpress/43482/cyber-crime/neutrino-rig-exploit-…
*** Group using DDoS attacks to extort business gets hit by European law enforcement ***
---------------------------------------------
On 15 and 16 December, law enforcement agencies from Austria, Bosnia and Herzegovina, Germany and the United Kingdom joined forces with Europol in the framework of an operation against the ...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19314
*** Schwere Sicherheitslücken im Passwort-Manager von Trend Micro ***
---------------------------------------------
Google-Forscher Tavis Ormandy deckt wieder einmal Schwachstellen in Anti-Viren-Software auf. Bei Trend Micro stellt er konsterniert fest: "Das Lächerlichste, was ich je gesehen habe."
---------------------------------------------
http://heise.de/-3069140
*** UPC: Standard-WLAN-Passwörter kinderleicht zu knacken ***
---------------------------------------------
Neuer Hack erlaubt Berechnung basierend auf der ESSID – UPC prüft Klage gegen Sicherheitsforscher.
---------------------------------------------
http://derstandard.at/2000028921659
*** An Easy Way for Hackers to Remotely Burn Industrial Motors ***
---------------------------------------------
Devices that control the speed of industrial motors operating water plant pumps and other equipment can be remotely hacked and destroyed.
---------------------------------------------
http://www.wired.com/2016/01/an-easy-way-for-hackers-to-remotely-burn-indus…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 08-01-2016 18:00 − Montag 11-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** GM Asks Friendly Hackers to Report Its Cars' Security Flaws ***
---------------------------------------------
The auto giant becomes the first in Detroit to extend an olive branch to car hackers.
---------------------------------------------
http://www.wired.com/2016/01/gm-asks-friendly-hackers-to-report-its-cars-se…
*** STIX - Looking at a Campaign, Part 1 ***
---------------------------------------------
Now we come to a useful application of STIX: characterizing a campaign.
---------------------------------------------
http://www.scmagazine.com/stix--looking-at-a-campaign-part-1/article/464093/
*** ZDI-16-007: McAfee Application Control Kernel Driver Memory Corruption Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of McAfee Application Control. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-007/
*** Advancing the Security of Juniper Products ***
---------------------------------------------
BOB WORRALL, SVP CHIEF INFORMATION OFFICER makes provides more detail on the ScreenOS investigation and security steps being taken with Junos and across Juniper.
---------------------------------------------
http://forums.juniper.net/t5/Security-Incident-Response/Advancing-the-Secur…
*** Virtual Bitlocker Containers, (Sat, Jan 9th) ***
---------------------------------------------
This week, I gotan interestingquestion from a customer: What do you recommend to safely store files in a directoryon my laptop?. They are plenty of ways to achievethis, the right choice depending on the encryption reliability, the ease of use and ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20593
*** MMD-0049-2016 - A case of java trojan (downloader/RCE) for remote minerd hack ***
---------------------------------------------
This is a short post for supporting the takedown purpose. Warning: Sorry, theres nothing fancy nor "in-depth analysis" in here :-) The scheme is so bad, so I think its best for all to know for mitigation and hardening purpose. In this case, a bad actor was ..
---------------------------------------------
http://blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.ht…
*** Studie: Mittelstand unterschätzt Gefahr durch Cyber-Kriminalität ***
---------------------------------------------
Die Schäden steigen, das Bewusstsein für IT-Sicherheit nicht: Laut einer Studie schützen sich Mittelständler nur unzureichend gegen IT-Angriffe. Dabei zwingt sie der Gesetzgeber längst zum Handeln.
---------------------------------------------
http://heise.de/-3067640
*** Jänner-Update: Google schließt kritische Lücken in Android ***
---------------------------------------------
Google scheint seinen Sicherheits-Update-Rhythmus gefunden zu haben – zumindest wenn es um die eigenen Geräte geht. Aktuell liefert Google das Jänner-Update für Android an die Smartphones und Tablets der Nexus-Linie aus.
---------------------------------------------
http://derstandard.at/2000028786638
*** NSA-Spionagevorwürfe: Juniper verspricht weitere Updates ***
---------------------------------------------
Vom US-Geheimdienst eingebrachter Zufallszahlengenerator wird aus Netzwerk-Betriebssystem entfernt
---------------------------------------------
http://derstandard.at/2000028789875
*** A Look Inside Cybercriminal Call Centers ***
---------------------------------------------
Crooks who make a living via identity theft schemes, dating scams and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they dont speak fluently. Enter the ..
---------------------------------------------
http://krebsonsecurity.com/2016/01/a-look-inside-cybercriminal-call-centers/
*** Android: Schadsoftware aus Play Store hunderttausendfach installiert ***
---------------------------------------------
Geht es um Android-Malware fällt der Ratschlag für die Nutzer meist recht simpel aus: Wer auf die Installation von Apps aus unsicheren Quellen verzichtet, ist üblicherweise auch nicht gefährdet. Doch in einem aktuellen Fall ist es Angreifern nun gelungen, die Sicherheitschecks des Play Store auszutricksen.
---------------------------------------------
http://derstandard.at/2000028774967
*** Hackerangriff auf Rechenzentrumsbetreiber Interxion ***
---------------------------------------------
Im Dezember kam es zu einem Einbruch auf das eigene CRM-System
---------------------------------------------
http://derstandard.at/2000028816801
*** Klickbetrug: Unter dem Deckmantel der Cookie-Warnung ***
---------------------------------------------
Online-Gauner verstecken sich im wahrsten Sinne des Wortes hinter Cookie-Warnungen und sammeln so Klicks auf Werbeanzeigen ein.
---------------------------------------------
http://heise.de/-3067995
*** OAuth2 & OpenID - HTTPS Bicycle Attack ***
---------------------------------------------
The OAuth 2.0 protocol allows users to grant relying parties access to resources at identity providers. In addition to being used for this kind of authorization, OAuth is also often employed for authentication in single sign-on (SSO) systems. OAuth 2.0 is, in fact, one of the most widely used ..
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010064
*** PHP-Updates über alle Versionen beheben einige Sicherheitsprobleme ***
---------------------------------------------
Die Macher der Skriptsprache empfehlen den Nutzern von PHP 7.0, 5.5 und 5.6 die Installation der aktuellen Security-Releases. Gleichzeitig gibt ein Blick auf GitHub und das PHP-Wiki eine Vorschau auf kommende Funktionen in PHP 7.1.
---------------------------------------------
http://heise.de/-3068170
*** DSA-3438 xscreensaver - security update ***
---------------------------------------------
It was discovered that unplugging one of the monitors in a multi-monitorsetup can cause xscreensaver to crash. Someone with physical access toa machine could use this problem to bypass a locked session.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3438
*** Unverschlüsselte CMS-Updates: Drupal gelobt Besserung ***
---------------------------------------------
Das Update-Verfahren des beliebten Content Management Systems Drupal liefert Aktualisierungen unverschlüsselt aus. Ein Problem, das seit Jahren bekannt ist und von Angreifern missbraucht werden kann, um Seiten zu kapern.
---------------------------------------------
http://heise.de/-3068105
*** About CVE-2015-8518: SAP Adaptive Server Enterprise Extended Stored Procedure Unauthorized Invocation ***
---------------------------------------------
SAP released an update for SAP ASE 16.0 and 15.7 that addresses a serious security flaw discovered by Martin Rakhmanov, lead security researcher at Trustwave, that has been around for a long time. Suppose there is a user joe in...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/About-CVE-2015-8518--SAP-Ada…
*** How Nvidia breaks Chrome Incognito ***
---------------------------------------------
When I launched Diablo III, I didn't expect the pornography I had been looking at hours previously to be splashed on the screen. But that's exactly what replaced the black loading screen. Like a scene from hollywood, the game temporarily froze as it launched, preventing any attempt to clear the screen. The game unfroze just before clearing the screen, and I was able to grab a screenshot (censored with bright red):
---------------------------------------------
https://charliehorse55.wordpress.com/2016/01/09/how-nvidia-breaks-chrome-in…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 07-01-2016 18:00 − Freitag 08-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-02) ***
---------------------------------------------
A prenotification Security Advisory (APSB16-02) has been posted regarding upcoming updates for Adobe Acrobat and Reader scheduled for Tuesday, January 12, 2016. We will continue to provide updates on the upcoming release via the Security Advisory as well as the...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1308
*** Android-powered smart TVs targeted by malicious apps ***
---------------------------------------------
Smart TVs running older versions of Android are being targeted by several websites offering apps containing malware, according to Trend Micro.The security vendor wrote on Thursday that it found a handful of app websites targeting people in the U.S. and Canada by offering the malicious apps.The apps are exploiting a flaw in Android that dates to 2014, showing that many smart TVs do not have the latest patches."Most smart TVs today use older versions of Android, which still contain this...
---------------------------------------------
http://www.cio.com/article/3020357/android-powered-smart-tvs-targeted-by-ma…
*** Good news, OAuth is almost secure ***
---------------------------------------------
Boffins turn up a couple of protocol vulns in Facebooks login stanard German boffins believe there are protocol flaws in Facebooks ubiquitous OAuth protocol that render it vulnerable to attack.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/08/good_news_o…
*** Anschlussmissbrauch durch schwerwiegende Lücke bei o2 ***
---------------------------------------------
Seit über einem Jahr versucht o2 eine Schwachstelle im DSL-Netz zu schließen, durch die man fremde VoIP-Anschlüsse kapern kann. Bisher ist das nur zum Teil gelungen.
---------------------------------------------
http://heise.de/-3066225
*** Checkpoint chaps hack whacks air-gaps flat ***
---------------------------------------------
Bought a shiny IP KVM? Uh-oh 32c3 Checkpoint malware men Yaniv Balmas and Lior Oppenheim have developed an air gap-hopping malware system that can quietly infect, plunder, and maintain persistence on networked and physically separated computers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/08/checkpoint_…
*** Streaming-Dongle EZCast öffnet Hintertür ins Heimnetzwerk ***
---------------------------------------------
Sicherheitsforscher haben Schwachstellen im HDMI-Dongle EZCast entdeckt. Über die können sich Angreifer Zugang zum Heimnetzwerk des Anwenders verschaffen - unabhängig davon, wie gut das Netz sonst geschützt ist.
---------------------------------------------
http://heise.de/-3066210
*** Sicherheitspatches: VMware unterbindet Rechteausweitung ***
---------------------------------------------
VMware dichtet seine Anwendungen ESXi, Fusion, Player und Workstation ab. Die abgesicherten Versionen stehen für Linux, OS X und Windows bereit. Von der Lücke scheint aber nur Windows bedroht zu sein.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Sicherheitspatches-VMware-unterbinde…
*** Blocking Shodan isnt some sort of magical fix that will protect your data ***
---------------------------------------------
Earlier this week, a threat alert from Check Point singled out Shodan as a risk to enterprise operations. The advisory warns Check Point customers about the service, highlighting some of the instances where sensitive data was exposed to the public because Shodan indexed it. When asked about the advisory [archive], Ron Davidson, Head of Threat Intelligence and Research at Check Point, said the company was seeing an increase in the variety and frequency of suspect scans, "including scanners...
---------------------------------------------
http://www.csoonline.com/article/3020108/techology-business/blocking-shodan…
*** Apple beseitigt gravierende QuickTime-Sicherheitslücken für Windows ***
---------------------------------------------
Angreifer können mit Hilfe einer manipulierten Videodatei Schadcode einschleusen, erklärt Apple. Das Update beseitigt die Schwachstellen in Windows 7 und Vista.
---------------------------------------------
http://heise.de/-3067145
*** Cracking Damn Insecure and Vulnerable App (DIVA) - Part 2: ***
---------------------------------------------
In the previous article, we have seen the solutions for the first two challenges. In this article we will discuss the insecure data storage vulnerabilities in DIVA.
---------------------------------------------
http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable…
*** rt-sa-2015-005 ***
---------------------------------------------
o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2015-005.txt
*** VMSA-2016-0001 ***
---------------------------------------------
VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0001.html
*** PHP Bugs May Let Remote Users Obtain Potentially Sensitive Information, Gain Elevated Privileges, or Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1034608
*** APPLE-SA-2016-01-07-1 QuickTime 7.7.9 ***
---------------------------------------------
APPLE-SA-2016-01-07-1 QuickTime 7.7.9[Re-sending with a valid signature]QuickTime 7.7.9 is now available and addresses the following:QuickTimeAvailable for: Windows 7 and Windows VistaImpact: Viewing a maliciously crafted movie file may lead to an [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00001.ht…
*** DFN-CERT-2016-0001: Mozilla Firefox, Network Security Services, OpenSSL, GnuTLS: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0001/
*** USN-2865-1: GnuTLS vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-2865-18th January, 2016gnutls26, gnutls28 vulnerabilityA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryGnuTLS could be made to expose sensitive information over the network.Software description gnutls26 - GNU TLS library gnutls28 - GNU TLS library DetailsKarthikeyan Bhargavan and Gaetan Leurent discovered that GnuTLS incorrectlyallowed MD5 to be used for TLS 1.2 connections. If a remote...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2865-1/
*** Bugtraq: [security bulletin] HPSBUX03435 SSRT102977 rev.1 - HP-UX Web Server Suite running Apache, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537254
*** Security Advisory: Privilege escalation vulnerability CVE-2015-7393 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/75/sol75136237.html?…
*** Security Advisory: BIG-IP AOM password sync vulnerability CVE-2015-8611 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05272632.html?…
*** Security Advisory: F5 Path MTU Discovery vulnerability CVE-2015-7759 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/22/sol22843911.html?…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 05-01-2016 18:00 − Donnerstag 07-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Ab Dienstag: Aus für Internet Explorer 8, 9 und 10 ***
---------------------------------------------
Microsoft stellt ab dem 12. Jänner den Support für die veralteten Internet-Explorer-Versionen 8,9 und 10 ein. Diese erhalten künftig keine Updates mehr.
---------------------------------------------
http://futurezone.at/produkte/ab-dienstag-aus-fuer-internet-explorer-8-9-un…https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
*** Site Updates: ISC/DShield API and ipinfo_ascii.html Page, (Wed, Jan 6th) ***
---------------------------------------------
We are planning a couple of updates to the ways data can be retrieved automatically from this site. The main reason for this is to make it easier for us to maintain and support some of these features. The main idea will be that we focus automatic data retrieval to our API (isc.sans.edu/api or dshield.org/api). It should be the only place that is used to have scripts retrieve data. In the past, we had a couple of other pages that supported automatic data retrieval. For example, ipinfo_ascii.html...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20577&rss
*** How long is your password? HTTPS Bicycle attack reveals that and more ***
---------------------------------------------
Get your 2FA on, slackers A new attack on supposedly secure communication streams raises questions over the resilience of passwords, security researchers warn.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/06/https_bicyc…
*** Mozilla warns Firefox fans its SHA-1 ban could bork their security ***
---------------------------------------------
Protection mechanism screws other protection mechanisms. What a tangled web we weave Mozilla has warned Firefox users they may be cut off from more of the web than expected - now that the browser rejects new HTTPS certificates that use the weak SHA-1 algorithm.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/07/mozilla_war…https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-…
*** MD5/SHA1: Sloth-Angriffe nutzen alte Hash-Algorithmen aus ***
---------------------------------------------
Neue Angriffe gegen TLS: Krypto-Forscher präsentieren mit Sloth mehrere Schwächen in TLS-Implementierungen und im Protokoll selbst. Am kritischsten ist ein Angriff auf Client-Authentifizierungen mit RSA und MD5.
---------------------------------------------
http://www.golem.de/news/md5-sha1-sloth-angriffe-nutzen-alte-hash-algorithm…
*** Encrypted Blackphone Patches Serious Modem Flaw ***
---------------------------------------------
msm1267 writes: Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the devices modem and perform any number of actions. Researchers at SentinelOne discovered an open socket on the Blackphone that an attacker could abuse to intercept calls, set call forwarding, read SMS messages, mute the phone and more. Blackphone is marketed toward privacy-conscious users; it includes...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/ocmLGjQf8XY/encrypted-black…
*** OS-X-Security-and-Privacy-Guide ***
---------------------------------------------
This is a collection of thoughts on securing a modern Apple Mac computer using OS X 10.11 "El Capitan", as well as steps to improving online privacy. This guide is targeted to "power users" who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.
---------------------------------------------
https://github.com/drduh/OS-X-Security-and-Privacy-Guide
*** Drupal - Insecure Update Process ***
---------------------------------------------
Just a few days after installing Drupal v7.39, I noticed there was a security update available: Drupal v7.41. This new version fixes an open redirect in the Drupal core. In spite of my Drupal update process checking for updates, according to my local instance, everything was up to date: Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.
---------------------------------------------
http://blog.ioactive.com/2016/01/drupal-insecure-update-process.html
*** Jetzt Update installieren: WordPress behebt XSS-Lücke ***
---------------------------------------------
Über eine Cross-Site-Scripting-Schwachstelle können Angreifer WordPress-Installationen kompromittieren. Betroffen sind alle Versionen bis einschließlich WordPress 4.4.
---------------------------------------------
http://heise.de/-3065193https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance…
*** AVM-Router: Fritzbox-Lücke erlaubt Telefonate auf fremde Kosten ***
---------------------------------------------
Durch eine kritische Lücke in den Fritzboxen können Angreifer etwa Telefonate auf fremde Rechnung führen und Code als Root ausführen. Die Lücke hat AVM bereits geschlossen, die Details wurden jedoch bis heute unter Verschluss gehalten.
---------------------------------------------
http://heise.de/-3065588
*** A new, open source tool proves: Even after patching, deserializing will still kill you ***
---------------------------------------------
Whats the problem here? ... When deserializing most objects, the code calls ObjectInputStream#resolveClass() as part of the process. This method is where all the patches and hardening against recent exploits take place. Because that method is never involved in deserializing Strings, anyone can use this to attack an application thats "fully patched" against the recent spate of attacks.
---------------------------------------------
https://www.contrastsecurity.com/security-influencers/java-deserializing-op…
*** rt-sa-2015-001 ***
---------------------------------------------
AVM FRITZ!Box: Remote Code Execution via Buffer Overflow
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2015-001.txt
*** rt-sa-2014-014 ***
---------------------------------------------
AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2014-014.txt
*** Bugtraq: [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499) ***
---------------------------------------------
[SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499)
---------------------------------------------
http://www.securityfocus.com/archive/1/537244
*** DFN-CERT-2016-0023: Node.js-WS: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0023/
*** DFN-CERT-2016-0028: Shotwell: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0028/
*** DFN-CERT-2016-0004: Mozilla Thunderbird, Debian Icedove: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
Version 3 (2016-01-05 17:52) | Debian stellt für die Distributionen Wheezy (old stable), Jessie (stable) und Stretch (testing) Sicherheitsupdates auf die Icedove Version 38.5.0 bereit. Die Schwachstellen CVE-2015-7210 und CVE-2015-7222 werden von diesen nicht adressiert.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/
*** Security Advisory: QEMU vulnerability CVE-2012-3515 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/13/sol13405416.html?…
*** Security Advisory: Out-of-bounds memory vulnerability with the BIG-IP APM system CVE-2015-8098 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43552605.html?…
*** DSA-3435 git - security update ***
---------------------------------------------
Blake Burkhart discovered that the Git git-remote-ext helper incorrectlyhandled recursive clones of git repositories. A remote attacker couldpossibly use this issue to execute arbitary code by injecting commandsvia crafted URLs.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3435
*** Advantech EKI Vulnerabilities (Update B) ***
---------------------------------------------
This updated advisory is a follow-up to the updated advisory titled ICSA-15-344-01A Advantech EKI Vulnerabilities that was published December 15, 2015, on the NCCIC/ICS-CERT web site. This advisory provides information regarding several vulnerabilities in Advantech's EKI devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-344-01
*** D-Link DCS-931L Arbitrary File Upload ***
---------------------------------------------
Topic: D-Link DCS-931L Arbitrary File Upload Risk: High Text:## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-f...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010028
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 04-01-2016 18:00 − Dienstag 05-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** ProxieBack sneakily uses the victims server to bypass its own security ***
---------------------------------------------
Palo Alto Networks has come across a new family of proxy-creating malware, called ProxyBack, that the company believes has been in the wild since 2014 and may have more than 20 versions now running.
---------------------------------------------
http://www.scmagazine.com/proxieback-sneakily-uses-the-victims-server-to-by…
*** Hocus-pocus! The stupidity of cybersecurity predictions ***
---------------------------------------------
Every year, some publication asks me to come up with a list of my top 10 predictions for the security field, and every year I tell them they might as well just dust off an article I wrote a year earlier, with maybe a couple of buzzwords and a new technology added on. What you can generally expect in any given year is more of the same, with some slight variations.That doesn't stop people from making predictions, though. Vendors and supposed experts can't seem to control the urge, but...
---------------------------------------------
http://www.cio.com/article/3019071/security/hocus-pocus-the-stupidity-of-cy…
*** Matthew Garrett: Apple-Rechner eignen sich nicht für vertrauliche Arbeiten ***
---------------------------------------------
Zwar kann mit UEFI Secure Boot und TPMs der Startprozess von Windows- und Linux-Rechnern einigermaßen abgesichert werden - dies ließe sich aber verbessern, sagt Security-Experte Matthew Garrett. Katastrophal sei die Lage dagegen bei Apple.
---------------------------------------------
http://www.golem.de/news/matthew-garrett-apple-rechner-eignen-sich-nicht-fu…
*** Comcast Home Security System Vulnerable to Attack ***
---------------------------------------------
Comcast's Xfinity Home Security System is vulnerable to attacks that interfere with its ability to detect and alert to home intrusions.
---------------------------------------------
http://threatpost.com/comcast-home-security-system-vulnerable-to-attack/115…
*** Using IDAPython to Make Your Life Easier: Part 3 ***
---------------------------------------------
In the first two posts of this series (Part 1 and Part 2), we discussed using IDAPython to make your life as a reverse engineer easier. Now let's look at conditional breakpoints. While debugging in...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/01/using-idapython-to-make-…
*** HTML5 Security Cheat Sheet ***
---------------------------------------------
This OWASP cheat sheet serves as a guide for implementing HTML5 in a secure fashion. Contents include:Communication APIsStorage APIsGeolocationWeb WorkersSandboxed FramesOffline ApplicationsAnd...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19279
*** Nexus Security Bulletin - January 2016 ***
---------------------------------------------
We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. [...] The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.
---------------------------------------------
https://source.android.com/security/bulletin/2016-01-01.html
*** DSA-3432 icedove - security update ***
---------------------------------------------
Multiple security issues have been found in Icedove, Debians version ofthe Mozilla Thunderbird mail client: Multiple memory safety errors,integer overflows, buffer overflows and other implementation errors maylead to the execution of arbitrary code or denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3432
*** Puppet Enterprise Configuration Error Lets Remote Non-Whitelisted Users Access the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034550
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Jabber STARTTLS Downgrade Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS XR Software OSPF Link State Advertisement PCE Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Infrastructure Frame Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Communications Manager SQL Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulleins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Rational Tau (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=swg21973108
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Kenexa LCMS Premier on Cloud (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972649
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSource Dojo ToolKit affects IBM InfoSphere Master Data Management ( CVE-2015-5654) ***
http://www.ibm.com/support/docview.wss?uid=swg21972787
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Partner Gateway Advanced/Enterprise editions(CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973241
---------------------------------------------
*** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2015-7456) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005574
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM TRIRIGA Application Platform (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972369
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business ***
http://www.ibm.com/support/docview.wss?uid=swg21973135
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2015-5006, CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21972446
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affects IBM Rational Application Developer for WebSphere Software (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973785
---------------------------------------------
*** IBM Security Bulletin: IBM Tealeaf Customer Experience allows unauthorized access to system files (CVE-2015-4988) ***
http://www.ibm.com/support/docview.wss?uid=swg21968868
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affects IBM Rational Application Developer for WebSphere Software (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21972455
---------------------------------------------
*** IBM Security Bulletin:Vulnerability in OpenSSL affects IBM PureApplication System. (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21974116
---------------------------------------------
*** IBM Security Bulletin: IBM Tealeaf Customer Experience PCA Web UI PHP security issues ***
http://www.ibm.com/support/docview.wss?uid=swg21972384
---------------------------------------------
Next End-of-Shift report on 2016-01-07
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 31-12-2015 18:00 − Montag 04-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Identische SSH-Schlüssel auf Hetzner-Servern ***
---------------------------------------------
Aufgrund identischer SSH-Schlüssel können Angreifer verschlüsselte Verbindungen von Servern von Hetzner belauschen.
---------------------------------------------
http://heise.de/-3057777
*** Difficult to block JavaScript-based ransomware can hit all operating systems ***
---------------------------------------------
A new type of ransomware that still goes undetected by the great majority of AV solutions has been spotted and analyzed by Emsisoft researchers (via Google Translate). Ransom32 is delivered on the ...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3184http://blog.emsisoft.com/de/2016/01/01/meet-ransom32-the-first-javascript-r…
*** Apple had more CVEs than any single MS product in 2015, but it doesnt really matter ***
---------------------------------------------
Meaningless league table sparks silly schadenfreude A count of the number of CVEs issues on different platforms in 2015 has concluded that Apple was the most-advisoried operating system of the year, leading to gloating headlines that OS X is the "most vulnerable" of the lot.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/apple_had_m…
*** Cisco Jabbers in the clear due to STARTTLS bug ***
---------------------------------------------
Sysadmins get a belated Christmas present Twas the night before Christmas, when sysadmins probably werent watching their advisory feeds, that Cisco announced a vulnerability in its Jabber for Windows.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/cisco_jabbe…
*** BlackEnergy cyberespionage group adds disk wiper and SSH backdoor to its arsenal ***
---------------------------------------------
A cyberespionage group focused on companies and organizations in the energy sector has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server.The group is known in the security community as Sandworm or BlackEnergy, after its primary malware tool, and has been active for several years. It has primarily targeted companies that operate industrial control systems, especially in the energy sector, but has also gone after high-level government organizations,...
---------------------------------------------
http://www.cio.com/article/3018790/blackenergy-cyberespionage-group-adds-di…
*** The current state of boot security ***
---------------------------------------------
I gave a presentation at 32C3 this week. One of the things I said was "If any of you are doing seriously confidential work on Apple laptops, stop. For the love of god, please stop." I didnt really have time to go into the details of that at the time, but right now Im sitting on a plane with a ridiculous sinus headache and the pseudoephedrine hasnt kicked in yet so here we go.The basic premise of my presentation was that its very difficult to determine whether your system is in a...
---------------------------------------------
http://mjg59.dreamwidth.org/39339.html
*** A Tip For The Analysis Of MIME Files, (Sat, Jan 2nd) ***
---------------------------------------------
Ive written a diary entry about malicious MS Office documents stored as MIME files. A few days ago a reader contacted me for a problem he had analyzing such a maldoc MIME file. When he used emldump to analyze his sample (f67aa5a3ede3d31c5a68494c0678e2ee), it was not a multipart: $ ./emldump.py f67aa5a3ede3d31c5a68494c0678e2ee.vir 1: boundary=----=_NextPart_Jm9Ovypy.uUh6MCk charset=us-ascii $ You can make emldump skip this first line with option -H: $ ./emldump.py -H...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20561&rss
*** More Internet of Things irony: a security alarm with alarming security ***
---------------------------------------------
Imagine that a crook could change the text ALARM STATUS RED in your intruder alarm alerts to say ALARM STATUS GREEN...
---------------------------------------------
https://nakedsecurity.sophos.com/2016/01/03/more-internet-of-things-irony-a…
*** DFN-CERT-2016-0001: Mozilla Firefox, Network Security Services: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
Bitte beachten Sie: Zur Behebung der hier genannten Schwachstelle hat Mozilla am 28. Dezember 2015 das Security Advisory MFSA2015-150 veröffentlicht, dieses aber kurze Zeit später, ohne Angaben von Gründen, wieder zurückgezogen. Zeitgleich wurde die Firefox Version 43.0.3 bereitgestellt. Ob die hier genannte Schwachstelle in der Version also tatsächlich behoben ist, ist unklar. In den Release Notes zur Firefox Version 43.0.3 wird die Schwachstelle nicht genannt.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0001/
*** Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1034541
*** DFN-CERT-2016-0004: Mozilla Thunderbird: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/
*** Bugtraq: OSS-2016-03: Insufficient Integrity Protection in Winkhaus Bluesmart locking systems using Hitag S ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537223
*** Bugtraq: OSS-2016-02: Weak authentication in NXP Hitag S transponder allows an attacker to read, write and clone any tag ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537224
*** Bugtraq: Confluence Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537232
*** DSA-3433 samba - security update ***
---------------------------------------------
Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,print, and login server for Unix. The Common Vulnerabilities andExposures project identifies the following issues:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3433
*** PCRE Heap Overflow in pcre_compile2() in Processing Certain Regex Patterns May Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1034555
*** #2015-012 Ganeti multiple issues ***
---------------------------------------------
Ganeti, an open source virtualization manager, suffers from multiple issues in its RESTful control interface (RAPI).
---------------------------------------------
http://www.ocert.org/advisories/ocert-2015-012.html
=======================
= End-of-Shift Report =
=======================
Timeframe: Dienstag 29-12-2015 18:00 − Mittwoch 30-12-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft may have your encryption key; here's how to take it back ***
---------------------------------------------
It doesnt require you to buy a new copy of Windows.
---------------------------------------------
http://arstechnica.com/information-technology/2015/12/microsoft-may-have-yo…
*** Actor using Rig EK to deliver Qbot - update, (Wed, Dec 30th) ***
---------------------------------------------
Introduction This diary is a follow-up to my previous diary on the actor using Rig exploit kit (EK) to deliver Qbot [1]. For this diary, Ive infected more Windows hosts from other compromised websites, so we have additional data on this actor. As previously noted, this actor has been delivering Qbot (also known as Qakbot) malware. The actor uses a gate to route traffic from the compromised website to the EK landing page. In this case, the gate returns a variable that is translated to a URL for...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20551&rss
*** The Truth is in Your Logs! ***
---------------------------------------------
[The post The Truth is in Your Logs! has been first published on /dev/random]Keeping an eye on logs is boring... but mandatory! Hopefully, sometimes it can reveal funny stuffs! It looks like people at the CCC are having some fun too while their annual conference is ongoing... Here is what I got in my Apache logs this morning: 151.217.177.200 - - [30/Dec/2015:06:51:22 +0100] "DELETE your logs. \ Delete your installations. Wipe everything clean. Walk out into the...
---------------------------------------------
https://blog.rootshell.be/2015/12/30/the-truth-is-in-your-logs/
*** Killed by Proxy: Analyzing Client-end TLS Interception Software ***
---------------------------------------------
Topic: Killed by Proxy: Analyzing Client-end TLS Interception Software Risk: Medium Text:Abstract—To filter SSL/TLS-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120310
*** 32C3: Automatisierte Sicherheitstests für das Internet der Dinge ***
---------------------------------------------
Ein französisch-deutsches Forscherteam hat eine Emulationsumgebung entwickelt, mit der sich dynamische Penetrationstests von Firmware vernetzter Elektronikgeräte maschinell durchführen lassen. Erste Ergebnisse sprechen für sich.
---------------------------------------------
http://heise.de/-3056880
*** Cloud Computing: Attacks Vectors and Counter Measures ***
---------------------------------------------
I can bet that some of you might have missed the news about Star Wars, but there will be hardly any who do not know what Cloud computing is, as this has been the buzz for last several years. In this article, we will learn about various types of attacks that are possible in a...
---------------------------------------------
http://resources.infosecinstitute.com/cloud-computing-attacks-vectors-and-c…
*** Chrome: Google-Entwickler zerpflückt Antiviren-Addon ***
---------------------------------------------
Eine Chrome-Erweiterung des Antiviren-Herstellers AVG habe so viele Sicherheitslücken gehabt, dass es auch Malware hätte sein können, schreibt ein Google-Entwickler. Die Fehler sind zwar behoben, das Addon könnte aber trotzdem aus dem Chrome-Store verbannt werden.
---------------------------------------------
http://www.golem.de/news/chrome-google-entwickler-zerpflueckt-antiviren-add…
*** Misconfigured databases, a growing threat ***
---------------------------------------------
It has become commonplace to find misconfigured databases exposed to the public Internet. Last summer alone - 1,175 terabytes (approximately 1.1 petabytes) of data was left wide open for the amusement of inquiring minds and malicious hackers alike - ranging from SMBs to Fortune 500 companies.
---------------------------------------------
http://darkmatters.norsecorp.com/2015/12/29/misconfigured-databases-a-growi…
*** Mobile malware review for 2015 ***
---------------------------------------------
December 30, 2015 The last year proved to be another challenging period for the smartphones and tablets owners. Cybercriminals continued to target users of Android devices - thus, the majority of "mobile" threats and unwanted software discovered in 2015 were intended for this platform. In particular, banking Trojans, Android ransomware, advertising modules, and SMS Trojans expanded their activity. Besides, this year witnessed a growing number of malware pre-installed into...
---------------------------------------------
http://news.drweb.com/show/?i=9779&lng=en&c=9
*** Using IDAPython to Make Your Life Easier: Part 1 ***
---------------------------------------------
As a malware reverse engineer, I often find myself using IDA Pro in my day-to-day activities. It should come as no surprise, seeing as IDA Pro is the industry standard (although alternatives such as radare2...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/12/using-idapython-to-make-…
*** The weird and wacky of 2015: strange security and privacy stories ***
---------------------------------------------
These wacky stories remind us how important cybersecurity and online privacy have become in all areas of our lives.
---------------------------------------------
https://nakedsecurity.sophos.com/2015/12/29/the-weird-and-wacky-of-2015-str…
*** Steam blows as games websites security collapse ***
---------------------------------------------
Christmas hiccup on gaming platform exposed user information to others
---------------------------------------------
http://www.scmagazine.com/steam-blows-as-games-websites-security-collapse/a…
*** 2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge - Version: 52.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/2755801
*** PHP Class Name Format String Flaw Lets Remote Users Execute Arbitrary C ode ***
---------------------------------------------
http://www.securitytracker.com/id/1034543
*** Security Advisory: Apache HTTPD vulnerability CVE-2010-2791 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23332326.html?…
*** Security Advisory: Apache vulnerability CVE-2011-3639 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/20/sol20979231.html?…
*** AVG Anti-Virus Flaws in Web TuneUp Chrome Extension Lets Remote Users Obtain Potentially Sensitive Information on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034547
Next End-of-Shift Report on 2016-01-04.
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 28-12-2015 18:00 − Dienstag 29-12-2015 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** Security Updates Available for Adobe Flash Player (APSB16-01) ***
---------------------------------------------
A security bulletin (APSB16-01) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1305
*** Quick Tips to Protect Your New (and old) Apple Devices ***
---------------------------------------------
Apple has projected yet another record holiday for sales, but this should come as no surprise to fellow "Macheads". I myself, am a huge fan of Apple and have been for a quite...read moreThe post Quick Tips to Protect Your New (and old) Apple Devices appeared first on Webroot Threat Blog.
---------------------------------------------
http://www.webroot.com/blog/2015/12/28/18251/
*** 2016 Reality: Lazy Authentication Still the Norm ***
---------------------------------------------
My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang that recruits for the terrorist group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations -- including many financial institutions -- remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.
---------------------------------------------
http://krebsonsecurity.com/2015/12/2016-reality-lazy-authentication-still-t…
*** An Overview of the Upcoming libModSecurity ***
---------------------------------------------
libModSecurity is a major rewrite of ModSecurity. It preserves the rich syntax and feature set of ModSecurity while delivering improved performance, stability, and a new experience in easy integration on different. libModSecurity - Motivations While ModSecurity version 2.9.0 is available...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/An-Overview-of-the-Upcoming-…
*** Forscher: Herzschrittmacher für Hackerangriffe und Softwarefehler anfällig ***
---------------------------------------------
Forscherin und Patientin Marie Moe sprach auf dem Hackerkongress 32C3 über das Thema
---------------------------------------------
http://derstandard.at/2000028215506
*** Lets Encrypt: Ein kostenfreies Zertifikat, alle zwei Sekunden ***
---------------------------------------------
Der Start der neuen Certificate Authority Lets Encrypt hat offenbar recht gut funktioniert. Nach nur rund einem Monat im Betabetrieb ist das Projekt schon die fünftgrößte CA der Welt. Doch es gibt noch einige Aufgaben zu bewältigen.
---------------------------------------------
http://www.golem.de/news/let-s-encrypt-ein-kostenfreies-zertifikat-alle-zwe…
*** 32C3: pushTAN-App der Sparkasse nach wie vor angreifbar ***
---------------------------------------------
Zwischen Erlanger Sicherheitsforschern und dem Sparkassenverband hat sich ein Katz-und-Maus-Spiel um die Online-Banking-App "pushTAN" entwickelt. Die jüngste Version ließe sich weiter recht einfach angreifen, sagen Experten.
---------------------------------------------
http://heise.de/-3056667
*** 32C3: Verschlüsselung gängiger RFID-Schließanlagen geknackt ***
---------------------------------------------
RFID-Transponderkarten, die für die elektronische Zutrittskontrolle genutzt werden, lassen sich Sicherheitsexperten zufolge oft "trivial einfach" klonen.
---------------------------------------------
http://heise.de/-3056646
*** Geldautomaten-Skimming auf dem Rückzug ***
---------------------------------------------
Die Milliardeninvestitionen von Banken und Handel in mehr Sicherheit zeigen Wirkung: Datendiebe kommen am Geldautomat in Deutschland immer seltener zum Zug. Doch noch finden die Kriminellen Löcher im System.
---------------------------------------------
http://heise.de/-3056638
*** Microsoft Has Your Encryption Key If You Use Windows 10 ***
---------------------------------------------
An anonymous reader writes with this bit of news from the Intercept. If you login to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to a Microsoft servers. From the article: "The fact that new Windows devices require users to backup their recovery key on Microsofts servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/YfNKeGMMq1o/microsoft-has-y…
*** Voice over LTE: Angriffe auf mobile IP-Telefonie vorgestellt ***
---------------------------------------------
Talks, die Albträume über mobile Kommunikation auslösen, haben beim CCC Tradition. Dieses Mal haben zwei koreanische Studenten Angriffe auf Voice over LTE vorgeführt. In Deutschland soll das angeblich nicht möglich sein.
---------------------------------------------
http://www.golem.de/news/voice-over-lte-mobile-ip-telefonie-kann-abgehoert-…
*** Fixing JavaScripts Broken Random Number Generator ***
---------------------------------------------
szczys writes: It is surprising to learn how broken the JavaScript Random Number Generator has been for the past six years. The problem is compounded by the fact that Node.js uses the same broken Math.random() module. Learning about why this is broken is interesting, but perhaps even more interesting is how the bad code got there in the first place. It seems that a forum thread from way back in 1999 shared two versions of the code. If you read to the end of the thread you got the working
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GG87DY0k6I4/fixing-javascri…
*** DFN-CERT-2015-2002: Roundcubemail: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-2002/
*** libtiff bmp file Heap Overflow ***
---------------------------------------------
Topic: libtiff bmp file Heap Overflow Risk: High Text:Details = Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Heap Overflow Security Risk: High Vendor U...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120304
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 23-12-2015 18:00 − Montag 28-12-2015 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** Malware-Driven Card Breach at Hyatt Hotels ***
---------------------------------------------
Hyatt Hotels Corporation said today it recently discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations.
---------------------------------------------
http://krebsonsecurity.com/2015/12/malware-driven-card-breach-at-hyatt-hote…
*** Using WPScan: Finding WordPress Vulnerabilities ***
---------------------------------------------
When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. The database at wpvulndb.com is used to check for vulnerable software and the WPScan team maintains the ever-growing list ofRead More The post Using WPScan: Finding WordPress Vulnerabilities appeared first on Sucuri Blog.
---------------------------------------------
https://blog.sucuri.net/2015/12/using-wpscan-finding-wordpress-vulnerabilit…
*** NSA und GCHQ nutzen seit Jahren Hintertüren in Juniper-Firewalls ***
---------------------------------------------
Geheimes Dokument aus 2011 zeigt Zusammenarbeit der zwei Geheimdienste
---------------------------------------------
http://derstandard.at/2000028055853
*** Victims of the Gomasom Ransomware can now decrypt their files for free ***
---------------------------------------------
Fabian Wosar, security researcher at Emsisoft, created a tool for decrypting files locked by the Gomasom Ransomware. Ransomware are the most threatening cyber threats for end-users, but today I have a good news for victims of the Gomasom ransomware, victims can rescue their locked files. The news was spread by the security researcher Fabian Wosar that developed a...
---------------------------------------------
http://securityaffairs.co/wordpress/43074/malware/decrypt-gomasom-ransomwar…
*** Hacker zeigen massive Lücken bei Bankomatkarten ***
---------------------------------------------
Vor Publikum PIN ausgelesen, Prepaid-Karte aufgeladen und Zahlungen umgeleitet
---------------------------------------------
http://derstandard.at/2000028162750
*** 32C3: Hardware-Trojaner als unterschätzte Gefahr ***
---------------------------------------------
Fest in IT-Geräte und Chips eingebaute Hintertüren stellten eine "ernste Bedrohung" dar, warnten Sicherheitsexperten auf der Hackerkonferenz. Sie seien zwar nur mit großem Einwand einzubauen, aber auch schwer zu finden.
---------------------------------------------
http://heise.de/-3056452
*** 32C3: Dieselgate und die omninöse Akustik-Funktion ***
---------------------------------------------
Kann die Manipulation der Abgaswerte bei Volkswagen wirklich das Werk einzelner Ingenieure sein? Auf dem CCC-Congress erteilten ein Insider und ein Hacker dieser Legende eine Absage.
---------------------------------------------
http://heise.de/-3056438
*** 32C3: Automatische Zugsicherung und vernetzte Bahntechnik im Hackervisier ***
---------------------------------------------
Eine Hackergruppe, die sich auf Industrieanlagen konzentriert, hat diverse Angriffsflächen rund um vernetzte Systeme zur Zugkontrolle ausgemacht. Veraltete Software sowie unsichere Passwörter seien dort "überall" zu finden.
---------------------------------------------
http://heise.de/-3056484
*** DSA-3430 libxml2 - security update ***
---------------------------------------------
Several vulnerabilities were discovered in libxml2, a library providingsupport to read, modify and write XML and HTML files. A remote attackercould provide a specially crafted XML or HTML file that, when processedby an application using libxml2, would cause that application to use anexcessive amount of CPU, leak potentially sensitive information, orcrash the application.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3430
*** GIT git-remote-ext Helper URL Processing Lets Remote Users Execute Arbitrary Commands on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034501
*** F5 Security Advisory: Apache vulnerability CVE-2010-0434 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/40/sol40284849.html?…
*** EMC Secure Remote Services Virtual Edition Directory Traversal Flaw Lets Remote Authenticated Users View Files on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034530
*** Cisco Jabber for Windows STARTTLS Downgrade Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Vuln: Dnsmasq CVE-2015-3294 Remote Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/74452
*** IDM 4.5 - 4.0.2 Midrange Driver Patch 4.0.2 ***
---------------------------------------------
Abstract: Identity Manager Midrange: IBM i (i5/OS and OS/400) driver patch for the Identity Manager versions 4.0.2 or higher. Driver version will show i5os Driver Version 4.0.2 IDM 4.0.2 Build Date 20151207_1437IDM 4.5.x Build Date 201512071006 To see the version run I5OSDRV/I5OSDRV OPTION(*VERSION)Document ID: 5230811Security Alert: YesDistribution Type: Field Test FileEntitlement Required: NoFiles:idm45-402midrangepatch2.tar.gz (96.31 MB)Products:Identity Manager 4.0.2Identity Manager...
---------------------------------------------
https://download.novell.com/Download?buildid=HsE3grsz-TU~
*** DFN-CERT-2015-1999: libvirt: Eine Schwachstelle ermöglicht die Manipulation von Dateien ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1999/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Websphere Liberty Profile (WLP) affect Power Management Console (CVE-2015-2017, CVE-2015-1927, CVE-2015-4938) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021040
---------------------------------------------
*** IBM Security Bulletin: Information disclosure vulnerability affects IBM Sterling B2B Integrator (CVE-2015-7410) ***
http://www.ibm.com/support/docview.wss?uid=swg21972676
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Linux-PAM affects PowerKVM (CVE-2015-3238) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022880
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in pam affect Power Management Console (CVE-2015-3238) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021041
---------------------------------------------
*** IBM Security Bulletin: A denial of service vulnerability affects IBM Sterling B2B Integrator (CVE-2014-0050) ***
http://www.ibm.com/support/docview.wss?uid=swg21972944
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM PureApplication System. (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, and CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21973591
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Synergy (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931 and CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973439
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21972087
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-4962, CVE-2015-4946) ***
http://www.ibm.com/support/docview.wss?uid=swg21973404
---------------------------------------------
*** IBM Security Bulletin: Malformed ECParameters causes infinite loop (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023038
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities affect AppScan Enterprise ***
http://www.ibm.com/support/docview.wss?uid=swg21972830
---------------------------------------------
*** IBM Security Bulletin: Clickjack vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-1928) ***
http://www.ibm.com/support/docview.wss?uid=swg21973200
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Content Manager Enterprise Edition (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21973416
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the IBM Tivoli Storage Manager Client and IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, ***
http://www.ibm.com/support/docview.wss?uid=swg21973383
---------------------------------------------
*** IBM Security Bulletin: Privilege escalation coverage gap in IBM SPSS Statistics (CVE-2015-7489) ***
http://www.ibm.com/support/docview.wss?uid=swg21973502
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-4843, CVE-2015-4805, CVE-2015-4810, CVE-2015-4806, CVE-2015-4871, CVE-2015-4902) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023034
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-4843, CVE-2015-4805, CVE-2015-4810, CVE-2015-4806, CVE-2015-4871, CVE-2015-4902) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005474
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i. ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021047
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Monitoring clients (CVE-2015-2590 plus additional CVEs.) ***
http://www.ibm.com/support/docview.wss?uid=swg21964027
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 22-12-2015 18:00 − Mittwoch 23-12-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** 2015 Ransomware Wrap-Up ***
---------------------------------------------
Heres a rundown of the innovative ransomware that frightened users and earned attackers big bucks this year.
---------------------------------------------
http://www.darkreading.com/endpoint/2015-ransomware-wrap-up/d/d-id/1323424
*** 3-in-1 Malware Infection through Spammed JavaScript Attachments ***
---------------------------------------------
Recently weve observed a massive uptick of malicious spam with JavaScript attachments with an intention to spread and infect Windows systems with variety of malicious executables. The spam usually contains a ZIP file attachment containing only one JavaScript file. The ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/3-in-1-Malware-Infectio…
*** IT bloke: Crooks stole my bikes after cycling app blabbed my address ***
---------------------------------------------
Brit suffers from GPS accuracy An IT manager in Manchester, England, says thieves stole his bikes after a smartphone cycling app pinpointed the location of his garage ..
---------------------------------------------
www.theregister.co.uk/2015/12/22/it_manager_loses_bikes_after_cycling_app_p…
*** Xen Project blunder blows own embargo with premature bug report ***
---------------------------------------------
Malicious guest could eat your virtual rigs from the inside The Xen Project has reported a new bug, XSA-169, that means 'A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.' ..
---------------------------------------------
www.theregister.co.uk/2015/12/23/xen_blunder_blows_own_embargo_with_prematu…
*** Expect Phishers to Up Their Game in 2016 ***
---------------------------------------------
Expect phishers and other password thieves to up their game in 2016: Both Google and Yahoo! are taking steps to kill off the password as we know it.New authentication methods now offered by Yahoo! and to a beta group of Google users let customers log in just by supplying their email address, and then responding to a notification sent to their mobile device.
---------------------------------------------
http://krebsonsecurity.com/2015/12/expect-phishers-to-up-their-game-in-2016
*** Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision ***
---------------------------------------------
It's well known that SHA-1 is no longer considered a secure cryptographic hash function. Researchers now believe that finding a hash collision (two values that result in the same value when SHA-1 is applied) is inevitable and likely to happen in a matter of months. This poses a potential threat to trust on the web, as many websites use certificates that are digitally signed with algorithms that rely on SHA-1. Luckily for everyone, finding a hash collision is not enough to forge a digital
---------------------------------------------
https://blog.cloudflare.com/why-its-harder-to-forge-a-sha-1-certificate-tha…
*** Cyberangriffe auf türkische Internetserver ***
---------------------------------------------
Unklare Hintergründe - Steckt Russland dahinter? Oder Anonymous?
---------------------------------------------
http://derstandard.at/2000028013290
*** Hacker: Filmstars mit Problemen im Netz ***
---------------------------------------------
Brandneue Spielfilme wie der jüngste Western von Quentin Tarantino sind im Internet aufgetaucht. Eine Reihe weiterer Stars hat ganz andere Probleme: Ein Hacker ist an Sexvideos und persönliche Daten von ihnen gelangt - er wurde allerdings nun verhaftet.
---------------------------------------------
http://www.golem.de/news/hacker-filmstars-mit-problemen-im-netz-1512-118179…
*** How a security director used a rootkit to rig the lottery and steal millions of dollars ***
---------------------------------------------
Not too long ago, Eddie Tipton was convicted of hacking into the Multi-State Lottery Association's computer system in order to rig a nearly $17 million jackpot in Iowa. Now comes word that an investigation into Tipton's hacking activities is expanding to include a number of other states. Thus far, lottery officials from Colorado, Wisconsin and Oklahoma have indicated that Tipton may have also gamed lottery jackpots in their respective states.
---------------------------------------------
https://bgr.com/2015/12/23/lottery-hacker-rootkit-stolen-numbers-investigat…
*** Siemens RUGGEDCOM ROX-based Devices NTP Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for NTP daemon vulnerabilities in the Siemens RUGGEDCOM ROX-based devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-356-01
Aufgrund der Weihnachtsfeiertage erscheint der nächste End-of-Shift Report erst am 28.12.2015.
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 21-12-2015 18:00 − Dienstag 22-12-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** IBM Security Bulletin: Blind SQL injection vulnerability in IBM OpenPages GRC Platform API (CVE-2015-5049) ***
---------------------------------------------
A blind SQL injection vulnerability has been found in the OpenPages GRC Platform API that could allow retrival or manipulation of information in the database.
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21970590
*** Cisco IOS XE Software Packet Processing Denial of Service Vulnerability ***
---------------------------------------------
The vulnerability is due to incorrect processing of packets that have a source MAC address of 0000:0000:0000. An attacker could exploit this vulnerability by sending a frame that has a source MAC address of all zeros to an affected device. A successful exploit could allow the attacker to cause the device to reload.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** [20151207] - Core - SQL Injection ***
---------------------------------------------
Inadequate filtering of request data leads to a SQL Injection vulnerability.
---------------------------------------------
https://developer.joomla.org/security-centre/640-20151207-core-sql-injectio…
*** [20151206] - Core - Session Hardening ***
---------------------------------------------
The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). This fixes the bug across all supported PHP versions.
---------------------------------------------
https://developer.joomla.org/security-centre/639-20151206-core-session-hard…
*** First Exploit Attempts For Juniper Backdoor Against Honeypot ***
---------------------------------------------
We are detecting numerous login attempts against our ssh honeypots using the ScreenOSbackdoor password. Our honeypot doesnt emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be manual in that we do see the attacker trying different ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20525
*** Protecting Your Sites from Apache.Commons Vulnerabilities ***
---------------------------------------------
A few weeks ago, FoxGlove Security released this important blog post that includes several Proof-of-Concepts for exploiting Java unserialize vulnerabilities. A remote attacker can gain Remote Code Execution by sending specially crafted payload to any endpoint expecting a serialized ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Protecting-Your-Sites-f…
*** Oracle muss Java-Updates nachbessern ***
---------------------------------------------
Alte Java-Versionen müssen restlos von Computern verschwinden. Dafür muss Oracle sorgen.
---------------------------------------------
http://heise.de/-3052761
*** Shopshifting: Sicherheitsforscher decken Lücken im elektronischen Zahlungsverkehr auf ***
---------------------------------------------
Bezahl-Terminals sprechen übers Netz mit ihrer Kasse und dem Bezahldienstleister. Beide Kommunikationskanäle weisen Schwächen auf, die ein Angreifer nutzen kann, um Kunden oder Ladeninhaber auszuplündern.
---------------------------------------------
http://heise.de/-3052165
*** rt-sa-2015-013 ***
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2015-013.txt
*** Juniper backdoors ***
---------------------------------------------
Juniper hat in einem Advisory (hier unsere unsere Warnung dazu) der Welt gesagt, dass sie bei einem Code-Audit zwei Hintertüren in ScreenOS gefunden haben.Die eine ist eine technisch ziemlich triviale Sache: ein konstantes Passwort erlaubt den Login per ssh oder telnet. Angeblich hat es nur 6 Stunden gebraucht, um dieses ..
---------------------------------------------
http://www.cert.at/services/blog/20151222153859-1646.html
*** IBM Security Bulletin: Multiple XSS Vulnerabilities in IBM UrbanCode Deploy (CVE-2015-7415) ***
---------------------------------------------
IBM UrbanCode Deploy is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21970811
*** Bericht: Hacker haben Teile des US-Stromnetzes infiltriert ***
---------------------------------------------
In rund zwölf Fällen sollen Cyberangriffe auf Kontrollzentren von Energieversorgern in den USA während der vergangenen zehn Jahre erfolgreich gewesen sein. Der Hack des Anbieters Calpine ging wohl vom Iran aus.
---------------------------------------------
http://heise.de/-3054887
*** Call for Papers: VB2016 Prague ***
---------------------------------------------
VB seeks submissions for the 26th Virus Bulletin Conference.Virus Bulletin is seeking submissions from those wishing to present papers at VB2016, which will take place 5 to 7 October 2016 at the Hyatt Regency Denver Hotel in Denver, Colorado, USA.Originally started as an annual gathering of anti-virus experts, the ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/12_22.xml
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 18-12-2015 18:00 − Montag 21-12-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Update für Crimeware Kit Microsoft Word Intruder ***
---------------------------------------------
Über Sicherheitslücken in Microsoft Word kann ein Dateianhang schon beim Öffnen Windows-Systeme infizieren. Der Autor des im Untergrund beliebten Crimeware Kits MWI legt jetzt mit neuen Exploits nach.
---------------------------------------------
http://heise.de/-3049547
*** VMSA-2015-0009 ***
---------------------------------------------
VMware product updates address a critical deserialization vulnerability
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2015-0009.html
*** VMSA-2015-0003.15 ***
---------------------------------------------
VMware product updates address critical information disclosure issue in JRE
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2015-0003.html
*** Avira Registry Cleaner DLL Hijacking ***
---------------------------------------------
avira_registry_cleaner_en.exe, available from
<https://www.avira.com/en/download/product/avira-registry-cleaner>
to clean up remnants the uninstallers of their snakeoil products
fail to remove, is vulnerable: it loads and executes WTSAPI32.dll,
UXTheme.dll and RichEd20.dll from its application directory
(tested and verified under Windows XP SP3 and Windows 7 SP1).
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120223
*** PUPs Masquerade as Installer for Antivirus and Anti-Adware ***
---------------------------------------------
If youre looking for download sites of programs you wish to install onto your machine or simply try out, you, dear Reader, would be better off dropping by their official websites.
---------------------------------------------
https://blog.malwarebytes.org/online-security/2015/12/pups-masquerade-as-in…
*** Joomla 0-Day Exploited In the Wild (CVE-2015-8562) ***
---------------------------------------------
A recent new 0-day in Joomla discovered by Sucuri (Sucuri Blog) has drawn a lot of attention from the Joomla community, as well as attackers. Using knowledge gained from our recent research on Joomla (CVE-2015-7857, SpiderLabs Blog Post) and information ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-0-Day-Exploited-…
*** Google Chrome: Abschied von SHA-1-siginierten SSL-Zertifikaten ***
---------------------------------------------
Ab Anfang nächsten Jahres wird Google Chrome keine neu ausgestellten SHA-1-signierten SSL-Zertifikate von öffentlichen CAs mehr akzeptieren. SHA-1 gilt seit zehn Jahren als unsicher, wird aber immer noch von HTTPS-Sites verwendet.
---------------------------------------------
http://heise.de/-3049749
*** The EPS Awakens - Part 2 ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-t…
*** Facebook hammers another nail into Flashs coffin ***
---------------------------------------------
The Social NetworkTM bins Adobes malware-magnet for video, adopts HTML5 Facebook has hammered puts another nail in to the coffin of Adobe Flash, by switching from the bug-ridden plug-in to HTML5 for all videos on the site.
---------------------------------------------
www.theregister.co.uk/2015/12/21/facebook_dumps_flash_for_video/
*** Hello Kitty: Kinderdaten ungeschützt im Netz ***
---------------------------------------------
Eine MongoDB-Datenbank mit den privaten Informationen zahlreicher Hello-Kitty-Fans wurde veröffentlicht. Vor allem Kinder dürften davon betroffen sein - und sollten ihre Passwörter bei anderen Diensten überprüfen.
---------------------------------------------
http://www.golem.de/news/security-hello-kitty-gehackt-1512-118123.html
*** XXX is Angler EK ***
---------------------------------------------
http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html
*** Schnüffelcode in Juniper-Netzgeräten: Weitere Erkenntnisse und Spekulationen ***
---------------------------------------------
Die Analysen der ScreenOS-Updates fördern vogelwilde Dinge zu Tage. So gab es zwei unabhängige Hintertüren. Die SSH-Backdoor kann dank des veröffentlichten Passworts jeder ausnutzen; die komplexere VPN-Lücke beruht wohl auf einer bekannten NSA-Backdoor.
---------------------------------------------
http://heise.de/-3051260
*** The many attacks on Zengge WiFi lightbulbs ***
---------------------------------------------
In August I decided to check out the cool new Internet Of Things. I bought a WiFi-enabled colorful LED lightbulb. It was a cheap Chinese one that costs almost nothing on Alibaba, but I paid probably around $50 on Amazon. It's built by a company called Zengge. It turned out that my new lightbulb was a router, an HTTP server, an HTTP proxy, and a lot more.
---------------------------------------------
http://blog.viktorstanchev.com/2015/12/20/the-many-attacks-on-zengge-wifi-l…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 17-12-2015 18:00 − Freitag 18-12-2015 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** JSA10713 - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10713
*** JSA10712 - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Crafted SSH negotiation may trigger system crash (CVE-2015-7754) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10712
*** Cisco Model DPQ3925 Wireless Residential Gateway Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Schneider Electric Modicon M340 Buffer Overflow Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a buffer overflow vulnerability in Schneider Electric's Modicon M340 PLC product line.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01
*** Motorola MOSCAD SCADA IP Gateway Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for Remote File Inclusion and Cross-Site Request Forgery vulnerabilities in Motorola Solutions MOSCAD IP Gateway.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-02
*** eWON Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for several vulnerabilities in the eWON sa industrial router.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-03
*** Microsoft will stop trusting certificates from 20 Certificate Authorities ***
---------------------------------------------
Starting on January 2016, Microsofts Trusted Root Certificate Program will no longer include twenty currently trusted CAs and will remove their root certificates removed from the Trusted ..
---------------------------------------------
http://www.net-security.org/secworld.php?id=19252
*** Docker and Enterprise Security: Establishing Best Practices ***
---------------------------------------------
Virtualization containers, with their extraordinarily efficient hardware utilization, can be like a dream come true for development teams. While containerization will probably ..
---------------------------------------------
http://resources.infosecinstitute.com/docker-and-enterprise-security-establ…
*** IBM Security Bulletins ***
---------------------------------------------
*** Infosphere BigInsights is affected by a vulnerability in DB2 (CVE-2015-1947) ***
http://www.ibm.com/support/docview.wss?uid=swg21967131
---------------------------------------------
*** IBM InfoSphere Balanced Warehouse C3000, C4000, IBM Smart Analytics System 1050, 2050 and 5710 are affected by multiple vulnerabilities in OpenSSL ***
http://www.ibm.com/support/docview.wss?uid=swg21971298
---------------------------------------------
*** Multiple vulnerabilities in current releases of IBM SDK for Node.js in IBM Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21973447
---------------------------------------------
*** Multiple Security Vulnerabilities affect IBM Security Privileged Identity Manager Virtual Appliance ***
http://www.ibm.com/support/docview.wss?uid=swg21972496
---------------------------------------------
*** Multiple vulnerabilities in IBM Java SDK affect Rational Functional Tester (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006) ***
http://www.ibm.com/support/docview.wss?uid=swg21972844
---------------------------------------------
*** A vulnerability in lighttpd affects IBM Security Virtual Server Protection for VMware (CVE-2015-3200) ***
http://www.ibm.com/support/docview.wss?uid=swg21973291
---------------------------------------------
*** IBM Multiple vulnerabilities in IBM Java SDK affect IBM API Management ***
http://www.ibm.com/support/docview.wss?uid=swg21972828
---------------------------------------------
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that could, in certain configurations, allow a malicious administrator of a guest VM to compromise the host or obtain potentially sensitive information from other guest VMs. In addition, a vulnerability has been identified that would allow certain applications running on a guest to cause that guest to crash.
---------------------------------------------
https://support.citrix.com/article/CTX203879
*** Vuln: Microsoft Windows Environment Variable Expansion in PATH Security Bypass Weakness ***
---------------------------------------------
http://www.securityfocus.com/bid/44484
*** Cisco IOS and IOS XE Software IKEv1 State Machine Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** SSA-472334 (Last Update 2015-12-18): NTP Vulnerabilities in RUGGEDCOM ROX-based Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-472334…
*** SSA-396873 (Last Update 2015-12-18): TLS Vulnerability in Ruggedcom ROS- and ROX-based Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-396873…
*** iOS banking apps security still not good enough, says researcher ***
---------------------------------------------
Repeat test throws up improved results from 2013 but problems remain The security of mobile banking apps has improved over the ..
---------------------------------------------
www.theregister.co.uk/2015/12/18/ios_banking_app_audit/
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 16-12-2015 18:00 − Donnerstag 17-12-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Press Backspace 28 times to own unlucky Grub-by Linux boxes ***
---------------------------------------------
Integer underflow fault means you can get into rescue mode and rummage around A pair of researchers from the University of Valencias Cybersecurity research group have found that if you press backspace 28 times, its possible to bypass authentication during boot-up on some Linux machines.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/12/17/press_backs…
*** Checklist - How to Secure Your WordPress Website ***
---------------------------------------------
We know that you care about what you build and protecting it is incredibly important. Hacks happen, and it's your job to reduce their likelihood to the lowest probability possible. We built this checklist of best practices to help you harden your website and protect you and your users from hacks.
---------------------------------------------
https://www.wordfence.com/learn/checklist-how-to-secure-your-wordpress-webs…
*** Privileged Access Workstations ***
---------------------------------------------
Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket.
---------------------------------------------
https://technet.microsoft.com/en-US/library/mt634654.aspx
*** F-Secure: Sandboxed Execution Environment ***
---------------------------------------------
Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments. The Sandboxes, provided via libvirt, are customizable allowing high degree of flexibility. Different type of Hypervisors (Qemu, VirtualBox, LXC) can be employed to run the Test Environments. Plugins can be added to a Test Environment which provides an Event mechanism synchronisation for their interaction. Users can enable and configure the plugins through a JSON configuration file.
---------------------------------------------
https://github.com/F-Secure/see
*** How do you know if your smartphone has been compromised? ***
---------------------------------------------
Signs that may indicate a mobile infection: Has your phone been compromised? #1: You notice the system or apps behaving strangely #2: Your call or message history includes some unknown entries ...
---------------------------------------------
http://www.welivesecurity.com/2015/12/16/know-smartphone-compromised/
*** XSS, SQLi bugs found in several Network Management Systems ***
---------------------------------------------
Network Management System (NMS) offerings by Spiceworks, Ipswitch, Opsview and Castle Rock Computing have been found sporting several cross-site scripting and SQL injection flaws that could be exploit...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/hQ6oQHF5luA/secworld.php
*** POS Malware Families: An insight into the Behavior of POS Malware ***
---------------------------------------------
In a previous blog, we discussed why Point of Sale (POS) devices remain such an attractive target and described some different attack methods. As you can see from the infographic below, retail and POS have been (pardon the pun) "Targets" on an ongoing basis for the past few years, and the trend doesn't appear to be reversing, even with technologies such as EMV and P2PE. In this blog, we describe some of the different families of POS malware. POS Malware Common Features...
---------------------------------------------
https://feeds.feedblitz.com/~/128665939/0/alienvault-blogs~POS-Malware-Fami…
*** Xen Security Advisories ***
---------------------------------------------
XSA-155 - paravirtualized drivers incautious about shared memory contents
http://xenbits.xen.org/xsa/advisory-155.html
---------------------------------------------
XSA-157 - Linux pciback missing sanity checks leading to crash
http://xenbits.xen.org/xsa/advisory-157.html
---------------------------------------------
XSA-164 - qemu-dm buffer overrun in MSI-X handling
http://xenbits.xen.org/xsa/advisory-164.html
---------------------------------------------
XSA-165 - information leak in legacy x86 FPU/XMM initialization
http://xenbits.xen.org/xsa/advisory-165.html
---------------------------------------------
XSA-166 - ioreq handling possibly susceptible to multiple read issue
http://xenbits.xen.org/xsa/advisory-166.html
---------------------------------------------
*** DFN-CERT-2015-1948: Samba: Mehrere Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1948/
*** Cisco FireSIGHT Management Center SSL HTTP Attack Detection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Advisory: BIND vulnerability CVE-2015-8000 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/34/sol34250741.html?…
*** Multiple SQL Injection Vulnerabilities in Citrix Command Center Web User Interface Java Servlets ***
---------------------------------------------
A number of SQL Injection vulnerabilities have been identified in the Administration Web UI servlets used by Citrix Command Center. These vulnerabilities, if exploited, could allow an authenticated user to insert malicious SQL queries into the application, potentially causing the alteration or deletion of system data.
---------------------------------------------
http://support.citrix.com/article/CTX203787
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM API Management (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21965259
---------------------------------------------
*** IBM Security Bulletin: Fix available for Information Disclosure Vulnerability in IBM WebSphere Portal (CVE-2015-7447) ***
http://www.ibm.com/support/docview.wss?uid=swg21973152
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Content Manager Services for Lotus Quickr (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21973096
---------------------------------------------
*** IBM Security Bulletin: Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and Tivoli Storage FlashCopy Manager for VMware affected by privilege escalation vulnerability (CVE-2015-7429) ***
http://www.ibm.com/support/docview.wss?uid=swg21973087
---------------------------------------------
*** IBM Security Bulletin: Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and Tivoli Storage FlashCopy Manager for VMware affected by unauthorized access vulnerability (CVE-2015-7420) ***
http://www.ibm.com/support/docview.wss?uid=swg21973086
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) - IBM Java SDK updates October 2015 ***
http://www.ibm.com/support/docview.wss?uid=swg21973355
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server (IHS) affect IBM Security SiteProtector System (CVE-2015-1283, CVE-2015-3183 and CVE-2015-4947) ***
http://www.ibm.com/support/docview.wss?uid=swg21972470
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Content Collector for SAP Applications (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21973147
---------------------------------------------
*** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Cinder information disclosure vulneraility (CVE-2015-1851) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1020980
---------------------------------------------
*** IBM Security Bulletin: Infosphere BigInsights is affected by a vulnerability in DB2 that allows users to truncate any table even though the owner of the table has not granted any privilege to any user/role/group (CVE-2015-5020) ***
http://www.ibm.com/support/docview.wss?uid=swg21967923
---------------------------------------------
*** IBM Security Bulletin: Infosphere BigInsights is affected by a vulnerability in DB2 (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21970400
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects OpenPages GRC Platform with Application Server (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972345
---------------------------------------------
*** IBM Security Bulletin: IBM Curam Social Program Management is Vulnerable to Reflected Cross-Site Scripting (CVE-2015-7402) ***
http://www.ibm.com/support/docview.wss?uid=swg21970661
---------------------------------------------
*** ZDI-15-641: Foxit Reader Forms Out-Of-Bounds Read Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/LfsseiLCccs/
*** ZDI-15-643: Foxit Reader Will Print Action Use-After-Free Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/28dKwkM6_5M/
*** ZDI-15-642: Foxit Reader Will Save Document Action Use-After-Free Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/uY-c98zZjQI/
*** ZDI-15-644: Foxit Reader FlateDecode Heap Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/s3waojIPu0E/
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 15-12-2015 18:00 − Mittwoch 16-12-2015 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** IBM Security Bulletin ***
---------------------------------------------
*** Multiple vulnerabilities in IBM Java SDK affect IBM Rational Connector for SAP Solution Manager ***
http://www.ibm.com/support/docview.wss?uid=swg21967447
---------------------------------------------
*** IBM Security Bulletin: Security Vulnerability in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Configuration Manager ***
http://www.ibm.com/support/docview.wss?uid=swg21972884
---------------------------------------------
*** IBM Security Bulletin: Openstack Cinder and Horizon vulnerabilities affect IBM Cloud Manager with OpenStack ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023146
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to path traversal attack. ***
http://www.ibm.com/support/docview.wss?uid=swg21967647
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability exist in the IBM SDK, Java Technology Edition provided with WebSphere DataPower XC10 Appliance ***
http://www.ibm.com/support/docview.wss?uid=swg21972660
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Stored cross-site scripting. ***
http://www.ibm.com/support/docview.wss?uid=swg21973175
---------------------------------------------
*** FireEye Exploitation: Project Zero's Vulnerability of the Beast ***
---------------------------------------------
FireEye sell security appliances to enterprise and government customers. FireEye's flagship products are monitoring devices designed to be installed at egress points of large networks, i.e. where traffic flows from the intranet to the internet.To give a ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2015/12/fireeye-exploitation-project-…
*** Security Management vs Chaos: Understanding the Butterfly Effect to Manage Outcomes & Reduce Chaos ***
---------------------------------------------
And now for something completely different.">Python">Subtitle: Captain Obvious Applies Chaos Theory Introduction This diary breaks a bit from our expected norms todiscussmanaging possible outcomes originating froma data breach ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20495
*** Security Advisory: Multiple MySQL vulnerabilities ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/59/sol59010802.html?…
*** VB2015 video: Making a dent in Russian mobile banking phishing ***
---------------------------------------------
Sebastian Porst explains what Google has done to protect users from phishing apps targeting Russian banks.In the last few years, mobile malware has evolved from a mostly theoretical threat to a very serious one that affects many users. Indeed, several talks at VB2015 dealt with various aspects of mobile ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/12_16.xml
*** Adcon Telemetry A840 Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities in Adcon Telemetry's A840 Telemetry Gateway Base Station.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-349-01
*** Advantech EKI Vulnerabilities (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-15-344-01 Advantech EKI Vulnerabilities that was published December 10, 2015, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-344-01
*** Sicherheitspaket UTM von Sophos löchrig ***
---------------------------------------------
Das Unified-Threat-Management-Paket von Sophos ist bedroht und einem Sicherheitsforscher zufolge können Angreifer etwa die Firewall deaktivieren. Die Lücken sollen bereits gefixt sein; Patches sind aber noch nicht verfügbar.
---------------------------------------------
http://heise.de/-3044717
*** DFN-CERT-2015-1937/">ISC BIND9: Zwei Schwachstellen ermöglichen einen Denial-of-Service-Angriff ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1937/
*** Driving an industry towards secure code ***
---------------------------------------------
The German government made an unprecedented move this week by issuing requirements for all new vehicles' software to be made accessible to country regulators to ensure that emissions loopholes aren't ...
---------------------------------------------
http://www.net-security.org/article.php?id=2431
*** Playing With Sandboxes Like a Boss ***
---------------------------------------------
Last week, Guy wrote a nice diary to explain how to easily deploy IRMA to analyze suspicious files. Having a good tool to work on files locally is always interesting for multiple reasons. You are doing some independent research, you ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20501
*** Attacking WPA2 Enterprise ***
---------------------------------------------
The widespread use of mobile and portable devices in the enterprise environment requires a proper implementation of the wireless network infrastructure to provide them connectivity and ensure the business functionality. WPA-Enterprise is ..
---------------------------------------------
http://resources.infosecinstitute.com/attacking-wpa2-enterprise/
*** Open Source Network Security Tools for Newbies ***
---------------------------------------------
With so many open source tools available to help with network security, it can be tricky to figure out where to start, especially if you are an IT generalist who has been tasked with security. We all have to start somewhere. The question is, where? The sheer number of open source tools available can make ..
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/open-source-network-se…
*** [HTB23282]: RCE in Zen Cart via Arbitrary File Inclusion ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered critical vulnerability in a popular e-commerce software Zen Cart, which can be exploited by remote non-authenticated attackers to compromise vulnerable system. A remote ..
---------------------------------------------
https://www.htbridge.com/advisory/HTB23282
*** Crimeware / APT Malware Masquerade as Santa Claus and Christmas Apps ***
---------------------------------------------
CloudSek was monitoring an underground hacking team, that was selling a Desktop malware in various underground forums. The desktop malware is specifically designed for jumping air-gapped systems , and given the type of documents the attackers are seeking , it was collecting classified data from software companies and government organisations.
---------------------------------------------
https://www.cloudsek.com/announcements/blog/apt-malware-masquerade-as-chris…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 14-12-2015 18:00 − Dienstag 15-12-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** 13 million MacKeeper users exposed after MongoDB door was left open ***
---------------------------------------------
Expect more breaches in the future as 35,000 MongoDB installs are misconfigured.
---------------------------------------------
http://arstechnica.com/security/2015/12/13-million-mackeeper-users-exposed-…
*** Hack: Esa-Nutzer haben kurze Passwörter ***
---------------------------------------------
Zahlreiche interne Datensätze der Europäischen Raumfahrtagentur Esa sind gehackt worden und jetzt im Internet einsehbar. Offenbar benutzen viele der Esa-Nutzer kurze und unsichere Passwörter.
---------------------------------------------
http://www.golem.de/news/rocket-science-esa-nutzer-haben-kurze-passwoerter-…
*** Vulnerability Details: Joomla! Remote Code Execution ***
---------------------------------------------
The Joomla! team released a new version of Joomla! CMS yesterday to patch a serious and easy to exploit remote code execution vulnerability that affected pretty much all versions of the platform up to 3.4.5. As soon as the patch was released, we were able to start our investigation and found that it was alreadyRead More The post Vulnerability Details: Joomla! Remote Code Execution appeared first on Sucuri Blog.
---------------------------------------------
https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.ht…
*** 4 Things to Consider When Assessing Device Posture for Effective Network Access Control ***
---------------------------------------------
Guest blogger Benny Czarny explains one of the main reasons to have a NAC system in place is to keep risky devices from connecting to your organization's network. Unfortunately, simply purchasing a NAC solution is not going to guarantee your protection.Categories: Online SecurityTags: Anti-Malwareanti-virusencryptionendpointvulnerability(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/online-security/2015/12/4-things-to-consider-…
*** Protecting Windows Networks - Kerberos Attacks ***
---------------------------------------------
MEDIA NOTE: This is not a new flaw, just a good write-up! I don't know why media reporting this as a new flaw. | Kerberos is an authentication protocol that is used by default in Windows networks and provide mutual authentication and authorization for clients and servers. It does not require you to send a password or a hash on the wire, it is instead rely on a trusted third party for handling all the details. | Although, it is considered a secure protocol, it has some flaws in Windows...
---------------------------------------------
http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attack…
*** Kaspersky Security Bulletin 2015. Overall statistics for 2015 ***
---------------------------------------------
In 2015, virus writers demonstrated a particular interest in exploits for Adobe Flash Player. The proportion of relatively simple programs used in mass attacks was growing. Attackers have mastered non-Windows platforms - Android and Linux: almost all types of malicious programs are created and used for these platforms.
---------------------------------------------
http://securelist.com/analysis/kaspersky-security-bulletin/73038/kaspersky-…
*** Oil and Gas Cyber Security - Interview ***
---------------------------------------------
In the recent presentation at BlackHat, you mentioned that oil and gas is one of the industries most plagued by cyber-attacks. What makes oil and gas an attractive target? It's a juicy target for Cyberattacks as oil and gas companies are responsible for a great part of some countries' economies. Any interference in their work...
---------------------------------------------
http://resources.infosecinstitute.com/oil-and-gas-cyber-security-interview/
*** Android.ZBot banking Trojan uses "web injections" to steal confidential data ***
---------------------------------------------
December 15, 2015 The Trojans designed to steal money from bank accounts pose a serious threat to Android users. The Android.ZBot Trojan is one of these malicious programs. Its different modifications target mobile devices of Russian users from February 2015. This Trojan is interesting due to its ability to steal logins, passwords, and other confidential data by displaying fraudulent authentication forms on top of any applications. The appearance of such forms is generated on
---------------------------------------------
http://news.drweb.com/show/?i=9754&lng=en&c=9
*** Security Afterworks: Wie man TLS-Hipster wird & Best of CCC ***
---------------------------------------------
January 21, 2016 - 5:00 pm - 6:00 pm SBA Research Favoritenstraße 16 1040 Wien
---------------------------------------------
https://www.sba-research.org/events/security-afterworks-wie-man-tls-hipster…
*** ZDI-15-639: (0Day) Microsoft Office Excel Binary Worksheet Use-After-Free Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-639/
*** ZDI-15-638: (0Day) Apache TomEE Deserialization of Untrusted Data Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache TomEE. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-638/
*** Security Advisory: RSA-CRT key leak vulnerability CVE-2015-5738 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/91/sol91245485.html?…
*** Cisco Unified Communications Manager Web Management Interface Cross-Site Scripting Filter Bypass Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS XE Software IPv6 Neighbor Discovery Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Communications Manager Web Applications Identity Management Subsystem Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Notice - Statement on NTP.org and CERT/CC Revealing Security Vulnerabilities in NTPd ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** TYPO3 CMS 6.2.16 and 7.6.1 released ***
---------------------------------------------
The TYPO3 Community announces the versions 6.2.16 LTS and 7.6.1 LTS of the TYPO3 Enterprise Content Management System.
Both versions are maintenance releases and contain bug and security fixes.
In case the extension mediace is used, please make sure to upgrade to version 7.6.1.
---------------------------------------------
http://www.typo3.org/news/article/typo3-cms-6216-and-761-released/
---------------------------------------------
*** Cross-Site Scripting in TYPO3 component Indexed Search ***
http://www.typo3.org/news/article/cross-site-scripting-in-typo3-component-i…
---------------------------------------------
*** TYPO3 is susceptible to Cross-Site Flashing ***
http://www.typo3.org/news/article/typo3-is-susceptible-to-cross-site-flashi…
---------------------------------------------
*** Multiple Cross-Site Scripting vulnerabilities in frontend ***
http://www.typo3.org/news/article/multiple-cross-site-scripting-vulnerabili…
---------------------------------------------
*** Cross-Site Scripting vulnerability in typolinks ***
http://www.typo3.org/news/article/cross-site-scripting-vulnerability-in-typ…
---------------------------------------------
*** Multiple Cross-Site Scripting vulnerabilities in TYPO3 backend ***
http://www.typo3.org/news/article/multiple-cross-site-scripting-vulnerabili…
---------------------------------------------
*** Cross-Site Scripting in TYPO3 component Extension Manager ***
http://www.typo3.org/news/article/cross-site-scripting-in-typo3-component-e…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 11-12-2015 18:00 − Montag 14-12-2015 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** IBM Security Bulletin ***
---------------------------------------------
*** Vulnerability in Apache Commons affects WebSphere Message Broker and IBM Integration Bus (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972391
---------------------------------------------
***Vulnerability in Apache Commons affects Tivoli Network Manager Transmission Edition (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21971891
---------------------------------------------
***Vulnerability in Apache Commons affects Rational Developer for System z (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21971643
---------------------------------------------
***Vulnerability in the IBM Installation Manager script (CVE-2015-7442) ***
http://www.ibm.com/support/docview.wss?uid=swg21971295
---------------------------------------------
***Vulnerability in Apache Commons affects Rational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972753
---------------------------------------------
***Vulnerabilities in OpenSSL affect IBM Rational Application Developer for WebSphere Software (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21972951
---------------------------------------------
***A security vulnerability has been identified in IBM Maximo Asset Management which could allow an attacker to obtain sensitive information via REST API (CVE-2015-7452) ***
http://www.ibm.com/support/docview.wss?uid=swg21972463
---------------------------------------------
***IBM Maximo Asset Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input (CVE-2015-7451) ***
http://www.ibm.com/support/docview.wss?uid=swg21972423
---------------------------------------------
***IBM Security Network Intrusion Prevention System is affected by krb5 vulnerabilities (CVE-2014-4341, CVE-2013-1418 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21970321
---------------------------------------------
***A vulnerability in OpenSSH affects IBM Security Network Intrusion Prevention System (CVE-2015-5600) ***
http://www.ibm.com/support/docview.wss?uid=swg21969673
---------------------------------------------
***A vulnerability in net-snmp affects IBM Security Network Intrusion Prevention System (CVE-2014-3565) ***
http://www.ibm.com/support/docview.wss?uid=swg21972208
---------------------------------------------
***Vulnerabilities in curl affect IBM Security Network Intrusion Prevention System ***
http://www.ibm.com/support/docview.wss?uid=swg21968978
---------------------------------------------
***A security vulnerability has been identified in IBM Rational ClearQuest (CVE-2015-4996) ***
http://www.ibm.com/support/docview.wss?uid=swg21972331
---------------------------------------------
***Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Provisioning Manager (CVE-2015-2601, CVE-2015-1931, CVE-2015-2625) ***
http://www.ibm.com/support/docview.wss?uid=swg21972941
---------------------------------------------
***Vulnerabilities in OpenSSL affect IBM Cognos Planning(CVE-2015-1789, CVE-2015-1790, CVE-2015-1792) ***
http://www.ibm.com/support/docview.wss?uid=swg21971729
---------------------------------------------
*** Website Malware - Evolution of Pseudo Darkleech ***
---------------------------------------------
Last March we described a WordPress attack that was responsible for hidden iframe injections that resembled Darkleech injections: declarations of styles with random names and coordinates, iframes with No-IP host names, and random dimensions where the ..
---------------------------------------------
https://blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html
*** iTunes 12.3.2 ***
---------------------------------------------
https://support.apple.com/kb/HT205636
*** Security Advisory: Apache Groovy vulnerability CVE-2015-3253 ***
---------------------------------------------
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. (CVE-2015-3253)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/49/sol49233165.html
*** Security Update 2015-006 Yosemite ***
---------------------------------------------
https://support.apple.com/kb/HT205653
*** OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks ***
---------------------------------------------
https://support.apple.com/kb/HT205637
*** OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks ***
---------------------------------------------
https://support.apple.com/kb/HT205375
*** What Signs Are You Missing? ***
---------------------------------------------
While recently listening to a presentation, I found my attention drawn to a metal water container at the center of the conference room table. Condensation was all around it and without ever having to interact with the container, I found ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20481
*** Google Bans Symantec Root Certificates ***
---------------------------------------------
An anonymous reader writes: After in September Google discovered SSL certificates issued in its name by Symantec, and after in October the company discovered over 2,500 ..
---------------------------------------------
http://tech.slashdot.org/story/15/12/12/2255212/google-bans-symantec-root-c…
*** DSA-3416 libphp-phpmailer - security update ***
---------------------------------------------
Takeshi Terada discovered a vulnerability in PHPMailer, a PHP library foremail transfer, used by many CMSs. The library accepted email addressesand SMTP commands containing line breaks, which can be abused by anattacker to inject messages.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3416
*** Memory-resident modular malware menaces moneymen ***
---------------------------------------------
Latentbot avoids your HDD - and its been off the radar for two years A stealthy strain of malware resident only in memory has been quietly pwning victims around the world for two years.
---------------------------------------------
www.theregister.co.uk/2015/12/14/latentbot_memory_resident_malware/
*** Lenovo/CSR: Bluetooth-Treiber installiert Root-Zertifikat ***
---------------------------------------------
Ein Bluetooth-Treiber für Chips der Firma CSR installiert zwei Root-Zertifikate, mit denen der Besitzer des privaten Schlüssels HTTPS-Verbindungen angreifen könnte. Offenbar handelt es sich um Testzertifikate zur Treibersignierung während der Entwicklung.
---------------------------------------------
http://www.golem.de/news/lenovo-csr-bluetooth-treiber-installiert-root-zert…
*** Inside the German cybercriminal underground ***
---------------------------------------------
Trend Micro investigated on German crime forums and concluded that Germany possesses the most advanced cybercrime ecosystem in the European Union. We have reported several times the news related to various criminal cybercriminal ..
---------------------------------------------
http://securityaffairs.co/wordpress/42802/cyber-crime/german-cybercriminal-…
*** [20151214] - Core - Remote Code Execution Vulnerability ***
---------------------------------------------
Browser information are not filtered properly while saving the session values into the database what leads to a Remote Code Execution vulnerability.
---------------------------------------------
https://developer.joomla.org/security-centre/630-20151214-core-remote-code-…
*** [20151214] - Core - CSRF Hardening ***
---------------------------------------------
Add additional CSRF hardening in com_templates.
---------------------------------------------
https://developer.joomla.org/security-centre/633-20151214-core-csrf-hardeni…
*** [20151214] - Core - Directory Traversal ***
---------------------------------------------
Fails to properly sanitise input data from the XML install file located within the package archive.
---------------------------------------------
https://developer.joomla.org/security-centre/634-20151214-core-directory-tr…
*** Bugtraq: ERPSCAN Research Advisory [ERPSCAN-15-022] SAP NetWeaver 7.4 - XSS ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537111
*** Bugtraq: [ERPSCAN-15-021] SAP NetWeaver 7.4 - SQL Injection vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537109
*** Sicherheitsforscher: Datenleck bei Mackeeper erlaubt freien Zugriff auf Nutzerdaten ***
---------------------------------------------
Die Datenbank der umstrittetenen Mac-Software Mackeeper sei frei zugänglich, erklärt ein Sicherheitsforscher. Er habe 13 Millionen Datensätze mit Nutzerinformationen ungehindert heruntergeladen.
---------------------------------------------
http://heise.de/-3043720