- Daily - CERT.at

Tageszusammenfassung - Freitag 17-07-2015
by Daily end-of-shift report 17 Jul '15

17 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 16-07-2015 18:00 − Freitag 17-07-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** MSRT July 2015: Crowti *** --------------------------------------------- In our ongoing effort to provide malware protection, we are adding the following detections to the Microsoft Malicious Software Removal Tool (MSRT) this month: Win32/Crowti Win32/Reveton Crowti, a file encryption threat, is one of the top prevalent ransomware families. We have recently seen it sent as a spam email attachment with formats similar to those shown below: Figure 1: Email spam samples delivering Crowti as an attachment As well as using spam emails as the entry point or infection... --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2015/07/14/msrt-july-2015-crowti.as… *** Running SAP? Checked for patches lately? Nows a good time *** --------------------------------------------- New round of fixes includes one for security bypass flaw SAP has released its July pack of security fixes, including critical patches one researcher says demand your urgent attention. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/07/17/running_sap… *** Ad networks beware; Google raises Red Screen of malware Dearth *** --------------------------------------------- Chrome to take shine off dodgy ad networks. Watch out dodgy ad slingers and news sites; Google is expanding its last line of defence Chrome feature to brand all security-slacker ad networks as unsafe. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/07/17/google_safe… *** Fake News App in Hacking Team Dump Designed to Bypass Google Play *** --------------------------------------------- Looking into the app's routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology. Initially, it only asks for three permissions and can be deemed safe by Google's security standards as there are no exploit codes to be found in the app. However, dynamic loading technology allows the app to download and execute a partial of code from the Internet. It will not load the code while Google is verifying the app but will later push the code once... --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in… *** Significant Flash exploit mitigations are live in v18.0.0.209 *** --------------------------------------------- Whilst Project Zero has gained a reputation for vulnerability and exploitation research, thats not all that we do. One of the main reasons we perform this research is to provide data to defenders; and one of the things that defenders can do with this data is to devise exploit mitigations. Sometimes, well take on exploit mitigations ourselves. Recently, weve been working with Adobe on Flash mitigations, and this post describes some significant mitigations have landed over the past couple of... --------------------------------------------- http://googleprojectzero.blogspot.co.at/2015/07/significant-flash-exploit-m… *** Save the Date: 2 November NCSRA-Symposium 2015 *** --------------------------------------------- For the second time the NCSC will be co-organizing the NCSRA Symposium, which will be held on 2 November during Alert Online (the Dutch national cyber security awareness campaign). This symposium offers possibilities for knowledge sharing and community building in cybersecurity research and innovation. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/save-the-date-2-november-nc… *** Process Explorer and VirusTotal, (Fri, Jul 17th) *** --------------------------------------------- About a year ago, Rob had a diary entry about checking a file from Process Explorer with VirusTotal. Did you know you can have all EXEs of running processes scanned with VirusTotal? In Process Explorer, add column VirusTotal: Enable VirusTotal checks: And accept the VirusTotal terms: And now you can see the VirusTotal scores: Process Explorer is not the only Sysinternals tool that comes with VirusTotal support. Ill showcase more tools in upcoming diary entries. Sysinternals:... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19931&rss *** SANS: Kostenloser Webcast: 5 Jahre nach Stuxnet: Was hat sich geändert, was nicht und was liegt vor uns *** --------------------------------------------- Wednesday, July 29, 2015 at 17:00 CEST Thomas Brandstetter | In der industriellen Welt war die Entdeckung der Stuxnet-Malware das markanteste Ereignis der letzten Jahre. Viele Präsentationen über Industrial Security haben seither mit dem Satz Seit Stuxnet ist alles anders begonnen. Anlässlich des 5-Jahres-Jubiläums der Entdeckung von Stuxnet lohnt es zu fragen: Stimmt das? Welche Auswirkungen hatte Stuxnet tatsächlich auf die industrielle Welt? Thomas Brandstetter war im... --------------------------------------------- https://www.sans.org/webcasts/5-years-stuxnet-changed-didnt-lies-100617 *** Flash-Updates für Linux und noch einmal für die Extended-Support-Version *** --------------------------------------------- Auch Linux-Nutzer, die nicht mit Chrome unterwegs sind, kommen nun in den Genuss des neuesten Flash-Updates. Außerdem müssen Extended-Support-Nutzer noch mal patchen. --------------------------------------------- http://heise.de/-2752440 *** Kommentar: Weg mit Flash! *** --------------------------------------------- Bei Adobes Plug-in stimmt die Balance aus Nutzen und Risiko nicht mehr. Es wird Zeit, dieses Relikt abzuschalten, meint Herbert Braun --------------------------------------------- http://heise.de/-2751583 *** TotoLink Routers Plagued By XSS, CSRF, RCE Bugs *** --------------------------------------------- A slew of routers manufactured in China are fraught with vulnerabilities, some which have existed in products for as long as six years. --------------------------------------------- http://threatpost.com/totolink-routers-plagued-by-xss-csrf-rce-bugs/113816 *** Bugtraq: Novell GroupWise 2014 WebAccess vulnerable to XSS attacks *** --------------------------------------------- http://www.securityfocus.com/archive/1/536023 *** Elasticsearch 1.6.0 Remote Code Execution *** --------------------------------------------- Topic: Elasticsearch 1.6.0 Remote Code Execution Risk: High Text:Summary: Elasticsearch versions prior to 1.6.1 are vulnerable to an engineered attack on its transport protocol that enables r... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015070089 *** Elasticsearch 1.6.0 Directory Traversal *** --------------------------------------------- Topic: Elasticsearch 1.6.0 Directory Traversal Risk: Medium Text:Summary: Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015070090 *** WP Backitup <= 1.9.1 - Backup File Disclosure *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8105 *** Cisco Prime Collaboration Assurance Web Interface Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=40003 *** EMC Documentum WebTop Lets Remote Users Redirect the Target User to an Arbitrary Site *** --------------------------------------------- http://www.securitytracker.com/id/1032965 *** EMC Documentum CenterStage Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1032966 *** Eaton's Cooper Power Series Form 6 Control and Idea/IdeaPlus Relays with Ethernet Vulnerability *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on January 6, 2015, and is now being released to the ICS-CERT web site. This advisory provides mitigation details for a predictable TCP sequence vulnerability in Eaton's Cooper Power Systems Form 6 and Idea/IdeaPLUS relays with Ethernet application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-006-01 *** SSA-732541 (Last Update 2015-07-17): Denial-of-Service Vulnerability in SIPROTEC 4 *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** IBM Security Bulletins *** --------------------------------------------- IBM Vulnerability in Apache Tomcat may affect IBM WebSphere Application Server Community Edition (CVE-2014-0230) IBM Security Bulletin: Open Source Apache Tomcat vulnerability and vulnerability in Diffie-Hellman ciphers affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2014-0230, CVE-2014-7810, CVE-2015-4000) IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Sterling Secure Proxy and Sterling External Authentication Server (CVE-2015-0488, CVE-2015-1916, CVE-2015-2808, CVE-2015-0478, CVE-2015-0204) IBM Security Bulletin: Vulnerabilities in OpenSSL including Logjam affect Rational Application Developer for WebSphere Software (CVE-2015-4000, CVE-2015-1793) IBM Security Bulletin: Vulnerability in OpenSSL affects IBM SDK for Node.js (CVE-2015-1793) IBM Security Bulletin: Vulnerability in the Dojo Toolkit affects IBM Business Process Manager, which is shipped with IBM SmartCloud Orchestrator and IBM SmartCloud Orchestrator Enterprise (CVE-2014-8917) IBM Security Bulletin: Tivoli Workload Scheduler Distributed Potential Security vulnerabilities with IBM WebSphere Application Server (CVE-2015-1920) --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us

1 0

Tageszusammenfassung - Donnerstag 16-07-2015
by Daily end-of-shift report 16 Jul '15

16 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 15-07-2015 18:00 − Donnerstag 16-07-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** RC4 crypto: Get RID of it already, say boffins *** --------------------------------------------- This one simple attack busts WPA-TKIP in less than an hour ... As they explain here, the weakness of RC4 (inherited by systems using it) is based on biases in the RC4 keystream. The bias was already known, and is why vendors like Microsoft are working to deprecate it. Whats different in the new work is the acceleration of the cryptanalysis Vanhoef and Piessens carry out. --------------------------------------------- http://www.theregister.co.uk/2015/07/16/rc4_get_rid_of_it_already_say_boffi… *** RC4 in HTTPS & Verbreitung *** --------------------------------------------- RC4 gehört nicht zu den stärksten Verschlüsselungsmethoden, und sollte eigentlich nach RFC7465 (aktuell noch ein Draft) gar nicht mehr verwendet werden. Neue Angriffe ermöglichen im Nachhinein das entschlüsseln von sensitiven Informationen wie zum Beispiel Session cookies innerhalb von wenigen Tagen. In den letzten Wochen haben wir ca. 2 Millionen TLS Konfigurationen weltweit mittels dem Tool... --------------------------------------------- https://www.sba-research.org/2015/07/16/rc4-in-https-verbreitung/ *** Poodle-Nachspiel: Mace und weitere Lücken in TLS-Servern *** --------------------------------------------- Cisco, F5, Juniper, Fortinet: Ein Sicherheitsforscher hat eine Reihe von TLS-Servern entdeckt, die den sogenannten Message Authentication Code (MAC) von Verbindungen nicht prüfen. Andere Serverimplementierungen prüfen eine Checksumme am Ende des Handshakes nicht. --------------------------------------------- http://www.golem.de/news/poodle-nachspiel-mace-und-weitere-luecken-in-tls-s… *** Adobe's CVE-2015-5090 - Updating the Updater to become the bossman *** --------------------------------------------- Amongst the many bugs Adobe patched in July 2015, CVE-2015-5090 stands out as being worth a closer look. Adobe lists this vulnerability as a privilege escalation from low to medium integrity, but this doesn’t tell the whole story. In actuality, this bug can used to execute code with SYSTEM privileges, which could allow an attacker to completely take over a target. Since this affects the Adobe updater service, the bug exists in both Adobe Reader and Acrobat Pro. Both of these programs install the ARMSvc service (Updater) and both keep AdobeARM.exe/AdobeARMHelper.exe in c:\progra~1\common~1\Adobe\ARM\1.0. --------------------------------------------- http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Adobe-s-CVE-2015-509… *** Mozilla Winter of Security is back! *** --------------------------------------------- The first edition of MWoS was a success, and a lot of fun for students and mentors, so we decided to run it again this year. For the 2015 edition, we are proposing six projects that directly contribute to our most impactful security tools. Students will be able to work on digital forensics with MIG, SSL/TLS configurations with Menagerie, certificate management with LetsEncrypt, security visualization with MozDef, and web security scanning with OWASP ZAP. --------------------------------------------- https://blog.mozilla.org/security/2015/07/15/mozilla-winter-of-security-is-… *** Understanding PCI compliance fines: Who is in charge of enforcing PCI? *** --------------------------------------------- If your business stores, processes, or transmits data from payment cards, then you are subject to the requirements of the PCI DSS. This set of security controls is designed to help merchants combat da... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/--jT_s5xAyE/article.php *** Researchers prove HTML5 can be used to hide malware *** --------------------------------------------- A group of Italian researchers have come up with new obfuscation techniques that can be used to dupe malware detection systems and allow malicious actors to execute successful drive-by download attack... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/9k3wj_RIqQ8/malware_news.… *** Authentication Bypass Bug Hits Siemens Energy Automation Device *** --------------------------------------------- An authentication bypass vulnerability in a Siemens device that's used in energy automation systems could allow an attacker to gain control of the device. The vulnerability is in the Siemens SICAM MIC, a small telecontrol system that performs a number of functions and includes an integrated Web server and several other features. The devices consist of... --------------------------------------------- http://threatpost.com/authentication-bypass-bug-hits-siemens-energy-automat… *** Are smart infrastructures experts in cyber security? *** --------------------------------------------- [...] Prof. Helmbrecht said: “Currently there is no clear definition of cyber security for smart infrastructures at an EU level. It will be beneficial to increase information sharing and coordination for example on public transport. As new technologies and applications are developed, their security aspects also need to be developed from the design phase, allowing for improved services, user experience and safety in a connected online world”. --------------------------------------------- http://www.enisa.europa.eu/media/news-items/are-smart-infrastructures-exper… *** Bugtraq: ESA-2015-122: EMC Documentum CenterStage Cross-site Scripting Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/536014 *** Bugtraq: ESA-2015-123: EMC Documentum WebTop Open Redirect Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/536015 *** IBM Security Bulletins *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us *** Cisco WebEx Meetings Server Remote Code Execution Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39938 *** Cisco Unified Intelligence Center Cross-Site Request Forgery Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39920 *** Cisco Email Security Appliance Malformed DMARC Policy Records File Modification Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39940 *** Oracle Critical Patch Update Advisory - July 2015 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html *** Oracle Critical Patch Update - July 2015 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html *** Solaris Third Party Bulletin - July 2015 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.h…

1 0

Tageszusammenfassung - Mittwoch 15-07-2015
by Daily end-of-shift report 15 Jul '15

15 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 14-07-2015 18:00 − Mittwoch 15-07-2015 18:00 Handler: Robert Waldner Co-Handler: Otmar Lendl *** July 2015 Security Updates *** --------------------------------------------- Today we released security updates for Microsoft Windows, Microsoft Office, Microsoft SQL Server, and Internet Explorer. As a best practice, we encourage customers to apply security updates as soon as they are released. For more information about this month's security updates and advisories visit the Security TechNet Library. You can also follow the Microsoft Security Response Center (MSRC) team on Twitter at @MSFTSecResponse MSRC Team --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2015/07/14/july-2015-security-updat… https://technet.microsoft.com/en-us/library/security/MS15-JUL *** TA15-195A: Adobe Flash and Microsoft Windows Vulnerabilities *** --------------------------------------------- Original release date: July 14, 2015 Systems Affected Microsoft Windows systems with Adobe Flash Player installed. Overview Used in conjunction, recently disclosed vulnerabilities in Adobe Flash and Microsoft Windows may allow a remote attacker to execute arbitrary code with system privileges. Since attackers continue to target and find new vulnerabilities in popular, Internet-facing software, updating is not sufficient, and it is important to use exploit mitigation and other defensive --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA15-195A *** Microsoft Patch Tuesday July 2015 *** --------------------------------------------- Julys Patch Tuesday is here and brings with it a rather large 14 bulletins with 4 Critical and 10 Important rated patches. All combined this months release patches 59 vulnerabilities 29 of which are in the old stalwart Internet Explorer.... --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Patch-Tuesday-July… *** Adobe, MS, Oracle Push Critical Security Fixes *** --------------------------------------------- This being the second Tuesday of the month, its officially Patch Tuesday. But its not just Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java. --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/GZ70l-ulAqw/ *** Oracle Critical Patch Update dichtet 193 Lücken ab *** --------------------------------------------- Wie üblich bei Oracles quartalsweisen Updates stopft die Firma massenweise Lücken in fast allen ihrer Produkte. Sogar die Ghost-Lücke vom Januar feiert ein Comeback. Besonders die Updates für Java und MySQL sollten baldigst installiert werden. --------------------------------------------- http://heise.de/-2750641 *** Microsoft Ends Support for Windows Server 2003, Migration a Must *** --------------------------------------------- End-of-life fun times are coming to infosec departments everywhere again. Just a year after the announcement of Windows XP's end-of-life, we see another body in the OS graveyard: Windows Server 2003. After July 14th, servers running this venerable OS will no longer be receiving any more security updates. This would leave you out in the cold --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/sr3phsOSoFM/ *** Microsoft Security Essentials is no longer available for Windows XP *** --------------------------------------------- We strongly recommend that you complete your migration to a supported operating system as soon as possible so that you can receive regular security updates to help protect your computer from malicious attacks. --------------------------------------------- http://windows.microsoft.com/en-us/windows/security-essentials-download?os=… *** Cisco Packet Data Network Gateway IP Stack Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39907 *** Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39872 *** Unit 42 Technical Analysis: Seaduke *** --------------------------------------------- Earlier this week Symantec released a blog post detailing a new Trojan used by the "Duke" family of malware. Within this blog post, a payload containing a function named "forkmeiamfamous" was mentioned. While performing some ... --------------------------------------------- http://feedproxy.google.com/~r/PaloAltoNetworks/~3/y_CGsjS6Bio/ *** An In-Depth Look at How Pawn Storm's Java Zero-Day Was Used *** --------------------------------------------- Operation Pawn Storm is a campaign known to target military, embassy, and defense contractor personnel from the United States and its allies. The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns. Over the past year or so, we have seen numerous techniques and tactics --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/gJtU9nel0NM/ *** Hideouts for Lease: The Silent Role of Bulletproof Hosting Services in Cybercriminal Operations *** --------------------------------------------- What do LeaseWeb, Galkahost, and Spamz have in common? All of them, at one point or another, have functioned as cybercriminal hideouts in the form of bulletproof hosting services (BPHS). Simply put, BPHS is any hosting facility that can store any type of malicious content like phishing sites, pornography, and command-and-control (C&C) infrastructure. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Ojxl_6lsUjU/ *** DFN-CERT-2015-1068/ BlackBerry Link: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1068/ *** Rootkits: User Mode *** --------------------------------------------- In this article, we will learn about what rootkits are and how they operate. The focus will be on two types of Rootkits exploits: User Mode & Kernel Mode, what are the various ways in which rootkits exploit in both modes. --------------------------------------------- http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-1/ *** Rootkits: Kernel Mode *** --------------------------------------------- We have learned in part one of this series about the Rootkits and how they operate in User Mode, in this part of the series we will up the ante and look at the other part where rootkits operate, i.e. Kernel Mode. --------------------------------------------- http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-2/ *** Rootkits: User Mode & Kernel Mode-Part 2 *** --------------------------------------------- We have learned in part one of this series about the Rootkits and how they operate in User Mode, in this part of the series we will up the ante and look at the other part where rootkits operate, i.e. Kernel Mode. --------------------------------------------- http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-2/ *** FBI paid Hacking Team to identify Tor users *** --------------------------------------------- Documents leaked online after the Hacking Team data breach revealed that the company supported the FBI in the investigation on Tor users. While the security experts are continuing to analyze the impressive amount of data stolen from the Hacking Team, new revelation are circulating over the Internet. Among the clients of the Italian security firm, there ... --------------------------------------------- http://securityaffairs.co/wordpress/38601/cyber-crime/fbi-hacking-team-tor.… *** Government Grade Malware: a Look at HackingTeam's RAT *** --------------------------------------------- We have our hands on the code repositories of HackingTeam, and inside of them we've found the source code for a cross-platform, highly-featured, government-grade RAT (Remote Access Trojan). It's rare that we get to do analysis of complex malware at the source-code level, so I couldn't wait to write a blog about it! --------------------------------------------- http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hacki… *** Epic Games, Epic Fail: Forumers info blown into dust by hack *** --------------------------------------------- Company sorry for the inconvenience caused. Great Epic Games, known for its Unreal Engine and the Games of War series, sent a grovelling letter to its forum users this morning explaining that a hack "may have resulted in unauthorised access to your username, email address, password, and the date of birth you provided at registration." --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/07/15/epic_games_… *** Details on Internet-wide Scans from SBA *** --------------------------------------------- To clarify what we are scanning on the Internet, here are some details on the project and which tools we use. Most importantly: if you want your IP to be excluded from future scans, please send an email to abuse(a)sba-research.org. For quite some time now we scan Internet-wide for well-known ports that use TLS, most ... --------------------------------------------- https://www.sba-research.org/2015/07/15/details-on-internet-wide-scans-from…

1 0

Tageszusammenfassung - Dienstag 14-07-2015
by Daily end-of-shift report 14 Jul '15

14 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 13-07-2015 18:00 − Dienstag 14-07-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Been hacked? Now to decide if you chase the WHO or the HOW *** --------------------------------------------- Imagine a security researcher has plucked your customer invoice database from a command and control server. Youre nervous and angry. Your boss will soon be something worse and will probably want you to explain who pulled off the heist, and how. But only one of these questions, the how, is worth your precious resources; security experts say the who is an emotional distraction. --------------------------------------------- http://www.theregister.co.uk/2015/07/14/attribution_feature/ *** Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems *** --------------------------------------------- Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets' systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running. They have written a procedure specifically for Insyde BIOS (a very popular BIOS vendor for laptops). However, the code can very likely work on AMI BIOS as well. A Hacking Team slideshow... --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-use… *** Lowering Defenses to Increase Security *** --------------------------------------------- Starting at WhiteHat was a career change for me. I wasn't sure exactly what to expect, but I knew there was a lot of unfamiliar terminology: "MD5 signature", "base64", "cross-site request forgery", "'Referer' header", to name a few. When I started testing real websites, I was surprised that a lot of what I was doing... --------------------------------------------- https://blog.whitehatsec.com/lowering-defenses-to-increase-security/ *** Adobe Updates Flash Player, Shockwave and PDF Reader, (Tue, Jul 14th) *** --------------------------------------------- In a warm up to patch Tuesday, it looks like we have a new version for Adobe Flash Player, Shockwave Player and PDF Reader. Given that some of the exploits against the vulnerabilities patchedare public, you may want to expedite patching and review your Flash Player and browser configuration. the latest (patched) versions are (thanks Dave!): - FlashPlayer 18.0.0.209 - Flash Player EST 13.0.0.305 - Reader 10.1.15 - Reader 11.0.12 - Shockwave Player">12.1.9.159 Bulletins: --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19917&rss *** Adobe: Look, honestly, we really do take Flash security seriously *** *** Mozilla: Right, THATS IT. You, Flash, behind the shed with me. *snick snack* *** *** FLASH MUST DIE, says Facebook security chief *** --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/adobe_respo… http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/firefox_blo… http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/facebook_fl… *** Security Bulletins Posted *** --------------------------------------------- Security Bulletins for Adobe Acrobat and Reader (APSB15-15), Adobe Shockwave Player (APSB15-17) and Adobe Flash Player (APSB15-18) have been published. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1247 *** SSA-632547 (Last Update 2015-07-14): Authentication Bypass Vulnerability in SICAM MIC *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** VU#919604: Kaseya Virtual System Administrator contains multiple vulnerabilities *** --------------------------------------------- Vulnerability Note VU#919604 Kaseya Virtual System Administrator contains multiple vulnerabilities Original Release date: 13 Jul 2015 | Last revised: 13 Jul 2015 Overview Kaseya Virtual System Administrator (VSA), versions R9 and possibly earlier, contains arbitrary file download and open redirect vulnerabilities. Description CWE-22: Improper Limitation of Pathname to a Restricted Directory (Path Traversal) - CVE-2015-2862Kaseya VSA is an IT management platform with a help desk ticketing --------------------------------------------- http://www.kb.cert.org/vuls/id/919604 *** Cisco Vulnerability Alerts *** --------------------------------------------- *** Cisco Identity Services Engine Cross-Frame Scripting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39871 *** Cisco TelePresence Integrator C Series Multiple Request Parameter Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39880 *** Cisco Identity Services Engine Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39873 *** Cisco Unified Communications Manager Denial of Service Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39877 *** Cisco FireSIGHT Management Center Cross-Site Scripting Vulnerabilities *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39879 *** Cisco Unified Communications Manager ccmivr Page Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39905 *** IBM Security Bulletins *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us *** Moodle Bugs Permit Cross-Site Scripting and Open Redirect Attacks and Let Remote Authenticated Users Modify Data *** --------------------------------------------- http://www.securitytracker.com/id/1032877 *** F5 Security Advisory: Multiple PHP CDF vulnerabilities CVE-2014-0237 and CVE-2014-0238 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16954.htm… *** DFN-CERT-2015-1009: Django: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1009/

1 0

Tageszusammenfassung - Montag 13-07-2015
by Daily end-of-shift report 13 Jul '15

13 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 10-07-2015 18:00 − Montag 13-07-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Government Grade Malware: a Look at HackingTeam's RAT *** --------------------------------------------- Security researchers the world over have been digging through the massive HackingTeam dump for the past five days, and what we've found has been surprising. I've heard this situation called many things, and there's one description that I can definitely agree with: it's like Christmas for hackers. "On the fifth day of Christmas Bromium sent to... --------------------------------------------- http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hacki… *** Pawn Storm Update: Trend Micro Discovers New Java Zero-Day Exploit *** --------------------------------------------- Analysis and data by Brooks Li (Threats Analyst) and Feike Hacquebord (Senior Threat Researcher) Zero-day exploits continued to be used in targeted attacks because they are effective, given that software vendors have yet to create patches for them. Throughout our on-going investigation and monitoring of a targeted attack campaign, Operation Pawn Storm, we found suspicious URLs that... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/5OzXdZhhVhc/ *** New Zero-Day Vulnerability (CVE-2015-5123) in Adobe Flash Emerges from Hacking Team Leak *** --------------------------------------------- After two Adobe Flash player zero-days disclosed in a row from the leaked data of Hacking Team, we discovered another Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123) that surfaced from the said leak. Adobe has already released a security advisory after we reported the said zero-day. This vulnerability is rated as critical and... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rV5yri4x48E/ *** Mit Windows 10 kommen Updates automatisch *** --------------------------------------------- Windows 10-Kunden können sich künftig nur noch sehr begrenzt aussuchen, wann sie ein Update erhalten. --------------------------------------------- http://futurezone.at/produkte/mit-windows-10-kommen-updates-automatisch/141… *** Jump List Files Are OLE Files, (Sun, Jul 12th) *** --------------------------------------------- Jump List files are another type of files that are actually OLE files. They can contain useful data for forensic investigations. There are a couple of tools that can extract information from these files. Here you can see oledump analyzing an automatic Jump List file: The stream DestList contains the Jump List data: There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files: The plugin takes an option... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19911&rss *** Identifying the five principal methods of network attacks *** --------------------------------------------- Companies are underestimating the risk of failing to provide security training to non-technical staff. A new Intel Security study, which surveyed IT decision makers in European-based companies, fo... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/gSbxVIXvO94/secworld.php *** Mobile SSL failures: More common than they should be *** --------------------------------------------- Securing your mobile application traffic is apparently more difficult than it should be, as researchers Anthony Trummer and Tushar Dalvi discovered when looking into SSL/TLS usage on the Android opera... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/dY8mHp2RDC4/article.php *** Identifying and exploiting IBM WebSphere Application Server *** --------------------------------------------- IBM WebSphere is application server similar to Tomcat, JBoss and WebLogic. Therefore, it should be interesting to any penetration tester doing enterprise scale work where Websphere might be present. It should be also interesting to anyone who is working on securing enterprise environment since Websphere allows deploying own (malicious or not) code to the server. I have written NSE scripts to identify IBM Websphere consoles of application servers and to brute force any usernames and passwords. I... --------------------------------------------- https://k0st.wordpress.com/2015/07/13/identifying-and-exploiting-ibm-websph… *** Start Secure 2015 - Sicherheits-Start-ups gesucht *** --------------------------------------------- Der Wettbewerb "Start Secure 2015" wird gemeinsam vom Innenministerium und der futurezone veranstaltet. Als Organisationspartner fungieren SBA Research, das die Sieger-Start-ups auf Wunsch auch als Inkubator bei der Investorensuche berät, sowie das Kuratorium Sicheres Österreich. --------------------------------------------- http://futurezone.at/thema/start-ups/sicherheits-start-ups-gesucht/139.420.… *** Common Assessment Tool Cheatsheets *** --------------------------------------------- I have an unhealthy obsession for time savers when im doing pentest work. Since a lot of my time is spent on the command line I love cheatsheets. I thought id use this thread to post some of the more awesome cheat sheets I find... --------------------------------------------- https://forum.bugcrowd.com/t/common-assessment-tool-cheatsheets/502 *** Tunneling Data and Commands Over DNS to Bypass Firewalls *** --------------------------------------------- No matter how tightly you restrict outbound access from your network, you probably allow DNS queries to at least one server. Adversaries can abuse this "hole" in your firewall to exfiltrate data and establish stealthy Command and Control (C2) channels that are very difficult to block. ... I am struggling to come up with a solution to plug this firewall "hole", but I have a few risk mitigation recommendations:... --------------------------------------------- https://zeltser.com/c2-dns-tunneling/ *** Google Photo App Uploads Your Images To Cloud, Even After Uninstalling *** --------------------------------------------- Have you ever seen any mobile application working in the background silently even after you have uninstalled it completely? I have seen Google Photos app doing the same. Your Android smartphone continues to upload your phone photos to Google servers without your knowledge, even if you have already uninstalled the Google Photos app from your device. Nashville Business... --------------------------------------------- http://feedproxy.google.com/~r/TheHackersNews/~3/yxF2id-ZsHg/google-photo-a… *** "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory *** --------------------------------------------- Low-profile information-stealing Trojan is used only against high-value targets --------------------------------------------- http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon… *** BGP Hijacking - why you need to care! *** --------------------------------------------- This came across our desk this morning when we were putting together Dragon News Bytes. There is lots of talk about what has been discovered in the recent reporting on the data dump from the Hacking Team incident. A lot of the reporting discusses the ethics of the company's services and whom they have been selling them to. Concentrating for a moment on the technology deployed in this activity, it is suggested that BGP hijacking was involved. This is described the article entitled... --------------------------------------------- https://blog.team-cymru.org/2015/07/bgp-hijacking-why-do-you-need-to-care/ *** Allerletzter Aufruf: Support fÜr Windows 2003 Server endet *** --------------------------------------------- Am 14. Juli ist endgÜltig Schluss. FÜr Windows 2003 Server liefert Microsoft keine Updates mehr aus, auch nicht bei Sicherheitsproblemen. Wobei auch hier zu gelten scheint: Ausnahmen bestÄtigen die Regel. --------------------------------------------- http://www.heise.de/newsticker/meldung/Allerletzter-Aufruf-Support-fuer-Win… *** Hacking Team 0-day Flash Wave with Exploit Kits *** --------------------------------------------- https://www.f-secure.com/weblog/archives/00002819.html *** New PHP Releases Fix BACRONYM MySQL Flaw *** --------------------------------------------- Several new versions of PHP have been released, all of which contain a number of bug fixes, most notably a patch for the so-called BACKRONYM vulnerability in MySQL. That bug in MySQL is caused by a problem with the way that the database software handles requests for secure connections. Researchers at Duo Security disclosed the... --------------------------------------------- http://threatpost.com/new-php-releases-fix-bacronym-mysql-flaw/113740 *** The Adobe Flash Conundrum: Old Habits Die Hard *** --------------------------------------------- Is it time to hop off the endless cycle of Flash vulnerabilities and updates? Last week has not been great for Adobe Flash. The 440GB of leaked Hacking Team emails has become a treasure trove for vulnerability hunters. Over the past 7 days, Flash was hit by three separate vulnerabilities: CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 At this time, only the... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/AmkybOPif7Y/ *** Bugtraq: ESA-2015-115: EMC RecoverPoint for Virtual Machines (VMs) Restriction Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/535981 *** Cisco Mobility Services Engine Control And Provisioning Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39825 *** Juniper Security Advisories *** --------------------------------------------- *** Juniper Junos IPv6 SEND Processing Flaw Lets Remote Users Deny Service *** http://www.securitytracker.com/id/1032849 *** Juniper Junos SRX Network Security Daemon Bug Lets Remote Users Deny Service *** http://www.securitytracker.com/id/1032848 *** Juniper Junos EX4600 and QFX Series Unspecified Flaw Lets Remote Users Deny Service *** http://www.securitytracker.com/id/1032847 *** Juniper Junos J-Web Bugs Let Remote Users Conduct Cross-Site Scripting and Denial of Service Attacks *** http://www.securitytracker.com/id/1032846 *** Bugtraq: [security bulletin] HPSBGN03373 rev.1 - HP Release Control running TLS, Remote Disclosure of Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/535983 *** Cisco WebEx Meeting Center Reflected Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39782 *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: Boost memory allocator vulnerability CVE-2012-2677 *** https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16946.htm… *** Security Advisory: Multiple SQLite vulnerabilities *** https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16950.htm… *** Security Advisory: Mailx vulnerabilities CVE-2004-2771 and CVE-2014-7844 *** https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16945.htm… *** Security Advisory: Expat vulnerabilities CVE-2012-0876 and CVE-2012-1148 *** https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16949.htm… *** Splunk Enterprise and Splunk Light Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1032859 *** Squid CONNECT Method Peer Response Processing Flaw Lets Remote Users Bypass Security Controls *** --------------------------------------------- http://www.securitytracker.com/id/1032873 *** PHP 5.x Security Updates, (Sun, Jul 12th) *** --------------------------------------------- PHP 5.6.11, 5.5.27 and 5.4.43 were updated fixing numerous bugs in the various components of PHP including CVE-2015-3152. PHP recommend testing and upgrading to the current release. The binaries and packages are available here and the release notes here. [1] http://www.php.net/ChangeLog-5.php [2] http://windows.php.net/download/ ----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19907&rss *** Joomla J2Store 3.1.6 SQL Injection *** --------------------------------------------- Topic: Joomla J2Store 3.1.6 SQL Injection Risk: Medium Text:J2Store v3.1.6, a Joomla! extension that adds basic store functionality to a Joomla! instance, suffered from two unauthenticate... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015070053 *** DFN-CERT-2015-0907 FreeRADIUS: Eine Schwachstelle ermÖglicht das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-0907/ *** DFN-CERT-2015-1030 strongSwan: Zwei Schwachstellen ermöglichen das Ausspähen von Informationen und Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1030/

1 0

Tageszusammenfassung - Freitag 10-07-2015
by Daily end-of-shift report 10 Jul '15

10 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 09-07-2015 18:00 − Freitag 10-07-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Multiple vulnerabilities in Cisco TelePresence products *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39798 http://tools.cisco.com/security/center/viewAlert.x?alertId=39802 http://tools.cisco.com/security/center/viewAlert.x?alertId=39801 http://tools.cisco.com/security/center/viewAlert.x?alertId=39795 http://tools.cisco.com/security/center/viewAlert.x?alertId=39796 http://tools.cisco.com/security/center/viewAlert.x?alertId=39800 http://tools.cisco.com/security/center/viewAlert.x?alertId=39797 *** VMSA-2015-0005 *** --------------------------------------------- VMware Workstation, Player and Horizon View Client for Windows do not set a discretionary access control list (DACL) for one of their processes. This may allow a local attacker to elevate their privileges and execute code in the security context of the affected process. --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2015-0005.html *** The Massive OPM Hack Actually Hit 21 Million People *** --------------------------------------------- The massive hack that struck the US Office of Personnel Management affected some 21.5 million people, all of them people who had information stolen about them from a backgrounds investigation database used for evaluating people who sought classified clearances from the government. --------------------------------------------- http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/ *** Yubikeys Zwei-Faktor-Authentifizierung unter Linux nutzen *** --------------------------------------------- Mit Hilfe des Yubikeys lässt sich eine verschlüsselte Systempartition unter Linux zusätzlich per Zwei-Faktor-Authentifizierung absichern. In dieser Kombination kann auch ein bequemeres Kennwort genutzt werden. --------------------------------------------- http://www.golem.de/news/systemverschluesselung-yubikeys-zwei-faktor-authen… *** Magento-Patch: Update soll Kundendaten-Leck stopfen *** --------------------------------------------- Im Shop-System Magento klaffen Lücken, die es Angreifern erlauben, Admin-Konten zu kapern und Kundendaten auszulesen. Der Hersteller hat jetzt einen Patch veröffentlicht, der Abhilfe schaffen soll. --------------------------------------------- http://heise.de/-2747984 *** Hacking Team Shows the World How Not to Stockpile Exploits *** --------------------------------------------- Bank robber Willie Sutton’s famous line about why he robs banks—“because that’s where the money is”—was particularly apt this week after the Italian firm Hacking Team was hacked and at least two zero-day exploits the firm possessed were spilled to the public, along with about 400 gigabytes of company emails and other data. --------------------------------------------- http://www.wired.com/2015/07/hacking-team-shows-world-not-stockpile-exploit… *** Rootkits: User Mode & Kernel Mode - Part 1 *** --------------------------------------------- In this article, we will learn about what rootkits are and how they operate. The focus will be on two types of Rootkits exploits: User Mode & Kernel Mode, what are the various ways in which rootkits exploit in both modes. In this Part we will learn .. --------------------------------------------- http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-1/ *** Programmier-Tipps für die BIOS-Backdoor *** --------------------------------------------- Der Hacker Cr4sh erklärt, wie er eine Hintertür in die UEFI-Firmware eines Intel-Mainboards einbaut. Dabei zeigen sich einmal mehr kritische Lücken in der x86-Plattform, vor allem beim System Management Mode. --------------------------------------------- http://heise.de/-2748219

1 0

Tageszusammenfassung - Donnerstag 9-07-2015
by Daily end-of-shift report 09 Jul '15

09 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 08-07-2015 18:00 − Donnerstag 09-07-2015 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan... on July 1 *** --------------------------------------------- Earlier this week several vulnerabilities were disclosed as part of the leak of information from the Italian company Hacking Team. We've noted that this exploit is now in use by various exploit kits. However, feedback provided by the Smart Protection Network also indicates that this exploit was also used in limited attacks in Korea and Japan.... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Ys8noghmsHc/ *** Ding! Your RAT has been delivered *** --------------------------------------------- Talos is constantly observing malicious spam campaigns delivering various different types of payloads. Common payloads include things like Dridex, Upatre, and various versions of Ransomware. One less common payload that Talos analyzes periodically are Remote Access Trojans or RATs. A recently observed spam campaign was using freeware remote access trojan DarkKomet (a.k.a DarkComet). This isn't a novel approach since threat actors have been leveraging tools like DarkKomet or Hawkeye... --------------------------------------------- http://blogs.cisco.com/security/talos/darkkomet-rat-spam *** Finnland: 17-jähriger Botnetz-Betreiber verurteilt *** --------------------------------------------- Über 50.000 Rechner für ein Botnetz gekapert, DDoS-Attacken geritten und Kreditkartendaten geklaut: Ein 17-jähriger Finne, angeblich Mitglied der Hackergruppe Lizard Squad, wird zu zwei Jahren auf Bewährung verurteilt. --------------------------------------------- http://heise.de/-2745646 *** Detecting Random - Finding Algorithmically chosen DNS names (DGA), (Thu, Jul 9th) *** --------------------------------------------- Most normal user traffic communicates via a hostname and not an IP address. So looking at traffic communicating directly by IP with no associated DNS request is a good thing do to. Some attackers use DNS names for their communications. There is also malware such as Skybot and the Styx exploit kit that use algorithmically chosen host name rather than IP addresses for their command and control channels. This malware uses what has been called DGA or Domain Generation Algorithms to create random... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19893&rss *** Happy Video Game Day 2015 *** --------------------------------------------- Gamers are being targeted more and more by malware, trojans, and keyloggers, especially those that participate in pay-to-play games and MMORPGs (Massively Multiplayer Online Role-Playing Game). Your accounts, personal identity, banking information and even credit card numbers can be stolen if you are playing without a cyber-security solution. The PC gaming market is increasing rapidly and is expected to reach $30.9 Billion in 2016, and with that, the targets are getting bigger and more... --------------------------------------------- http://www.webroot.com/blog/2015/07/08/happy-video-game-day-2015 *** Cisco PSIRT reporting Customers affected by ASA VPN DoS attacks, (Thu, Jul 9th) *** --------------------------------------------- Patch your firewalls! 2015-July-08 UPDATE:">Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19895&rss *** Sicherheitslücke: OpenSSL akzeptiert falsche Zertifikate *** --------------------------------------------- Ein OpenSSL-Update behebt eine kritische Sicherheitslücke. Mittels einiger Tricks kann ein Angreifer damit ein gewöhnliches Zertifikat zu einer Zertifizierungsstelle machen. Betroffen sind vor allem Clients. --------------------------------------------- http://www.golem.de/news/sicherheitsluecke-openssl-akzeptiert-falsche-zerti… *** OpenSSL CVE-2015-1793: Man-in-the-Middle Attack *** --------------------------------------------- As announced at the beginning of this week, OpenSSL has released the fix for CVE-2015-1793. --------------------------------------------- https://ma.ttias.be/openssl-cve-2015-1793-man-middle-attack/ *** OpenSSL Security Advisory [9 Jul 2015] *** --------------------------------------------- An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. (original advisory). Reported by Adam Langley and David Benjamin (Google/BoringSSL). --------------------------------------------- https://openssl.org/news/secadv_20150709.txt *** Administration Views - Critical - Information Disclosure - SA-CONTRIB-2015-132 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2015-132Project: Administration Views (third-party module)Version: 7.xDate: 2015-July-08Security risk: 15/25 ( Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureDescriptionAdministration Views module replaces overview/listing pages with actual views for superior usability.The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have --------------------------------------------- https://www.drupal.org/node/2529378

1 0

Tageszusammenfassung - Mittwoch 8-07-2015
by Daily end-of-shift report 08 Jul '15

08 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 07-07-2015 18:00 − Mittwoch 08-07-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Security Advisory for Adobe Flash Player (APSA15-03) *** --------------------------------------------- A Security Advisory (APSA15-03) has been published regarding a critical vulnerability (CVE-2015-5119) in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1223 *** Security Updates Available for Adobe Flash Player (APSB15-16) *** --------------------------------------------- A security bulletin (APSB15-16) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1228 *** Multiple vulnerabilities in Cisco products *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39675 http://tools.cisco.com/security/center/viewAlert.x?alertId=39643 http://tools.cisco.com/security/center/viewAlert.x?alertId=39641 http://tools.cisco.com/security/center/viewAlert.x?alertId=39623 *** CVE-2015-5119 (HackingTeam 0d - Flash up to 18.0.0.194) and Exploit Kits *** --------------------------------------------- http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxx… *** When ‘int’ is the new ‘short’ *** --------------------------------------------- This is going to be a quick post, just describing a particularly interesting Chrome issue that I found last month; how I found it; and what is interesting about it�I was looking through some Chrome networking code; and I noticed an interesting API design .. --------------------------------------------- http://googleprojectzero.blogspot.com/2015/07/when-int-is-new-short.html *** Windows 10 kann WLAN-Passwörter an Kontakte verteilen *** --------------------------------------------- In Windows 10 lässt sich das WLAN-Passwort automatisch an Facebook-Freunde oder Skype-Kontakte verteilen. Das erspart das lästige Diktieren von Kennwörtern bei Besuch, bringt aber auch Risiken mit sich. --------------------------------------------- http://www.golem.de/news/it-sicherheit-windows-10-kann-wlan-passwoerter-an-… *** Schwachstelle in Nameserversoftware BIND 9 *** --------------------------------------------- Ein Angreifer, der einen Nameserver mit aktivierter DNSSEC-Validierung dazu bringen kann, eine Zone mit speziellem Inhalt abzufragen, kann den Nameserver zum Absturz bringen. --------------------------------------------- https://cert.at/warnings/all/20150708.html *** "Zero-Day"-Sicherheitslücke in Adobe Flash Player (aktiv ausgenützt) - Patches jetzt verfügbar *** --------------------------------------------- Durch Ausnutzen dieser Lücke kann ein Angreifer vermutlich vollständige Kontrolle über betroffene Systeme erlangen. Damit sind alle Daten auf diesen Systemen, sowie alle durch diese erreichbaren (etwa durch Login, VPN etc.) Daten und Systeme gefährdet. --------------------------------------------- https://cert.at/warnings/all/20150708-2.html *** Dyre Banking Trojan Exploits CVE-2015-0057 *** --------------------------------------------- CVE-2015-0057 is a Use-After-Free vulnerability that exists in the win32k.sys component of the Windows Kernel which can be exploited to perform local privilege escalation. The vulnerability was reported to Microsoft by Udi Yavo, and, after the patch .. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.ht… *** Prenotification: Upcoming Security Updates for Adobe Acrobat and Reader (APSB15-15) *** --------------------------------------------- A prenotification security advisory has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, July 14, 2015. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1232 *** Wild Neutron – Economic espionage threat actor returns with new tricks *** --------------------------------------------- A powerful threat actor known as “Wild Neutron” (also known as “Jripbot” and “Morpho”) has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware. --------------------------------------------- https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-…

1 0

Tageszusammenfassung - Dienstag 7-07-2015
by Daily end-of-shift report 07 Jul '15

07 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 06-07-2015 18:00 − Dienstag 07-07-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Security Advisory: BIG-IQ remote authentication vulnerability CVE-2015-4637 *** --------------------------------------------- When remote authentication is configured on the BIG-IQ system for a LDAP server that allows anonymous BIND operations, a unauthenticated user may obtain an authentication token from the REST API for any known (or guessed) LDAP user account and will receive all the access and privileges of that user account for REST API calls. (CVE-2015-4637) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/16000/800/sol16861.htm… *** Fraudulent BatteryBot Pro App Yanked from Google Play *** --------------------------------------------- A malicious Android app spoofing the popular BatteryBot Pro app has been pulled from Google Play. Researchers at Zscaler reported the app, which had a package name of com.polaris.BatteryIndicatorPro. The app requested excessive permissions from the user in an attempt to get full control of an .. --------------------------------------------- http://threatpost.com/fraudulent-batterybot-pro-app-yanked-from-google-play… *** Malvertisement - A Nuclear EK Tale *** --------------------------------------------- Over the past couple of years delivering malware via advertisements, or "malvertisement," has become one of the most popular methods of distribution for exploit kits. Like most trends in the world of Internet security, the longer it endures - the .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Malvertisement-%e2%80%9… *** Social Engineering - A Case Study *** --------------------------------------------- In this article, I am going to illustrate a real life social engineering hack that I did it for my friend. My friend saw some property ads on internet. He filled the query form for that ad, and after a day he got a call fraudulent call .. --------------------------------------------- http://resources.infosecinstitute.com/social-engineering-a-case-study/ *** Two major IT-Security Myths debunked *** --------------------------------------------- There are two statements G DATA’s security experts hear and read time and again: “I do not surf on porn websites, my computer can’t get infected” as well as “my computer does not hold anything valuable and I have nothing to hide – why should I be a target?” It would be a pleasure to confirm this, but, unfortunately, we do not live in an ideal world. The company’s latest Malware Report underlines why such sentences should be regarded as myths and IT-Security is important for everyone. --------------------------------------------- https://blog.gdatasoftware.com/blog/article/two-major-it-security-myths-deb… *** NewStatPress <= 1.0.4 - Reflected Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8081 *** NewStatPress <= 1.0.4 - SQL Injection *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8080 *** Safer Internet *** --------------------------------------------- Anna is the director of a small kindergarten in Zurich. To give the kindergarten a home on the Internet, she registered a domain name and put up a website where parents can get up-to-date information about the kindergarten. A friend .. --------------------------------------------- http://securityblog.switch.ch/2015/07/07/safer-internet/ *** Kritischer OpenSSL-Patch voraus *** --------------------------------------------- Mit einer kurzen Notiz verkündet Mark J. Cox, dass man Donnerstag, den 9. Juli, ein Sicherheits-Update für OpenSSL veröffentlichen wolle. Dies sei der höchsten Sicherheitsstufe zuzurechnen (high). Das bedeutet, dass gängige Konfigurationen betroffen sind und die Lücke sich wahrscheinlich ausnutzen lässt, um Denial-of-Service-Angriffe durchzuführen, Daten zu klauen oder sogar betroffene System zu kapern. --------------------------------------------- http://heise.de/-2739804 *** Landeskriminalamt Salzburg warnt vor gefälschten Paketdienst-E-Mails *** --------------------------------------------- In Salzburg sind derzeit verstärkt Internet-Betrüger aktiv. Die Polizei warnt akut vor gefälschten E-Mails im Namen bekannter Paketdienste, die vorgeben, dass eine Postsendung unterwegs sei. Über einen Link könne man den aktuellen Paketstatus abrufen. Ein Klick darauf installiert in Wirklichkeit aber die Schadsoftware "CryptoLocker", welche die auf der Festplatte gespeicherten Daten verschlüsselt. --------------------------------------------- http://derstandard.at/2000018700461 *** Fuzzing: Auf Fehlersuche mit American Fuzzy Lop *** --------------------------------------------- Programme testweise mit massenhaft fehlerhaften Daten zu füttern, ist eine effektive Methode, um Fehler zu finden. Das sogenannte Fuzzing ist schon seit Jahrzehnten bekannt, doch bessere Tools und einige spektakuläre Funde von Sicherheitslücken haben zuletzt das Interesse daran erneut geweckt. --------------------------------------------- http://www.golem.de/news/fuzzing-auf-fehlersuche-mit-american-fuzzy-lop-150… *** New Android Malware Family Evades Antivirus Detection by Using Popular Ad Libraries *** --------------------------------------------- Unit 42 discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. We named this malware family 'Gunpoder' based on the main malicious component name, .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2015/07/new-android-malware-fami… *** Hacked Hacking Team *** --------------------------------------------- Wie ja seit gestern gross durch die diversen Medien getrommelt wird (siehe etwa heise.de, derstandard.at), wurde das Unternehmen "Hacking Team" anscheinend selbst Opfer eines Angriffs. In den dabei geleakten Daten sind auch etliche Hinweise auf bislang unbekannte Exploits ("0-days") zu finden. Leider fehlt uns die Kapazität, die gesamten geleakten Daten (gut 160.000 Dateien mit insg. rund 400GB!) in endlicher Zeit selbst zu analysieren, daher müssen wir uns dabei auf die Community verlassen. --------------------------------------------- http://www.cert.at/services/blog/20150707141314-1556.html *** Attack of the Zombie Orkut Phishing Pages *** --------------------------------------------- Sometimes long dead websites are targeted by phishing pages. When those sites made use of single sign-on, the danger will never quite go away. Orkut may be gone, but the fake login pages persist .. --------------------------------------------- https://blog.malwarebytes.org/fraud-scam/2015/07/attack-of-the-zombie-orkut…

1 0

Tageszusammenfassung - Montag 6-07-2015
by Daily end-of-shift report 06 Jul '15

06 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 03-07-2015 18:00 − Montag 06-07-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** [20150602] - Core - CSRF Protection *** --------------------------------------------- http://developer.joomla.org/security-centre/618-20150602-core-remote-code-e… *** [20150601] - Core - Open Redirect *** --------------------------------------------- http://developer.joomla.org/security-centre/617-20150601-core-open-redirect… *** This 20-year-old Student Has Written 100 Malware Programs in Two Years *** --------------------------------------------- Security firm Trend Micro has identified a 20-year-old Brazilian college student responsible for developing and distributing over 100 Banking Trojans selling each for around .. --------------------------------------------- http://thehackernews.com/2015/07/student-hacker.html *** A .BUP File Is An OLE File *** --------------------------------------------- Yesterday I mentioned that McAfee quarantine files on Windows (.BUP extension) are actually OLE files. Im going to write a couple of diary entries highlighting some file types that are OLE files, and .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19869 *** MMD-0036-2015 - KINS (or ZeusVM) v2.0.0.0 tookit (builder & panel) leaked. *** --------------------------------------------- The background KINS (or ZeusVM to be precised) v2.0.0.0 tookit (builder & panel) was leaked and spread all over the internet. On Jun 26th 2015 we were informed about this and after several internal discussion, considering that: "so .. --------------------------------------------- http://blog.malwaremustdie.org/2015/07/mmd-0036-2015-kins-or-zeusvm-v2000.h… *** A fileless Ursnif doing some POS focused reco *** --------------------------------------------- http://malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.… *** BizCN gate actor changes from Fiesta to Nuclear exploit kit *** --------------------------------------------- Introduction An actor using gates registered through BizCN recently switched from Fiesta to Nuclear exploit kit (EK). This happened around last month, and we first noticed the change on 2015-06-15. I started writing about this actor in 2014 .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19875 *** Don't Be Fooled By Phony Online Reviews *** --------------------------------------------- The Internet is a fantastic resource for researching the reputation of companies with which you may wish to do business. Unfortunately, this same ease-of-use can lull the unwary into falling for marketing scams originally perfected .. --------------------------------------------- http://krebsonsecurity.com/2015/07/dont-be-fooled-by-phony-online-reviews/ *** Spionagefirma Hacking Team: "Feind des Internets" selbst gehackt *** --------------------------------------------- Die italienische Überwachungsfirma Hacking Team wurde selbst Opfer eines massiven Hacks: Eindringlinge konnten rund 480 GB an internen Daten übernehmen und diese als Download bereitstellen. Auch der Twitter-Account des Unternehmens wurde übernommen und in "Hacked Team" umbenannt. Die veröffentlichten Informationen .. --------------------------------------------- http://derstandard.at/2000018630550 *** Blue-Pill-Lücke in Xen geschlossen *** --------------------------------------------- In der langen Liste der Sicherheits-Verbesserungen von Xen 4.5.1 finden sich auch eine Lücke, die den Ausbruch aus einer virtuellen Maschine erlaubt - und ein geheimnisvoller, noch undokumentierte Eintrag. --------------------------------------------- http://heise.de/-2736158 *** ManageEngine Password Manager Pro 8.1 SQL Injection *** --------------------------------------------- An authenticated user (even the guest user) is able to execute arbitrary SQL code using a forged request to the SQLAdvancedALSearchResult.cc. The SQL query is build manually and is not escaped properly in the AdvanceSearch.class of AdventNetPassTrix.jar. --------------------------------------------- http://cxsecurity.com/issue/WLB-2015070020 *** Insider Threats Defined *** --------------------------------------------- According to the second annual SANS survey on the security of the financial services sector, the number one threat companies are concerned about doesn’t relate to nation-states, organised criminal gangs or ‘APTs’. Rather the main worry revolves around insider threats – but what exactly is an insider threat and what can be done to detect and respond to these threats? --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/insider-threats-defined *** How to Deal with Reverse Domain Name Hijacking *** --------------------------------------------- The fact that one owns a trademark which is identical or confusingly similar to a domain name does not necessarily mean that she is entitled to that domain name. For .. --------------------------------------------- http://resources.infosecinstitute.com/how-to-deal-with-reverse-domain-name-… *** Rätselaufgaben gegen DDoS-Angriffe auf TLS *** --------------------------------------------- Ein Akamai-Mitarbeiter beschreibt, wie mit einfachen Rechenaufgaben DDoS-Angriffe durch Clients auf TLS-Verbindungen minimiert werden könnten. Die Idee ist zwar noch ein Entwurf, könnte aber als Erweiterung für TLS 1.3 standardisiert werden. --------------------------------------------- http://www.golem.de/news/ietf-raetselaufgaben-gegen-ddos-angriffe-auf-tls-1… *** AWS Best Practices for DDoS Resiliency (PDF) *** --------------------------------------------- http://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf *** No one expect command execution ! *** --------------------------------------------- Unix is a beautiful world where your shell gives you the power of launching any command you like. But sometimes, command can be used to launch another commands, and thats sometimes unexpected. --------------------------------------------- http://0x90909090.blogspot.fr/2015/07/no-one-expect-command-execution.html

1 0

Tageszusammenfassung - Freitag 3-07-2015
by Daily end-of-shift report 03 Jul '15

03 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 02-07-2015 18:00 − Freitag 03-07-2015 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Security Advisory: PHP vulnerability CVE-2015-4024 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/16000/800/sol16826.html *** Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving *** --------------------------------------------- Since the Angler Exploit Kit began pushing the latest version of Cryptowall ransomware, the kit has gone to great lengths to evade detection from IDS and other security technologies. The latest tactic is an almost-daily change to URL patterns used by the kit in HTTP GET requests for the Angler landing .. --------------------------------------------- http://it.slashdot.org/story/15/07/02/1829244/angler-exploit-kit-evasion-te… *** Plex: Foren des Media Servers gehackt *** --------------------------------------------- Unbekannten Angreifern ist es offenbar gelungen das zum Service gehörige Forum zu hacken, und Zugriff auf sensible Daten zu erhalten. Neben Mail-Adressen sollen dabei auch Passwort-Hashes, private Nachrichten und IP-Adressen abgegriffen worden sein. ... So wurden alle betroffenen User mittlerweile per .. --------------------------------------------- http://derstandard.at/2000018475799/Plex-Foren-des-Media-Servers-gehackt *** Cisco Adaptive Security Appliance Software OSPFv2 Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39612 *** DSA-3299 stunnel4 - security update *** --------------------------------------------- Johan Olofsson discovered an authentication bypass vulnerability inStunnel, a program designed to work as an universal SSL tunnel fornetwork daemons. When Stunnel in .. --------------------------------------------- https://www.debian.org/security/2015/dsa-3299 *** REcon Recap: Here's What Caught My Eye *** --------------------------------------------- A few weeks ago I was fortunate enough to attend REcon in Montreal, Canada. This conference focuses on reverse engineering and exploitation techniques and has been .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2015/07/recon-recap/ *** WordPress File Upload <= 2.7.6 - Multiple Vulnerabilities *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8070 *** Sicherheitsrisiko: LGs Update-App für Smartphones ist anfällig *** --------------------------------------------- Smartphones von LG sind aufgrund einer schlecht umgesetzten SSL-Verschlüsselung anfällig für Man-in-the-Middle-Attacken. Offenbar weiß der Hersteller schon länger davon, ein Patch soll das Problem beheben - auf manchen Geräten ist dieser aber noch nicht angekommen. --------------------------------------------- http://www.golem.de/news/sicherheitsrisiko-lgs-update-app-fuer-smartphones-… *** Viele VPNs plaudern wahre Identität ihrer Nutzer aus *** --------------------------------------------- Forscher finden grobe Implementationsprobleme - IPv6 und DNS-Abfragen unterwandern Sicherheit --------------------------------------------- http://derstandard.at/2000018498920 *** Mozilla: Firefox 39 schmeisst alte Krypto raus *** --------------------------------------------- SSLv3 ist aus Firefox 39 endgültig entfernt worden, und RC4 ist nur noch temporär für einige wenige Seiten erlaubt. Das Mozilla-Team erweitert den Schutz des Browsers vor Malware, daneben gibt es noch viele kleinere Neuerungen. --------------------------------------------- http://www.golem.de/news/mozilla-firefox-39-schmeisst-alte-krypto-raus-1507… *** Kovter AdFraud is updating Flash Player (and Internet Explorer) *** --------------------------------------------- Checking my systems I noticed multiple VM trying to grab last version of Flash and thought they were not properly setup allowing Flash Player to auto-update (which we do not want obviously - we want to keep them exploitable and also avoid behavioural/network noise). --------------------------------------------- http://malware.dontneedcoffee.com/2015/07/kovter-adfraud-is-updating-flash-… *** l+f: Noch mehr Hintertüren bei Cisco *** --------------------------------------------- http://heise.de/-2734480 *** Apple: EFI-Sicherheits-Update nicht für ältere Macs *** --------------------------------------------- Das Sicherheits-Update, das eine mögliche Modifikation der Firmware verhindert, steht zwar für ältere OS-X-Versionen zur Verfügung – lässt sich jedoch nur auf jüngeren Macs installieren. --------------------------------------------- http://heise.de/-2735051

1 0

Tageszusammenfassung - Donnerstag 2-07-2015
by Daily end-of-shift report 02 Jul '15

02 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 01-07-2015 18:00 − Donnerstag 02-07-2015 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Attackers Revive Deprecated RIPv1 Routing Protocol in DDoS Attacks *** --------------------------------------------- An advisory from Akamai warns of a recent reflection style DDoS attack in which the deprecated RIPv1 routing protocol was leveraged against targets. --------------------------------------------- http://threatpost.com/attackers-revive-deprecated-ripv1-routing-protocol-in… *** EMC Documentum D2 Input Validation Flaw Lets Remote Authenticated Users Obtain Potentially Sensitive Information *** --------------------------------------------- A remote authetnicated user can send specially crafted data to inject data query language (DQL) commands and obtain potentially sensitive information from the database on the target system. ... The D2CenterstageService.getComments method is affected [CVE-2015-0547]. ... The D2DownloadService.getDownloadUrls method is affected [CVE-2015-0548]. --------------------------------------------- http://www.securitytracker.com/id/1032769 *** Updated Point-to-Point Encryption standard now provides more flexibility *** --------------------------------------------- The Payment Card Industry Security Standards Council (PCI SSC) published an important update to one of its eight security standards, simplifying the development and use of Point-to-Point Encryption (P2PE) solutions that make payment card data unreadable and less valuable to criminals if stolen in a breach. --------------------------------------------- http://www.net-security.org/secworld.php?id=18581 *** Final Year Dissertation Paper Release: An Evaluation of the Effectiveness of EMET 5.1 *** --------------------------------------------- My paper covers three separate exploits that I converted to try bypass EMET 5.1s protections as best I could and the techniques that I used to do so as well as how successful EMET 5.1 was at preventing me from exploiting the vulnerable programs. --------------------------------------------- http://tekwizz123.blogspot.co.at/2015/07/final-year-dissertation-paper-rele… *** ENISA's Udo Helmbrecht at EPP Hearing on cybersecurity *** --------------------------------------------- ENISA's Udo Helmbrecht participated at the EPP Hearing on data driven security, which took place today 1st July 2015, at the European Parliament in Brussels. Topics discussed included: Session I: New trends in digital technology developments and cyber threats to security Session II: Fighting crime: use of new technologies and use of data Session III: Cyber Security: ensuring security and safety on state and individual levels --------------------------------------------- http://www.enisa.europa.eu/media/news-items/enisa2019s-udo-helmbrecht-at-ep… *** How safe is the Windows 10 Wi-Fi sharing feature? *** --------------------------------------------- ... what worries security experts is the fact that it allows users to share access to their password-protected Wi-Fi networks with their Outlook.com contacts, Skype contacts, and Facebook friends. ... While this feature can come very handy, it could also open users to security risks. --------------------------------------------- http://www.net-security.org/secworld.php?id=18584 *** Cisco Security Advisories/Vulnerability Alerts *** --------------------------------------------- Cisco Unified Communications Domain Manager Default Static Privileged Account Credentials http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- Cisco Adaptive Security Appliance SNMP Denial of Service Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=39611 --------------------------------------------- Cisco Nexus Operating System Devices Command Line Interface Local Privilege Escalation Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=39583 --------------------------------------------- Cisco Digital Content Manager Message Processing Denial of Service Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=39556 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 1-07-2015
by Daily end-of-shift report 01 Jul '15

01 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 30-06-2015 18:00 − Mittwoch 01-07-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** What is Wi-Fi Sense and Why Does It Want Your Facebook Account? *** --------------------------------------------- Wi-Fi Sense is a feature built into Windows 10. You may see a pop-up saying "Wi-Fi Sense needs permission to use your Facebook account." It also works with Outlook.com and Skype contacts. This feature allows you to share Wi-Fi login information - network names and passphrases - with your friends. It's designed to automatically connect Windows 10 devices to shared networks. ... Wi-Fi Sense was originally a Windows Phone 8.1 feature that made the jump to desktop PCs and tablets with Windows 10. --------------------------------------------- http://www.howtogeek.com/219700/what-is-wi-fi-sense-and-why-does-it-want-yo… *** EU-Kompromiss zu Meldepflichten bei Cyberangriffen steht *** --------------------------------------------- Betreiber "wesentlicher" Infrastrukturen und Dienste in der EU müssen bald Cyberangriffe melden, für Digitalplattformen wie soziale Netzwerke sollen abgestufte Regeln gelten. Darauf haben sich EU-Rat und Parlament geeinigt. --------------------------------------------- http://www.heise.de/newsticker/meldung/EU-Kompromiss-zu-Meldepflichten-bei-… *** Apple Patches Dozens of Flaws in iOS 8.4, OS X 10.10.4 *** --------------------------------------------- Apple has released new versions of iOS and OS X, both of which include a significant number of security patches, several for bugs that can lead to remote code execution and other serious issues. Version 8.4 of iOS contains fixes for more than 30 security vulnerabilities, including bugs in the iOS kernel, WebKit, and CoreText. --------------------------------------------- http://threatpost.com/apple-patches-dozens-of-flaws-in-ios-8-4-os-x-10-10-4… *** ZDI-15-275: (0Day) SolarWinds Storage Manager AuthenticationFilter Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SolarWinds Storage Manager. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-15-275/ *** TYPO3 CMS 6.2.14 and 7.3.1 released *** --------------------------------------------- We are announcing the release of the following TYPO3 CMS updates: TYPO3 CMS 6.2.14 LTS TYPO3 CMS 7.3.1 Both versions are maintenance releases and contain bug and security fixes. --------------------------------------------- http://www.typo3.org/news/article/typo3-cms-6214-and-731-released/ *** Apple gets around to fixing those 77 security holes in OS X Yosemite *** --------------------------------------------- Your OS X box can still be owned by, well, just about everything Apple has released a series of security updates to address 77 CVE-listed security vulnerabilities in OS X Yosemite. --------------------------------------------- http://www.theregister.co.uk/2015/06/30/apple_finally_gets_around_to_fixing… *** A third of iThings open to VPN-hijacking, app-wrecking attacks *** --------------------------------------------- Masques off: Researchers detail five ways to wreck Apple stuff A trio of FireEye researchers have reported twin app-demolishing iOS vulnerabilities Apple has partially fixed in its latest update that could wreck core apps such as the App Store and Settings. --------------------------------------------- http://www.theregister.co.uk/2015/07/01/masque_attack_ios_fireeye/ *** June 2015 Android malware review from Doctor Web *** --------------------------------------------- PRINCIPAL TRENDS IN JUNE - Activity of banking Trojans - Emergence of new downloader - Trojans Emergence of new Android ransomware - Growing number of SMS Trojans --------------------------------------------- http://news.drweb.com/show/?i=9511&lng=en&c=9 *** Cisco Vulnerability Alerts *** --------------------------------------------- Cisco Nexus Devices NX-OS Software Command-Line Interpreter Local Privilege Escalation Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=39569 --------------------------------------------- Cisco Nexus Devices Python Subsystem Local Privilege Escalation Vulnerabilities http://tools.cisco.com/security/center/viewAlert.x?alertId=39571 --------------------------------------------- Cisco Unified MeetingPlace SQL Injection Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=39570 --------------------------------------------- Cisco Nexus 7000 Devices Virtual Device Context Privilege Escalation Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=39568 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- IBM Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM WebSphere Application Server that shipped with WebSphere Enterprise Service Bus (CVE-2015-4000) http://www.ibm.com/support/docview.wss?uid=swg21961048 --------------------------------------------- IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects PowerKVM (CVE-2015-4000) http://www.ibm.com/support/docview.wss?uid=isg3T1022395 --------------------------------------------- IBM Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM WebSphere Application Server that shipped with WebSphere Enterprise Service Bus Registry Edition (CVE-2015-4000) http://www.ibm.com/support/docview.wss?uid=swg21961049 --------------------------------------------- IBM Security Bulletin: CICS Transaction Gateway for Multiplatforms http://www.ibm.com/support/docview.wss?uid=swg21903636 --------------------------------------------- IBM Security Bulletin: A security vulnerability in IBM WebSphere Application Server affects IBM Security Access Manager for Web version 7.0 software installations and IBM Tivoli Access Manager for e-business (CVE-2015-1920) http://www.ibm.com/support/docview.wss?uid=swg21960450 --------------------------------------------- IBM Security Bulletin: Multiple vulnerabilities in the FreeType library affect IBM Security Access Manager for Web http://www.ibm.com/support/docview.wss?uid=swg21960562 --------------------------------------------- IBM Security Bulletin: Multiple vulnerabilities in FreeType library affect IBM Security Access Manager for Mobile. http://www.ibm.com/support/docview.wss?uid=swg21958900 --------------------------------------------- IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Access Manager for Web http://www.ibm.com/support/docview.wss?uid=swg21960668 --------------------------------------------- IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Security Access Manager for Mobile. http://www.ibm.com/support/docview.wss?uid=swg21958903 --------------------------------------------- IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2013-7423) http://www.ibm.com/support/docview.wss?uid=swg21960456 --------------------------------------------- Vulnerabilities in NTPv4 affect AIX http://www.ibm.com/support/ --------------------------------------------- IBM Security Bulletin: Multiple cross-site scripting (XSS) vulnerabilities in IBM Dojo Toolkit affects IBM Case Manager (CVE-2014-8917) http://www.ibm.com/support/docview.wss?uid=swg21883851 --------------------------------------------- IBM Security Bulletin: PowerKVM is affected by a kexec-tools vulnerability (CVE-2015-0267) http://www.ibm.com/support/docview.wss?uid=isg3T1022407 --------------------------------------------- IBM Security Bulletin: Dual_EC_DRBG vulnerability and RC4 stream cipher vulnerability affect WebSphere Transformation Extender Secure Adapter Collection (CVE-2007-6755, CVE-2015-2808) http://www.ibm.com/support/docview.wss?uid=swg21959577 --------------------------------------------- IBM Security Bulletin: XSS vulnerability in Error dialog which can execute scripts injected into addressability and comments features that affects IBM Case Manager (CVE-2015-1979) http://www.ibm.com/support/docview.wss?uid=swg21959695 --------------------------------------------- IBM Security Bulletin: Vulnerabilities in OpenSSL including Logjam affect Sterling Connect:Express for UNIX (CVE-2015-4000, CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792) http://www.ibm.com/support/docview.wss?uid=swg21959308 --------------------------------------------- IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Cognos Command Center (CVE-2015-4000) http://www.ibm.com/support/docview.wss?uid=swg21960508 --------------------------------------------- IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects the Enterprise Common Collector component of the IBM Tivoli zEnterprise Monitoring Agent (CVE-2015-4000) http://www.ibm.com/support/docview.wss?uid=swg21960019 --------------------------------------------- IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM InfoSphere Optim Performance Manager (CVE-2015-4000) http://www.ibm.com/support/docview.wss?uid=swg21959591 --------------------------------------------- IBM Security Bulletin: JavaScript evaluation vulnerability in IBM Business Process Manager (CVE-2015-1961) http://www.ibm.com/support/docview.wss?uid=swg21959052 --------------------------------------------- IBM Security Bulletin: IBM Security Identity Manager Virtual Appliance affected by Java vulnerabilities (CVE-2015-0138 CVE-2015-0204 CVE-2015-1914 CVE-2015-2808 ) http://www.ibm.com/support/docview.wss?uid=swg21960515 --------------------------------------------- IBM Security Bulletin: Potential denial of service may affect IBM WebSphere Application Server shipped with IBM Tivoli Network Performance Manager (CVE-2015-1829) http://www.ibm.com/support/docview.wss?uid=swg21960364 --------------------------------------------- IBM Security Bulletin: PowerKVM is affected by a bind vulnerability (CVE-2015-1349) http://www.ibm.com/support/docview.wss?uid=isg3T1022295 --------------------------------------------- IBM Security Bulletin: PowerKVM is affected by a qemu vulnerability (CVE-2014-9718) http://www.ibm.com/support/docview.wss?uid=isg3T1022294 --------------------------------------------- IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Access Manager for Mobile (CVE-2015-0488, CVE-2015-0478, CVE-2015-1916) http://www.ibm.com/support/docview.wss?uid=swg21959597 --------------------------------------------- IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2013-7423) http://www.ibm.com/support/docview.wss?uid=swg21959604 --------------------------------------------- IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance v2 API unrestricted path traversal (CVE-2014-9493, CVE-2015-1195) http://www.ibm.com/support/docview.wss?uid=nas8N1020785 --------------------------------------------- IBM Security Bulletin: IBM PowerVC is impacted by Apache Qpid security vulnerabilities (CVE-2015-0203, CVE-2015-0223, CVE-2015-0224) http://www.ibm.com/support/docview.wss?uid=nas8N1020787 --------------------------------------------- IBM Security Bulletin: A cross-site scripting vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-1966) http://www.ibm.com/support/docview.wss?uid=swg21959068 --------------------------------------------- IBM Security Bulletin: A cross-site scripting vulnerability affects IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway (CVE-2015-1966) http://www.ibm.com/support/docview.wss?uid=swg21959071 --------------------------------------------- IBM Security Bulletin: XSS Vulnerability in IBM Jazz Foundation affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-0130) http://www.ibm.com/support/docview.wss?uid=swg21960407 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 30-06-2015
by Daily end-of-shift report 30 Jun '15

30 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 29-06-2015 18:00 − Dienstag 30-06-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** Windows kerberos ticket theft and exploitation on other platforms *** --------------------------------------------- I decided to take a look at how the kerberos tickets can be dumped from a Windows target and re-used on Linux. It was surprisingly easy to accomplish. --------------------------------------------- https://mikkolehtisalo.wordpress.com/2015/06/29/copying-windows-kerberos-ti… *** Why vulnerability disclosure shouldn't be a marketing tool *** --------------------------------------------- So now we have three approaches to vulnerability disclosure: full disclosure, responsible disclosure, and marketing disclosure. My concern with the latter is that by its very nature it will get more coverage in both the IT industry and mainstream media. ... In the cases where the vulnerability does affect the organization, the security team is called into action to remediate it, but this remediation may be based more on the impact the vulnerability has had on the news headlines rather than on the impact it actually may have on the environment, This results in already overstretched security teams being distracted from other core tasks. --------------------------------------------- http://www.net-security.org/article.php?id=2318 *** DSA-3297 unattended-upgrades - security update *** --------------------------------------------- It was discovered that unattended-upgrades, a script for automaticinstallation of security upgrades, did not properly authenticatedownloaded packages when the force-confold or force-confnew dpkg optionswere enabled via the DPkg::Options::* apt configuration. --------------------------------------------- https://www.debian.org/security/2015/dsa-3297 *** How Malware Campaigns Employ Google Redirects and Analytics, (Tue, Jun 30th) *** --------------------------------------------- The email message sent to the bank employee claimed that the sender received a wire transfer from the recipients organization and that the sender wanted to confirm that the payment went through without issues. The victim was encouraged to click a link that many people would considersafe, in part because it began with https://www.google.com/. How would you examine the nature of this email? Examining MSG and EML Files on Linux One way to analyze the suspicious message saved as an Outlook .msg file --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19843&rss *** Tearing Apart a Datto *** --------------------------------------------- Datto devices are becoming a popular backup solution for small to medium sized businesses. They are easy to use and well equipped out of the box. We recently found ourselves in an engagement where one of these devices was accessible via the LAN. Gaining access to backups is a bit of a goldmine during an assessment; unrestricted access to file shares, configuration information, extracting hashes from the NTDS.dit file, and a multitude of other things. --------------------------------------------- http://silentbreaksecurity.com/tearing-apart-a-datto/ *** Vulnerability in Citrix NetScaler Application Deliver Controller and NetScaler Gateway Management Interface Could Result in Arbitrary Command Injection *** --------------------------------------------- A vulnerability has been identified in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway Management Interface that could allow an authenticated malicious user to execute shell commands on the appliance. CVE: CVE-2015-5080 --------------------------------------------- http://support.citrix.com/article/CTX201149 *** Viele Android-Geräte über Debugger angreifbar *** --------------------------------------------- Über eine Schwachstelle im Debugger können Angreifer den Inhalt des Hauptspeichers von über 90 Prozent aller Android-Geräte auslesen und so weitere Attacken fahren. --------------------------------------------- http://www.heise.de/newsticker/meldung/Viele-Android-Geraete-ueber-Debugger… *** Analyzing a Facebook Clickbait Worm *** --------------------------------------------- Here at Sucuri we suspect everything, especially when your friends start to share content written in another language with clickbait headlines. If you are not familiar with the term, clickbait is when web content is created in a way that psychologically exploits the reader's curiosity using compelling headlines. When someone clicks on the article to read it, the service promoting the article generates online advertisement revenue. --------------------------------------------- https://blog.sucuri.net/2015/06/analyzing-a-facebook-clickbait-worm.html *** Vulnerabilities in Cisco products*** --------------------------------------------- Cisco Unified IP Phones 9900 Series Denial of Service Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=39554 --------------------------------------------- Cisco Unified Communications Domain Manager Information Disclosure Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=39557 --------------------------------------------- *** Vulnerabilities in IBM products*** --------------------------------------------- Security Bulletin: Vulnerabilities in libxml2 affect System Networking Products (CVE-2014-0191, CVE-2013-2877, CVE-2014-3660) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098306 --------------------------------------------- Security Bulletin: Vulnerabilities in OpenSSL affect Flex System FC3171 8Gb SAN Switch and Flex System FC3171 8Gb SAN Pass-thru (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098265 --------------------------------------------- Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Flex System Manager (FSM) SMIA Configuration Tool (CVE-2015-4000) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098403 --------------------------------------------- Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware. (CVE-2015-2808) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098314 --------------------------------------------- Security Bulletin: Vulnerability in RC4 stream cipher affects IBM System Networking RackSwitch (CVE-2015-2808) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098302 ---------------------------------------------Security Bulletin: Vulnerability in RC4 stream cipher affects IBM BladeCenter Switches (CVE-2015-2808) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098303 --------------------------------------------- Security Bulletin: Multiple vulnerabilities in xorg-x11-server affect IBM Flex System Manger (FSM) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098372 --------------------------------------------- Security Bulletin: GNU C library (glibc) vulnerability affects IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware (CVE-2015-0235) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098317 --------------------------------------------- Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098358 --------------------------------------------- Security Bulletin: Vulnerabilities in OpenSSL affect IBM System x, BladeCenter and Flex Systems Unified Extensible Firmware Interface (UEFI) (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275) http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098339 --------------------------------------------- IBM Security Bulletin: IBM SmartCloud Analytics - Log Analysis is affected by Open Source Python Vulnerability (CVE-2014-9365) http://www.ibm.com/support/docview.wss?uid=swg21958936 --------------------------------------------- IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Endpoint Manager for Remote Control http://www.ibm.com/support/docview.wss?uid=swg21903374 --------------------------------------------- IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime, affect Tivoli Endpoint Manager for Remote Control. http://www.ibm.com/support/docview.wss?uid=swg21903373 --------------------------------------------- IBM Security Bulletin: A vulnerability in cURL libcURL affects IBM Tivoli Composite Application Manager for Transactions (CVE-2014-8150) http://www.ibm.com/support/docview.wss?uid=swg21697198 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 29-06-2015
by Daily end-of-shift report 29 Jun '15

29 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 26-06-2015 18:00 − Montag 29-06-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** In eigener Sache: CERT.at sucht Verstärkung *** --------------------------------------------- Wir suchen aktuell eine/n ProgrammiererIn - vorerst als Karenzvertretung bis Jahresende. Details siehe https://cert.at/about/jobs/jobs.html --------------------------------------------- http://www.cert.at/services/blog/20150629141329-1553.html *** IETF Officially Deprecates SSLv3 *** --------------------------------------------- The IETF, in RFC7568, declared SSLv3 "not sufficiently secure" and prohibited its use. SSLv3 fallbacks were to blame for the POODLE and BEAST attacks. --------------------------------------------- http://threatpost.com/ietf-officially-deprecates-sslv3/113503 *** NIST Updates Random Number Generation Guidelines *** --------------------------------------------- An anonymous reader writes: Encryption weighs heavily on the public consciousness these days, as weve learned that government agencies are keeping an eye on us and a lot of our security tools arent as foolproof as weve thought. In response to this, the National Institute of Standards and Technology has issued a formal update to its document on how to properly generate a random number - crucial in many types of encryption. --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/JJ7XjyjPA9c/nist-updates-ra… *** Lücke im Flash Player: Exploit Kit erhöht Angriffs-Risiko *** --------------------------------------------- Bisher haben Angreifer die in der letzten Woche bekanntgewordene Schwachstelle in Adobes Flash Player nur vereinzelt und gezielt attackiert. Aktuell nutzt jedoch auch das Magnitude Exploit Kit die Lücke aus und vergrößert den Angriffsradius. --------------------------------------------- http://heise.de/-2730795 *** The State of the ESILE/Lotus Blossom Campaign *** --------------------------------------------- As is generally the case with backdoors, ESILE contacts a command-and-control server in order to receive commands from its attacker. How it does this is also a fingerprint of the campaign as well. It uses a URL based on the MAC address of the infected machine's network interface, as well as the current time. ... This distinctive pattern can be used to help spot and block ESILE-related endpoints on an organization's network. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/the-state-of-the… *** Migrating from SHA-1 to SHA-2 *** --------------------------------------------- Heres a comprehensive document on migrating from SHA-1 to SHA-2 in Active Directory certificates.... --------------------------------------------- https://www.schneier.com/blog/archives/2015/06/migrating_from_.html *** Cyber Security Challenge: Bundesheer sucht Nachwuchs-Hacker *** --------------------------------------------- Qualifikation läuft bis August, Veranstaltung von Cyber Security Austria und Abwehramt organisiert --------------------------------------------- http://derstandard.at/2000018220253 *** Bugtraq: ESA-2015-097: EMC Secure Remote Services (ESRS) Virtual Edition (VE) Multiple Security Vulnerabilities *** --------------------------------------------- Summary: ESRS VE version 3.06 contains security fixes for multiple vulnerabilities that could potentially be exploited by malicious uses to compromise the affected system Insufficient Certificate Validation CVE-2015-0543: CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) Cookie Generated with Insufficient Randomness CVE-2015-0544: CVSSv2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) --------------------------------------------- http://www.securityfocus.com/archive/1/535851 *** The Powershell Diaries 2 - Software Inventory, (Mon, Jun 29th) *** --------------------------------------------- After last weeks story, hopefully youve got your problem users accounts identified. With that worked out, lets see about finding problem applications. We all need a handle on what applications are installed on workstations for a number of reasons to make sure that when upgrade time comes, that nobody gets left behind that older apps that have security vulnerabilities or have limited function get taken care of... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19851&rss *** Critical vulnerabilities in Polycom RealPresence Resource Manager (RPRM) *** --------------------------------------------- Business recommendation: By combining all vulnerabilities documented in this advisory an unprivileged authenticated remote attacker can gain full system access (root) on the RPRM appliance. This has an impact on all conferences taking place via this RP Resource Manager. Attackers can steal all conference passcodes and join or record any conference. SEC Consult recommends not to use this system until a thorough security review has been performed by security professionals and all identified issues have been resolved. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015… *** TYPO3-EXT-SA-2015-015: Cross-Site Scripting in extension "404 Page not found handling" (pagenotfoundhandling) *** --------------------------------------------- It has been discovered that the extension "404 Page not found handling" (pagenotfoundhandling) is susceptible to Cross-Site Scripting Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C Affected Versions: version 2.1.0 and below --------------------------------------------- http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-e… *** Hacker-Angriff vermutet: Apache Build-Server offline *** --------------------------------------------- Bis jetzt wurde ein Angriff nicht offiziell bestätigt. Auch ist nicht bekannt, ob ein Eingriff in auf den Servern gebaute Software-Pakete stattgefunden hat. Die Build-Systeme der ASF werden unter anderem von OpenOffice, dem Tomcat-Projekt und dem Web-Framework Apache Wicket verwendet. Neben den Build-Servern und der Continuous-Integration-Webseite ist auch das CMS der Apache-Seiten betroffen. --------------------------------------------- http://heise.de/-2731265 *** Cisco Application Policy Infrastructure Controller Unauthorized Access Vulnerability *** --------------------------------------------- CVE: CVE-2015-4225, CVSS2 Base Score: 5.5 A vulnerability in the role-based access control (RBAC) of the Cisco Application Policy Infrastructure Controller (Cisco APIC) could allow an authenticated, remote attacker to have read access to certain information stored in the affected system. The vulnerability is due to improper handling of RBAC for health scoring. An attacker could exploit this vulnerability to gain access to information on the affected system. --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39529

1 0

Tageszusammenfassung - Freitag 26-06-2015
by Daily end-of-shift report 26 Jun '15

26 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 25-06-2015 18:00 − Freitag 26-06-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Multiple Default SSH Keys Vulnerabilities in Cisco Virtual WSA, ESA, and SMA *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Magento Platform Targeted By Credit Card Scrapers *** --------------------------------------------- We've been writing a lot about E-Commerce hacks and PCI Compliance recently. The more people buy things online, the more of an issue this will be come and the more important it will .. --------------------------------------------- https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-sc… *** MMD-0034-2015 - New ELF Linux/DES.Downloader on Elasticsearch CVE-2015-1427 exploit *** --------------------------------------------- This is a tough writing, and will be many addition will be added after the initial release. We are pushed to release this as alert of an on going attack, it is a real malware incident .. --------------------------------------------- http://blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html *** That shot you heard? SSLv3 is now DEAD *** --------------------------------------------- Its joined the choir invisible We really, really, really mean it this time: take SSL3 and bury .. --------------------------------------------- http://www.theregister.co.uk/2015/06/26/that_shot_you_heard_sslv3_is_now_de… *** EU-Ermittler zerschlagen Ring von Online-Banking-Betrügern *** --------------------------------------------- Verschiedenen Behörden aus Europa haben eine erfolgreiche Operation gegen Cyber-Kriminelle durchgeführt, die im großen Stil über alle Kontinente verteilt Banking-Trojaner eingesetzt haben. --------------------------------------------- http://heise.de/-2729777 *** Windows Server 2003 noch auf Drittel aller Server: Support-Ende im Juli *** --------------------------------------------- Am 14. Juli endet der Support von Windows Server 2003, Server 2003 R2 und Small Business Server 2003. Ab dann wird es für das zwölf Jahre alte System keine neuen Updates, Hotfixes oder Sicherheits-Aktualisierung mehr geben. --------------------------------------------- http://derstandard.at/2000018075592 *** Polycom RealPresence Resource Manager critical vulnerabilities allow surveillance on conferences *** --------------------------------------------- Multiple remote vulnerabilities (arbitrary file disclosure, path traversal, arbitrary file upload, privilege escalation in the web application) combined with local vulnerabilities (sudo misconfiguration, weak filesystem permissions) allow an .. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015… *** Siemens Climatix BACnet/IP Communication Module Cross-site Scripting Vulnerability *** --------------------------------------------- This advisory provides mitigation details for an identified cross-site scripting vulnerability in the Siemens Climatix BACnet/IP communication module. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-176-01 *** PACTware Exceptional Conditions Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a handling of exceptional conditions vulnerability in the PACTware Consortium PACTware application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-176-02 *** Latest spam filter test sees significant drop in catch rates *** --------------------------------------------- Despite a drop in catch rates, 15 products earn a VBSpam award, with four earning a VBSpam+ award.Spam is notoriously volatile and thus, while we like to make the news headlines with our tests as much as anyone, we would warn against .. --------------------------------------------- http://www.virusbtn.com/blog/2015/06_26.xml *** ZDI-15-262: HP System Management Homepage Single Sign On Stack Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard System Management Homepage. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-15-262/

1 0

Tageszusammenfassung - Donnerstag 25-06-2015
by Daily end-of-shift report 25 Jun '15

25 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 24-06-2015 18:00 − Donnerstag 25-06-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** Paper: Using .NET GUIDs to help hunt for malware *** --------------------------------------------- Tool to extract identifiers incorporated into VirusTotal. The large number of new malware samples found each day hasnt made malware analysis an easier task, and researchers could use anything that helps them automate this task. Today, we publish a paper by Cylance researcher Brian Wallace, who looks at two globally unique identifiers (GUIDs) found in malware created using .NET, which can help link multiple files to the same Visual Studio project. --------------------------------------------- http://www.virusbtn.com/blog/2015/06_24a.xml?rss *** The Powershell Diaries - Finding Problem User Accounts in AD, (Wed, Jun 24th) *** --------------------------------------------- Powershell has gotten a lot of attention lately as a pentesters tool of choice, since it has access to pretty much every low-level system function in the Microsoft ecosystem, and the AV industry isnt dealing well with that yet (aside from ignoring powershell completely that is). But what about day-to-day system administration? Really, the possibilities for admins are just as limitless as for pentesters - thats what Powershell was invented for after all ! --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19833&rss *** Shibboleth authentication - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2015-129 Project: Shibboleth authentication (third-party module) Version: 6.x, 7.x Date: 2015-June-24 Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Cross Site Scripting Description Shibboleth authentication module allows users to log in and get permissions based on federated (SAML2) authentication.The module didnt filter the text that is displayed as a login link. --------------------------------------------- https://www.drupal.org/node/2511518 *** HybridAuth Social Login - Less Critical - Access bypass - SA-CONTRIB-2015-127 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2015-127 Project: HybridAuth Social Login (third-party module) Version: 7.x Date: 2015-June-24 Security risk: 8/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypass Description The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. --------------------------------------------- https://www.drupal.org/node/2511410 *** Web security subtleties and exploitation of combined vulnerabilities, (Thu, Jun 25th) *** --------------------------------------------- The goal of a penetration test is to report all identified vulnerabilities to the customer. Of course, every penetration tester puts most of his effort into finding critical security vulnerabilities: SQL injection, XSS and similar, which have the most impact for the tested web application (and, indeed, it does not hurt a penetration testers ego when such a vulnerability is identified :) However, I strongly push towards reporting of every single vulnerability, no matter how harmless it might appear ... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19837&rss *** Samsung deaktiviert keine Sicherheitsupdates von Windows *** --------------------------------------------- PR-Desaster im Eigenbau: Samsung veröffentlicht ein Tool namens "disable_Windowsupdate.exe". Doch das macht gar nicht das, was der Name vermuten lässt. --------------------------------------------- http://www.heise.de/newsticker/meldung/Samsung-deaktiviert-keine-Sicherheit… *** Von wegen Schutz: NOD32 erlaubt das Kapern von Rechnern *** --------------------------------------------- Statt die Nutzer zu schützen erlaubte NOD32 von Eset es Angreifern, die Rechner der Opfer komplett zu übernehmen. Das Update, welches die Lücke schließt, sollte schleunigst eingespielt werden. --------------------------------------------- http://heise.de/-2728967 *** SSA-142512 (Last Update 2015-06-25): Cross-Site Scripting Vulnerability in Climatix BACnet/IP Communication Module *** --------------------------------------------- SSA-142512 (Last Update 2015-06-25): Cross-Site Scripting Vulnerability in Climatix BACnet/IP Communication Module --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** Multiple vulnerabilities in Cisco products *** *** Cisco Wireless LAN Controller Command Injection Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39517 *** Cisco IOS XR MPLS LDP Packet Processing Denial of Service Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39509 *** Cisco Unified Presence Server Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39504 *** Cisco IM and Presence Service Leaked Encrypted Passwords Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39505 *** Cisco IM and Presence Service SQL Injection Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39506

1 0

Tageszusammenfassung - Mittwoch 24-06-2015
by Daily end-of-shift report 24 Jun '15

24 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 23-06-2015 18:00 − Mittwoch 24-06-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Operation Clandestine Wolf � Adobe Flash Zero-Day in APT3 PhishingCampaign *** --------------------------------------------- In June, FireEye�s FireEye as a Service team in Singapore uncovered a phishing campaign exploiting an Adobe Flash Player zero-day vulnerability (CVE-2015-3113). The attackers� emails included links to compromised web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-… *** Digital Snake Oil *** --------------------------------------------- One of the most common complaints we see on our forums, and from our users, concerns a particular category of program called �Registry Optimizers� or �Registry Cleaners� or �Registry Defragmenters�. For this post, we will just refer to them as .. --------------------------------------------- https://blog.malwarebytes.org/social-engineering/2015/06/digital-snake-oil/ *** Websites Hacked Via Website Backups *** --------------------------------------------- The past few months we�ve been spending a good deal of time talking about backups. This is for good reason, they are often your safety net when things go wrong; interestingly enough though, they are often the forgotten pillar of security. It�s why we .. --------------------------------------------- https://blog.sucuri.net/2015/06/websites-hacked-via-website-backups.html *** Cisco AnyConnect Client for Windows Privilege Escalation Vulnerability *** --------------------------------------------- A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to install and execute an arbitrary executable file with privileges equivalent to the Microsoft Windows operating system SYSTEM account. --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39466 *** MMD-0033-2015 - Linux/XorDDoS infection incident report (CNC: HOSTASA.ORG) *** --------------------------------------------- This post is an actual malware infection incident of the"Linux/XOR.DDoS" malware, see this previous post as reference, malware was in attempt to infect a real service. Incident details: Source of attack: An attack .. --------------------------------------------- http://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection… *** Analysis and Exploitation of an ESET Vulnerability *** --------------------------------------------- Many antivirus products include emulation capabilities that are intended to allow unpackers to run for a few cycles before signatures are applied. ESET NOD32 uses a minifilter or kext to intercept all disk I/O, which is analyzed and then emulated if .. --------------------------------------------- http://googleprojectzero.blogspot.com/2015/06/analysis-and-exploitation-of-… *** Of Privacy, Security, and the Art of Scanning *** --------------------------------------------- With all the recent news and attention on world events the concept and concern around privacy has increased over the last several years. This is an excellent progression of personal protection and should be pursued .. --------------------------------------------- http://blog.shadowserver.org/2015/06/23/of-privacy-security-and-the-art-of-… *** Attacking Ruby Gem Security with CVE-2015-3900 *** --------------------------------------------- A Ruby gem is a standard packaging format used for Ruby libraries and applications. This packaging format allows Ruby software developers a clearly defined format in which they can .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Secu… *** Samsung deliberately disabling Windows Update *** --------------------------------------------- On my home forum Sysnative, a user (wavly) was being assisted with a WU issue, which was going well, aside from the fact that wavlys WU kept getting disabled randomly. It was figured out eventually after using auditpol.exe and registry security .. --------------------------------------------- http://bsodanalysis.blogspot.de/2015/06/samsung-deliberately-disabling-wind… *** Kaspersky hilft Facebook User-PCs nach Viren zu scannen *** --------------------------------------------- Facebook will die Verbreitung von Malware über das soziale Netzwerk eindämmen. Dafür werden nicht nur Profile nach verdächtigen Aktivitäten gescannt. Das Unternehmen bietet Nutzern auch die Möglichkeit an, einen kostenlosen Scan ihres Computers durchzuführen. Seit einiger Zeit .. --------------------------------------------- http://derstandard.at/2000017946165 *** Identifying vulnerable code *** --------------------------------------------- No matter how much care you take during development of any software, security issues creep in. Hence, it is important to get the code reviewed for security loopholes. Code is the only advantage for organizations over the hackers and they need .. --------------------------------------------- http://resources.infosecinstitute.com/identifying-vulnerable-code/ *** Am 30. Juni ist DNSSEC-Day *** --------------------------------------------- Am 30. Juni 2015 veranstalten das BSI, der DENIC und heise online den DNSSEC-Day. Kern der Veranstaltung ist ein Livestreaming, bei dem Fachleute Nutzen und .. --------------------------------------------- http://heise.de/-2723932 *** Results of my recent PostScript Charstring security research unveiled *** --------------------------------------------- Some months ago, I started reverse engineering and investigating the security posture of the Adobe Type Manager Font Driver (ATMFD.DLL) module, which provides support for Type 1 and OpenType fonts in the Windows kernel since Windows NT 4.0, .. --------------------------------------------- http://j00ru.vexillium.org/?p=2520

1 0

Tageszusammenfassung - Dienstag 23-06-2015
by Daily end-of-shift report 23 Jun '15

23 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 22-06-2015 18:00 − Dienstag 23-06-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Security updates available for Adobe Flash Player (APSB15-14) *** --------------------------------------------- A Security Bulletin (APSB15-14) has been published regarding security updates for Adobe Flash Player. These updates address a critical vulnerability (CVE-2015-3113), and Adobe recommends users update their product installations to the latest .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1210 *** Multiple vulnerabilities in Cisco products *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39439 http://tools.cisco.com/security/center/viewAlert.x?alertId=39440 http://tools.cisco.com/security/center/viewAlert.x?alertId=39455 http://tools.cisco.com/security/center/viewAlert.x?alertId=39457 http://tools.cisco.com/security/center/viewAlert.x?alertId=39459 http://tools.cisco.com/security/center/viewAlert.x?alertId=39460 http://tools.cisco.com/security/center/viewAlert.x?alertId=39377 http://tools.cisco.com/security/center/viewAlert.x?alertId=39458 *** �Free� Proxies Aren�t Necessarily Free *** --------------------------------------------- Netflix, Hulu and a host of other content streaming services block non-U.S. users from viewing their content. As a result, many people residing in or traveling outside of the United States seek to circumvent such restrictions by using services that advertise "free" and "open" Web proxies capable of .. --------------------------------------------- http://krebsonsecurity.com/2015/06/free-proxies-arent-necessarily-free *** Security hole in MacKeeper used to shove malware onto Macs *** --------------------------------------------- According to researchers at BAE, a recent Mac malware infestation was carried out using a security hole in a utility called MacKeeper. --------------------------------------------- https://nakedsecurity.sophos.com/2015/06/22/security-hole-in-mackeeper-used… *** New Dridex infection vector identified - Banking Trojan�s authors use Microsoft Office trick and a legitimate service to infect systems *** --------------------------------------------- Malware authors can sometimes be creative in order to manipulate their human targets on the one hand and to circumvent security products, too. The experts of G DATA�s SecurityLabs analyzed a specially crafted Microsoft Word document .. --------------------------------------------- https://blog.gdatasoftware.com/blog/article/new-dridex-infection-vector-ide… *** XOR DDOS Mitigation and Analysis, (Tue, Jun 23rd) *** --------------------------------------------- I have struggled over the past recent months with a clients environment becoming infected and reinfected with an XOR DDOS trojan. The disruption and reinfection rates were costly at times. The client in question .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19827 *** This Radio Bug Can Steal Laptop Crypto Keys, Fits Inside a Pita *** --------------------------------------------- The list of paranoia-inducing threats to your computer�s security grows daily: Keyloggers, trojans, infected USB sticks, ransomware�and now the rogue falafel sandwich. --------------------------------------------- http://www.wired.com/2015/06/radio-bug-can-steal-laptop-crypto-keys-fits-in… *** mTAN-Trojaner hat es erneut auf Android-Nutzer abgesehen *** --------------------------------------------- Gefälschte E-Mails im Namen der Postbank machen aktuell die Runde und fordern Nutzer dazu auf, eine SSL-Zertifikat-App zu installieren. Dahinter verbirgt sich jedoch ein Trojaner, der unter anderem mTANs für Online-Banking mitschneidet. --------------------------------------------- http://heise.de/-2721682 *** Moose Malware-Part 1 *** --------------------------------------------- In this article series, we will learn about a famous Linux family of malware known as MOOSE, which is used to steal unencrypted traffic over the wire and infect other devices automatically. This malware steals HTTP cookies and performs .. --------------------------------------------- http://resources.infosecinstitute.com/moose-malware-part-1/ *** Edges for file renames and process kills. *** --------------------------------------------- With build 47 ProcDOT introduced brand new edges to visualize situations where a file is being renamed or a process is being killed by some thread. While the latter was quite easy to implement it�s the renaming of files which stands out of the mass of typical frames/events in terms of ProcDOT�s animation capabilities. --------------------------------------------- http://procdot.com/blog_20150623.htm *** Support-Ende beim Windows Server 2003 am 14. Juli *** --------------------------------------------- Länger als Windows XP hat Microsoft sein Server-Betriebssystem derselben Generation mit Sicherheits-Updates versorgt. Aber am 14. Juli ist damit endgültig Schluss. --------------------------------------------- http://www.heise.de/newsticker/meldung/Support-Ende-beim-Windows-Server-200…

1 0

Tageszusammenfassung - Montag 22-06-2015
by Daily end-of-shift report 22 Jun '15

22 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 19-06-2015 18:00 − Montag 22-06-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Owning Internet Printing - A Case Study in Modern Software Exploitation *** --------------------------------------------- Modern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, .. --------------------------------------------- http://googleprojectzero.blogspot.com/2015/06/owning-internet-printing-case… *** Cacti Input Validation Flaw Permits Cross-Site Scripting and SQL Injection Attacks *** --------------------------------------------- The software does not properly filter HTML code from user-supplied input before displaying the input [CVE-2015-2665]. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The .. --------------------------------------------- http://www.securitytracker.com/id/1032672 *** Multiple vulnerabilities in Cisco products *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39432 http://tools.cisco.com/security/center/viewAlert.x?alertId=39431 http://tools.cisco.com/security/center/viewAlert.x?alertId=39422 http://tools.cisco.com/security/center/viewAlert.x?alertId=39424 http://tools.cisco.com/security/center/viewAlert.x?alertId=39423 *** Banking Trojan has targeted Bundestag *** --------------------------------------------- After the initial reports on the attacks on the Bundestag (German Federal Parliament), variants of the Swatbanker family are now putting the Bundestags intranet on a watch list. The operators of the botnet are apparently trying to steal access data and server responses associated with this .. --------------------------------------------- https://blog.gdatasoftware.com/blog/article/banking-trojan-has-targeted-bun… *** Microsoft website dedicated to online privacy gets hacked *** --------------------------------------------- Digital Constitution was running outdated of version of WordPress. --------------------------------------------- http://arstechnica.com/security/2015/06/microsoft-website-dedicated-to-onli… *** Microsoft: Meine Lücken schließ' ich nicht *** --------------------------------------------- Sicherheitsexperten geben Details zu Lücken in Internet Explorer heraus, weil Microsoft die Lücken nicht schließen will. --------------------------------------------- http://heise.de/-2718449 *** Standardschlüssel gefährdet SAPs Datenbank Hana *** --------------------------------------------- Bei der Installation wird die Benutzerdatenbank in SAPs Hana mit dem stets gleichen Standardschlüssel abgesichert. Weil dieser nur selten geändert wird, könnten sich Unberechtigte leicht Zugriff auf die dort gespeicherten Administratorkonten verschaffen. --------------------------------------------- http://www.golem.de/news/it-sicherheit-standardschluessel-gefaehrdet-saps-d… *** VMware Workstation: Der Einbruch �über Port COM1 *** --------------------------------------------- Über Schwachstellen in VMwares Workstation und Player ist ein vollständiger Zugriff auf das Wirtssystem aus einem Gastsystem heraus möglich. VMware hat bereits Updates veröffentlicht. --------------------------------------------- http://www.golem.de/news/vmware-workstation-der-einbruch-ueber-port-com1-15… *** Advertising: The Digital Turf War on your Desktop *** --------------------------------------------- https://blog.malwarebytes.org/privacy-2/2015/06/advertising-the-digital-tur… *** XARA-Lücke: Apple kündigt Fix für iOS und OS X an *** --------------------------------------------- Das Sicherheitsproblem, über das unter anderem Passwörter ausgelesen werden könnten, soll demnächst in der Software behoben werden. Zudem versucht sich der iPhone-Hersteller an anderen Lösungen. --------------------------------------------- http://heise.de/-2718624 *** The most common information security mistakes of e-commerces *** --------------------------------------------- Almost every month a new incident involving a big retailer, e-commerce or web platform makes the news headlines. Most retail fraud is now committed online, and in 2014 alone hackers managed to steal more than 61 million records from .. --------------------------------------------- https://www.htbridge.com/blog/the-most-common-information-security-mistakes… *** Adware for OS X distributes Trojans *** --------------------------------------------- Lately, reports about distribution of new malicious and potentially dangerous programs for OS X have been emerging with great frequency. Doctor Web security researches have registered a growing number of various adware and installers .. --------------------------------------------- http://news.drweb.com/show/?i=9502&lng=en&c=9 *** Steal That Car in 60 Seconds *** --------------------------------------------- Introduction Cars are everywhere and they are being upgraded with new technology as often as any other device we use. Taking some inspiration from the movie Knight and Day, .. --------------------------------------------- http://resources.infosecinstitute.com/the-car-in-60-seconds/ *** NSA spionierte österreichische Antiviren-Hersteller aus *** --------------------------------------------- Ikarus und Emsisoft genannt – NSA überwachte E-Mails an Firmen, um Entdeckung von Schadprogrammen mitzubekommen --------------------------------------------- http://derstandard.at/2000017842807 *** Magnitude EK: Traffic Analysis *** --------------------------------------------- Hello and welcome! Recently I have been skilling up in malware analysis. Specifically, my focus has been centred on client-side exploit kits, such common kits include: Angler, Nuclear, Magnitude, Neutrino, RIG... There are quite a few reasons for my new found .. --------------------------------------------- http://www.fuzzysecurity.com/tutorials/21.html *** Android Activtity Security *** --------------------------------------------- Each Android Application is made up of Activity, Service, Content Provider and Broadcast Receiver, which are the basic components of Android. Among those components, An Activity is .. --------------------------------------------- http://translate.wooyun.io/2015/06/22/android-activtity-security.html *** A month with BADONIONS *** --------------------------------------------- A few weeks ago I got the idea of testing how much sniffing is going on in the Tor network by setting up a phishing site where I login with unique password and then store them. I .. --------------------------------------------- https://chloe.re/2015/06/20/a-month-with-badonions/ *** Poseidon and Backoff POS � the links and similarities *** --------------------------------------------- Poseidon, also known as FindPOS, is a malware family designed for Windows point-of-sale systems. Poseidon scans the memory for running processes and employs keystroke logging .. --------------------------------------------- https://blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link *** Bypassing Microsoft EMET 5.2 - a neverending story? *** --------------------------------------------- The experts of the SEC Consult Vulnerability Lab managed to adapt the EMET 5.0 / 5.1 bypasses to additionally work against the latest Microsoft EMET version which is 5.2. Results of the research were already presented this year at .. --------------------------------------------- http://blog.sec-consult.com/2015/06/bypassing-microsoft-emet-52-neverending…

1 0

Tageszusammenfassung - Freitag 19-06-2015
by Daily end-of-shift report 19 Jun '15

19 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 18-06-2015 18:00 − Freitag 19-06-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** So Long, and Thanks for All the Domains *** --------------------------------------------- While Trojans like Dyre and Dridex are dominating malware-related news, we take the time to have a closer look at Tinba (Tiny Banker, Zusy, Illi), yet another Trojan which targets Windows users. In the first part of this post, we... --------------------------------------------- http://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-dom… *** Understanding type confusion vulnerabilities: CVE-2015-0336 *** --------------------------------------------- In March 2014, we observed a patched Adobe Flash vulnerability (CVE-2015-0336) being exploited in the wild. Adobe released the patch on March 12, 2014, and exploit code using this vulnerability first appeared about a week later. To help stay protected: Keep your Microsoft security software, such as Windows Defender for Windows 8.1 up-to-date. Keep your third-party software, such as Adobe Flash Player, up-to-date. Be cautious when browsing potentially malicious or compromised websites. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2015/06/18/understanding-type-confu… *** Tapatalk-Plug-in liest Daten von Forennutzern aus *** --------------------------------------------- Wie die Administratoren des HardwareLuxx-Forums entdeckten, liest das Plug-in der Mobil-App die E-Mail-Adressen ihrer 200.000 Nutzer auf Anfrage aus und schickt diese an eigene Server. Tapatalk hält das Ganze für ein Versehen. --------------------------------------------- http://heise.de/-2716662 *** Paper: Beta exploit pack: one more piece of crimeware for the infection road! *** --------------------------------------------- Exploit kit currently being tested focuses primarily on Flash Player exploits.Nuclear, Angler, Magnitude and Rig. Security researchers know were talking about exploit kits (or browser exploit packs), toolkits that automate the exploitation of client-side vulnerabilities and thus facilitate infection through drive-by downloads.Today, we publish an article by researchers Aditya K. Sood and Rohit Bansal, in which they look at a new exploit kit, Beta. Though it is still in a testing phase, Aditya... --------------------------------------------- http://www.virusbtn.com/blog/2015/06_19.xml?rss *** SAP Hana users warned of security vulnerability *** --------------------------------------------- Hard on the heels of the release of a newly updated version of SAP Hana, a security researcher has warned of a potentially serious vulnerability in the in-memory platform. "If an attacker can exploit this vulnerability, he can get access to all encrypted data stored in an SAP Hana database," said Alexander Polyakov, CTO with ERPScan, which presented the details Thursday at the Black Hat Sessions XIII conference in the Netherlands. --------------------------------------------- http://www.cio.com/article/2937953/sap-hana-users-warned-of-security-vulner… *** Identifying Your Prey *** --------------------------------------------- User hunting is one of my favorite phases of an engagement. Whether it's performed for lateral spread and escalation, or to demonstrate impact by tracking down incident responders and executives, we end up hunting for users on nearly every assessment we conduct. I presented this topic at the Shmoocon '15 Firetalks, and published the "I Hunt Sys Admins" post to help highlight some of the ways we track down where users are located in Windows domains. --------------------------------------------- http://www.verisgroup.com/2015/06/17/identifying-your-prey/ *** an awesome list of honeypot resources *** --------------------------------------------- A curated list of awesome honeypots, tools, components and much more. The list is divided into categories such as web, services, and others, focusing on open source projects. There is no pre-established order of items in each category, the order is for contribution. If you want to contribute, please read the guide. --------------------------------------------- https://github.com/paralax/awesome-honeypots *** The Samsung SwiftKey Vulnerability - What You Need To Know, And How To Protect Yourself *** --------------------------------------------- Recently, researchers announced that a vulnerability in Samsung Android devices had been found which allowed attackers to run malicious code on vulnerable devices if they became the targets of a man-in-the-middle attack. In this post we will explain how this vulnerability works, and what can users do to protect themselves. The Vulnerability The stock Android... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Y8_n4zFsafI/ *** Security CheatSheets - A collection of cheatsheets for various infosec tools and topics *** --------------------------------------------- These security cheatsheets are part of a project for the Ethical Hacking and Penetration Testing course offered at the University of Florida. Expanding on the default set of cheatsheets, the purpose of these cheatsheets are to aid penetration testers/CTF participants/security enthusiasts in remembering commands that are useful, but not frequently used. Most of the tools that will be covered have been included in our class and are available in Kali Linux. --------------------------------------------- http://www.kitploit.com/2015/06/security-cheatsheets-collection-of.html *** Bundestag: Linksfraktion veröffentlicht Malware-Analyse *** --------------------------------------------- Die Linksfraktion veröffentlicht im Zusammenhang mit dem Bundestags-Hack eine Analyse von Malware, die auf ihren Servern gefunden wurde. Darin wird eine Verbindung zur russischen Organisation APT28 nahegelegt. Doch wirklich überzeugend sind die Belege dafür nicht. --------------------------------------------- http://www.golem.de/news/bundestag-linksfraktion-veroeffentlicht-malware-an… *** Bugtraq: ZTE ZXV10 W300 v3.1.0c_DR0 - UI Session Delete Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/535797 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Content Manager Enterprise Edition (CVE-2015-0478, CVE-2015-0488, CVE-2015-1916, CVE-2015-2808) *** http://www.ibm.com/support/docview.wss?uid=swg21960248 *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM InfoSphere Discovery (CVE-2015-0488) *** http://www.ibm.com/support/docview.wss?uid=swg21903544 *** IBM Security Bulletin: Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerability (CVE-2014-0230) *** http://www.ibm.com/support/docview.wss?uid=swg21959294 *** IBM Security Bulletin: Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server uses an insecure hashing scheme for handling user passwords (CVE-2015-1913) *** http://www.ibm.com/support/docview.wss?uid=swg21959298 *** IBM Security Bulletin: Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerability (CVE-2014-0227) *** http://www.ibm.com/support/docview.wss?uid=swg21959291 *** IBM Security Bulletin: GNU C library (glibc) vulnerabilities affect IBM SmartCloud Entry (CVE-2014-6040 CVE-2014-7817) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022093 *** Wind River VXWorks TCP Predictability Vulnerability in ICS Devices *** --------------------------------------------- This advisory provides mitigation details for a TCP predictability vulnerability identified in Wind River's VxWorks. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-169-01 *** Cisco WebEx Meeting Center Web-Based Administrative Interface User Enumeration Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39420

1 0

Tageszusammenfassung - Donnerstag 18-06-2015
by Daily end-of-shift report 18 Jun '15

18 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 17-06-2015 18:00 − Donnerstag 18-06-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** OS X and iOS Unauthorized Cross Application Resource Access (XARA), (Thu, Jun 18th) *** --------------------------------------------- The last couple of days, a paper with details about XARA vulnerabilities in OS X and iOS is getting a lot of attention [1]. If you havent seen the term XARA before, then this is probably because cross-application-resource-access was normal in the past. Different applications has access to each others data as long as the same user ran them. But more recently, operating systems like OS X and iOS made attempts to sandbox applications and isolate applications from each other even if the same user... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19815&rss *** Apple OS X and iOS in the vulnerability spotlight - meet "CORED," also known as "XARA" *** --------------------------------------------- The security issue of the week has arrived in iOS and OS X, and its attracted a funky name already. The researchers called it XARA, but others had different ideas, and dubbed it "CORED." As in "Apple CORED." --------------------------------------------- http://feedproxy.google.com/~r/nakedsecurity/~3/Q4IwUfvQIVM/ *** IT-Sicherheitskonferenz FIRST: Ohne Vertrauen geht nichts, aber das Vertrauen geht *** --------------------------------------------- Die FIRST-Konferenz in Berlin beschäftigte sich damit, wie die Sicherheit von Computernetzen verbessert werden kann. Am Ende stand die Erkenntnis, dass die Arbeit komplizierter wird, weil Staaten zunehmend in IT-Sicherheit eingreifen. --------------------------------------------- http://heise.de/-2716841 *** Caching Out: The Value of Shimcache for Investigators *** --------------------------------------------- During a recent investigation, we found references to timestamps associated with probable malicious files that preceded the earliest known date of compromise. These Application Compatibility Cache (“Shimcache”) timestamps were the only evidence linked to this timeframe. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.ht… *** Uncovering Tor users: where anonymity ends in the Darknet *** --------------------------------------------- Intelligence services have not disclosed any technical details of how they detained cybercriminals who created Tor sites to distribute illegal goods; in particular, they are not giving any clues how they identify cybercriminals who act anonymously. This may mean that the implementation of the Tor Darknet contains some vulnerabilities and/or configuration defects that make it possible to unmask any Tor user. In this research, we will present practical examples to demonstrate how Tor users may... --------------------------------------------- http://securelist.com/analysis/publications/70673/uncovering-tor-users-wher… *** Drupal-Lücken erlauben das Kapern von Admin-Konten *** --------------------------------------------- In Drupal 6 und 7 klaffen vier Sicherheitslücken. Die schwerwiegendste erlaubt es Angreifer, Admin-Konten des CMS über OpenID zu kapern. Updates, welche die Lücken schließen, stehen zum Download bereit. --------------------------------------------- http://heise.de/-2715975 *** Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CORE-2015-002Project: Drupal core Version: 6.x, 7.xDate: 2015-June-17Security risk: 15/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information Disclosure, Open Redirect, Multiple vulnerabilitiesDescriptionImpersonation (OpenID module - Drupal 6 and 7 - Critical)A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their --------------------------------------------- https://www.drupal.org/SA-CORE-2015-002 *** Security Advisories for Drupal Third-Party Modules *** --------------------------------------------- https://www.drupal.org/security/contrib *** Bugtraq: [security bulletin] HPSBGN03350 rev.1 - HP SiteScope Using RC4, Remote Disclosure of Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/535785 *** Bugtraq: [security bulletin] HPSBGN03338 rev.1 - HP Service Manager running RC4, Remote Disclosure of Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/535786 *** Cisco IOS XR IPv6 Packet Processing Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39383 *** Cisco IOS XR SSH Disconnect Error Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39402 *** Symantec Endpoint Protection Manager and Client Issues *** ---------------------------------------------  Revisions None Severity CVSS2Base ScoreImpactExploitabilityCVSS2 VectorSEPM Auth User Blind SQLi in PHP prepared state... --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** [R2] PHP < 5.4.41 Vulnerabilities Affect Tenable SecurityCenter *** --------------------------------------------- http://www.tenable.com/security/tns-2015-06 *** Rack denial of service *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/103917 *** SQL Injection in EXT:sb_akronymmanager *** --------------------------------------------- It has been discovered that the extension "Akronymmanager" (sb_akronymmanager) is susceptible to SQL Injection --------------------------------------------- http://www.typo3.org/news/article/sql-injection-in-extsb-akronymmanager/ *** pure-ftpd 1.0.39 remote denial of service in glob_() *** --------------------------------------------- Topic: pure-ftpd 1.0.39 remote denial of service in glob_() Risk: Medium Text:Version 1.0.40 of pure-FTPd fixes a potential denial of service issue. From the NEWS file: - The process handling a user... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015060101

1 0

Tageszusammenfassung - Mittwoch 17-06-2015
by Daily end-of-shift report 17 Jun '15

17 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 16-06-2015 18:00 − Mittwoch 17-06-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Unpatched OS X, iOS flaws allow password, token theft from keychain, apps *** --------------------------------------------- Six researchers from Indiana University Bloomington, Peking University and Georgia Tech have recently published a paper in which they detail the existence of critical security weaknesses in Apples OS... --------------------------------------------- http://www.net-security.org/secworld.php?id=18523 *** Security: Unverschlüsselte App-Updates gefährden Samsungs Smartphones *** --------------------------------------------- Wenn Apps ihre Aktualisierungen unverschlüsselt abholen, sind sie leicht zu manipulieren. Vor allem bei systemnahen Anwendungen ist das ein gravierendes Problem, wie ein aktueller Fall belegt, der vor allem die Galaxy-Reihe von Samsung betrifft. --------------------------------------------- http://www.golem.de/news/security-unverschluesselte-app-updates-gefaehrden-… *** CVE-2014-4114 and an Interesting AV Bypass Technique, (Tue, Jun 16th) *** --------------------------------------------- Citizenlabs recently reported on a CVE-2014-4114 campaign against pro-democracy / pro-Tibetian groups in Hong Kong. The attacks happening should not surprise anyone, nor that the attacks were sophisticated. The vulnerability itself was patched with MS14-060 and has been used by APT and crime groups for sometime. Trend Micro wrote a good write-up of the issue here. What is interesting is what, in effect, is an anti-virus bypass that was employed by the actors. This bypass was discussed in this... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19809&rss *** VU#155412: Samsung Galaxy S phones fail to properly validate Swiftkey language pack updates *** --------------------------------------------- Vulnerability Note VU#155412 Samsung Galaxy S phones fail to properly validate Swiftkey language pack updates Original Release date: 16 Jun 2015 | Last revised: 16 Jun 2015 Overview Samsung Galaxy S phones, including the S4 Mini, S4, S5, and S6, fail to properly validate Swiftkey language pack updates. Description CWE-345: Insufficient Verification of Data Authenticity - CVE-2015-2865Samsung Galaxy S phones, including the S4 Mini, S4, S5, and S6, are pre-installed with a version of Swiftkey... --------------------------------------------- http://www.kb.cert.org/vuls/id/155412 *** EMC Unified Infrastructure Manager/Provisioning Authentication Flaw Lets Remote Users Access the System *** --------------------------------------------- http://www.securitytracker.com/id/1032589 *** Red Hat OpenSSL Locking Error in ssleay_rand_bytes() Lets Remote Users Deny Service *** --------------------------------------------- http://www.securitytracker.com/id/1032587 *** Vulnerabilities in Cisco Products *** --------------------------------------------- *** Cisco Cloud Portal Appliance Pregenerated Default Host Keys Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39380 *** Cisco Prime Collaboration Manager SQL Injection Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39365 *** Cisco Prime Collaboration Assurance Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=31998 *** Cisco Adaptive Security Appliance Encrypted IPSec or IKEv2 Packet Modification Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39366 *** [HTB23261]: OS Command Injection in Vesta Control Panel *** --------------------------------------------- Product: Vesta Control Panel v0.9.8Vulnerability Type: OS Command Injection [CWE-78]Risk level: Critical Creater: http://vestacp.comAdvisory Publication: May 20, 2015 [without technical details]Public Disclosure: June 17, 2015 CVE Reference: CVE-2015-4117 CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C) Vulnerability Details: High-Tech Bridge Security Research Lab discovered critical vulnerability in Vesta Control Panel, which can be exploited to execute arbitrary system commands and gain... --------------------------------------------- https://www.htbridge.com/advisory/HTB23261 *** VU#842780: Vesta Control Panel is vulnerable to cross-site request forgery *** --------------------------------------------- Vulnerability Note VU#842780 Vesta Control Panel is vulnerable to cross-site request forgery Original Release date: 16 Jun 2015 | Last revised: 16 Jun 2015 Overview Vesta Control Panel is vulnerable to a cross-site request forgery (CSRF) attack. Description CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-2861Vesta Control Panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has --------------------------------------------- http://www.kb.cert.org/vuls/id/842780 *** Bugtraq: ESA-2015-043: RSA Validation Manager Security Update for Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/535777 *** GarrettCom Magnum Series Devices Vulnerabilities *** --------------------------------------------- This advisory provides mitigation details for multiple vulnerabilities in GarrettCom's Magnum 6k and Magnum 10k product lines. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-167-01-0 *** Security update available for Adobe Photoshop CC *** --------------------------------------------- Adobe has released an update for Photoshop CC for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. --------------------------------------------- https://helpx.adobe.com/security/products/photoshop/apsb15-12.html *** Security update available for Adobe Bridge CC *** --------------------------------------------- Adobe has released an update for Adobe Bridge CC for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. --------------------------------------------- https://helpx.adobe.com/security/products/bridge/apsb15-13.html *** Bugtraq: VCE3570: VCE Vision(TM) Intelligent Operations Cryptographic and Cleartext Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/535781 *** [R1] PHP < 5.4.41 Vulnerabilities Affect Tenable SecurityCenter *** --------------------------------------------- June 15, 2015 --------------------------------------------- http://www.tenable.com/security/tns-2015-06

1 0

Tageszusammenfassung - Dienstag 16-06-2015
by Daily end-of-shift report 16 Jun '15

16 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 15-06-2015 18:00 − Dienstag 16-06-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Dude, where's my heap? *** --------------------------------------------- Guest posted by Ivan Fratric, spraying 1TB of memoryThe ability to place controlled content to a predictable location in memory can be an important primitive in exploitation of memory corruption vulnerabilities. A technique that is commonly used to this end in browser exploitation is heap spraying: By allocating a large amount of memory an attacker ensures that some of the allocations happen in a predictable memory region. In order to break this technique, in Windows 8 Microsoft introduced High... --------------------------------------------- http://googleprojectzero.blogspot.com/2015/06/dude-wheres-my-heap.html *** RFC 7540 - HTTP/2 protocol, (Mon, Jun 15th) *** --------------------------------------------- RFC 7540 has been out for a month now. What should we expect with this new version? 1. New frame: HTTP/2 implements a binary protocol with the following frame structure: Length: The length of the frame payload expressed as an unsigned 24-bit integer. Values greater than 2^14 must not be sent unless the receiver has set a larger value for SETTINGS_MAX_FRAME_SIZE parameter. Type: The 8-bit type of the frame. It determines the format and semantics of the frame.">Length: The length of the... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19799&rss *** LastPass Security Notice *** --------------------------------------------- We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised. --------------------------------------------- https://blog.lastpass.com/2015/06/lastpass-security-notice.html/ *** Blackhats exploiting MacKeeper hole to foist dangerous trojan *** --------------------------------------------- Peskware now net nasty Last months MacKeeper vulnerability is now being exploited in the wild to hijack Apple machines, according to BAE security researcher Sergei Shevchenko. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/06/16/blackhats_e… *** Odd HTTP User Agents, (Tue, Jun 16th) *** --------------------------------------------- Many web application firewalls do block odd user agents. However, decent vulnerability scanners will try to evade these simple protections by trying to emulate the user agent string of commonly used browsers. To figure out if I can distinguish bad from good, I compared some of the logs from our honeypotsto logs from a normalweb server (isc.sans.edu). Many of the top user agents hitting the honeypot are hardly seen on normal web sites, allowing me to identify possible vulnerability scanners. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19805&rss *** Phone hacking blitz hammers UK.bizs poor VoIP handsets *** --------------------------------------------- If I ever get my hands on those phreaking kids who hacked my phones... UK businesses are getting disproportionately targeted by a surge of attacks against Voice over IP (VoIP) systems. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/06/16/voip_hackin… *** iOS Application Security Part 45 - Enhancements in Damn Vulnerable iOS app version 2.0 *** --------------------------------------------- In this article, i would like to give a quick walkthrough of the new vulnerabilities and challenges that we have added in version 2.0 of Damn Vulnerable iOS app. In the Insecure Data storage section, we have added challenges for the following databases. Realm Database Couchbase Lite YapDatabase We have also added a new section... --------------------------------------------- http://resources.infosecinstitute.com/ios-application-security-part-45-enha… *** DSA-3289 p7zip - security update *** --------------------------------------------- Alexander Cherepanov discovered that p7zip is susceptible to adirectory traversal vulnerability. While extracting an archive, itwill extract symlinks and then follow them if they are referenced infurther entries. This can be exploited by a rogue archive to writefiles outside the current directory. --------------------------------------------- https://www.debian.org/security/2015/dsa-3289 *** VU#101500: Retrospect Backup Client uses weak password hashing *** --------------------------------------------- Vulnerability Note VU#101500 Retrospect Backup Client uses weak password hashing Original Release date: 15 Jun 2015 | Last revised: 15 Jun 2015 Overview Retrospect Backup Client is a client to a network-based backup utility. This client stores passwords in a hashed format that is weak and susceptible to collision, allowing an attacker to generate a password hash collision and gain access to the targets backup files. Description CWE-916: Use of Password Hash With Insufficient Computational... --------------------------------------------- http://www.kb.cert.org/vuls/id/101500 *** VU#626420: Pearson ProctorCache contains hard coded credentials *** --------------------------------------------- Vulnerability Note VU#626420 Pearson ProctorCache contains hard coded credentials Original Release date: 16 Jun 2015 | Last revised: 16 Jun 2015 Overview The Pearson ProctorCache software uses a hard coded password for administrative tasks. Description The ProctorCache is designed to cache the testing content, as well as cache the responses and maintain a client list of active test-takers. ProctorCache is a server software package installed locally within the LAN on a Windows system.CWE-259: --------------------------------------------- http://www.kb.cert.org/vuls/id/626420 *** Bugtraq: ESA-2015-106: EMC Unified Infrastructure Manager/Provisioning (UIM/P) Authentication Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/535776 *** Security Advisory: MIT Kerberos 5 vulnerability CVE-2014-5355 *** --------------------------------------------- (SOL16743) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/16000/700/sol16743.htm… *** RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability (Update A) *** --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-15-162-01 RLE Nova Wind Turbine HMI Unsecure Credentials Vulnerability that was published June 11, 2015, on the NCCIC/ICS-CERT web site. This updated advisory provides publicly disclosed vulnerabilities and mitigation measures for the RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-162-01A *** IBM Security Bulletins *** --------------------------------------------- Vulnerability in Diffie-Hellman ciphers affects TS3400 (CVE-2015-4000) Vulnerability in Diffie-Hellman ciphers affects TS2900 (CVE-2015-4000) Vulnerability in Diffie-Hellman ciphers affects IBM Cognos Metrics Manager (CVE-2015-4000) Vulnerability in Diffie-Hellman ciphers affects the IBM Installation Manager and IBM Packaging Utility (CVE-2015-4000) Vulnerability with Diffie-Hellman ciphers may affect Lotus Quickr 8.5 for WebSphere Portal (CVE-2015-4000) Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Integrated Operations Management (CVE-2015-0491, CVE-2015-0459, CVE-2015-0469, CVE-2015-0458, CVE-2015-0480, CVE-2015-0488, CVE-2015-0478, CVE-2015-047...) IBM QRadar Incident Forensics 7.2.4 is vulnerable to a cross site scripting vulnerability. (CVE-2015-1919) Vulnerabilities in OpenSSL affect IBM Campaign, IBM ContactOptimization (CVE-2015-0209, CVE-2015-0286, CVE-2015-0288, CVE-2015-0292, CVE-2015-0293) Open Source Apache Tomcat prior to 6.0.42 as used in IBM QRadar Security Information and Event Manager 7.1 MR2, and 7.2.4 is vulnerable to HTTP request smuggling. (CVE-2014-0227) Vulnerabilities in OpenSSL affect IBM Campaign, IBM ContactOptimization (CVE-2014-3569) IBM Tealeaf Customer Experience is affected by a vulnerability in OpenSSL (CVE-2014-3511, CVE-2014-3512) Vulnerability in Diffie-Hellman ciphers affects IBM Operations Analytics - Predictive Insights (CVE-2015-4000) Vulnerability in OpenSSL affects IBM XIV Storage System Gen3 (CVE-2014-3570) Multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition April 2015 CPU --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us

1 0

Tageszusammenfassung - Montag 15-06-2015
by Daily end-of-shift report 15 Jun '15

15 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 12-06-2015 18:00 − Montag 15-06-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Hey kids, who wants to pwn a million BIOSes? *** --------------------------------------------- IT security bods warn of dysfunctional ecosystem, fraught with vulnerability The overlooked task of patching PC BIOS and UEFI firmware vulnerabilities leaves corporations wide open to attack, a new paper by security researchers warns. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/06/12/bios_securi… *** Oh look - JavaScript Droppers *** --------------------------------------------- In a typical drive-by-download attack scenario the shellcode would download and execute a malware binary. The malware binary is usually wrapped in a dropper that unpacks or de-obfuscates and executes it. Droppers' main goal is to launch malware without being detected by antiviruses and HIPS. Nowadays the most popular way of covert launching would probably... --------------------------------------------- http://labs.bromium.com/2015/06/12/oh-look-javascript-droppers/ *** NTP für Windows: Schaltsekunde könnte Probleme bereiten *** --------------------------------------------- Wer den NTP-Client für Windows installiert hat, sollte vor dem 30. Juni ein Update durchführen --------------------------------------------- http://derstandard.at/2000017430786 *** Windows Server 2003 End of Life: You Can't RIP *** --------------------------------------------- Windows XP reached end of support last year and now it's time for another end of life: Windows Server 2003. On July 14, 2015, this widely deployed Microsoft operating system will reach its end of life - a long run since its launch in April 2003. Estimates on the number of still-active Windows Server 2003 users vary from... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/FwOEN1rriTc/ *** OPM hack: Vast amounts of extremely sensitive data stolen *** --------------------------------------------- The extent of the breach suffered by the US Office of Personnel Management has apparently widened. Reports are coming in that the hackers have not only accessed Social Security numbers, job assign... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/FaMAmsBY66Y/secworld.php *** Dnstwist variiert und testet Domainnamen *** --------------------------------------------- Wer überwachen will, wie Vertipper- und Phishing-Domains für einen Domainnamen verbreitet sind, kann das Python-Skript Dnstwist nutzen. Es übernimmt viel Handarbeit und hilft bei der Analyse. --------------------------------------------- http://heise.de/-2690418 *** The top mistakes banks make defending against hackers *** --------------------------------------------- Many financial institutions fail to perform comprehensive risk analysis and assessment, exposing their companies and clients to enormous risk. --------------------------------------------- https://www.htbridge.com/blog/the-top-mistakes-banks-make-defending-against… *** Call to participate in the EU28 Cloud Security Conference *** --------------------------------------------- On June 16, in Riga, the Ministry of Defence of the Republic of Latvia and the European Union Agency for Network and Information Security (ENISA) will organise the EU28 Cloud Security Conference: Reaching the Cloud Era in the European Union. The participants of the conference will discuss the cloud security in the two parallel tracks: "Legal & Compliance" and "Technologies and Solutions". --------------------------------------------- http://www.enisa.europa.eu/media/news-items/call-to-participate-in-the-eu28… *** The Duqu 2.0 persistence module *** --------------------------------------------- We have described how Duqu 2.0 does not have a normal "persistence" mechanism. This can lead users to conclude that flushing out the malware is as simple as rebooting all the infected machines. In reality, things are a bit more complicated. --------------------------------------------- http://securelist.com/blog/research/70641/the-duqu-2-0-persistence-module/ *** Duqu 2.0 Attackers Used Stolen Foxconn Certificate to Sign Driver *** --------------------------------------------- The attackers behind the recently disclosed Duqu 2.0 APT have used stolen digital certificates to help sneak their malware past security defenses, and one of the certificates used in the attacks was issued to Foxconn, the Chinese company that manufactures products for Apple, BlackBerry, Dell, and many other companies. Researchers at Kaspersky Lab, who discovered... --------------------------------------------- http://threatpost.com/duqu-2-0-attackers-used-stolen-foxconn-certificate-to… *** Massive route leak causes Internet slowdown *** --------------------------------------------- Earlier today a massive route leak initiated by Telekom Malaysia (AS4788) caused significant network problems for the global routing system. Primarily affected was Level3 (AS3549 - formerly known as Global Crossing) and their customers. Below are some of the details as we know them now. --------------------------------------------- https://www.bgpmon.net/massive-route-leak-cause-internet-slowdown/ *** Cisco issues 16 patches to pop pesky peccant packets *** --------------------------------------------- Remote code execution for some, denial of service for the rest of us Cisco has issued a string of patches for 16 faults including a fix for a possible remote code execution in its IOS and IOS XE routing software. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/06/15/cisco_ipv6_… *** Vulnerabilities in Cisco Products *** --------------------------------------------- *** Multiple Vulnerabilities in OpenSSL (June 2015) Affecting Cisco Products *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Email Security Appliance Anti-Spam Scanner Bypass Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39339 *** Cisco IOS Software TCL Script Interpreter Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39343 *** Cisco Virtualization Experience Client 6215 Devices Command Injection Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39347 *** Novell ZENworks Mobile Management Input Validation Flaw Permits Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1032576 *** Novell Messenger 3.0 Support Pack 1 *** --------------------------------------------- Abstract: Novell Messenger 3.0 Support Pack 1 has been released. Please be aware that there are security fixes to Messengers server and client components (see the change log below and the Readme documentation on the web). It is recommended that they are updated on an expedited basis.Document ID: 5212230Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:consoleone1.3.6h_windows.zip (46.82 MB)nm301_full_linux_multi.tar.gz (269.54 MB)nm301_client_mac_multi.zip (40.62... --------------------------------------------- https://download.novell.com/Download?buildid=o8Y11QiTuc4~ *** DSA-3285 qemu-kvm - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu-kvm, a fullvirtualization solution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2015/dsa-3285 *** DSA-3284 qemu - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu, a fast processoremulator. --------------------------------------------- https://www.debian.org/security/2015/dsa-3284 *** DSA-3288 libav - security update *** --------------------------------------------- Several security issues have been corrected in multiple demuxers anddecoders of the libav multimedia library. A full list of the changes isavailable at https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.4 --------------------------------------------- https://www.debian.org/security/2015/dsa-3288 *** DSA-3287 openssl - security update *** --------------------------------------------- Multiple vulnerabilities were discovered in OpenSSL, a Secure SocketsLayer toolkit. --------------------------------------------- https://www.debian.org/security/2015/dsa-3287 *** DSA-3286 xen - security update *** --------------------------------------------- Multiple security issues have been found in the Xen virtualisationsolution: --------------------------------------------- https://www.debian.org/security/2015/dsa-3286 *** Vulnerabilities in multiple third party TYPO3 CMS extensions *** --------------------------------------------- *** SQL Injection vulnerability in extension FAQ - Frequently Asked Questions (js_faq) *** http://www.typo3.org/news/article/sql-injection-vulnerability-in-extension-… *** SQL Injection vulnerability in extension Developer Log (devlog) *** http://www.typo3.org/news/article/sql-injection-vulnerability-in-extension-… *** SQL Injection vulnerability in extension Smoelenboek (ncgov_smoelenboek) *** http://www.typo3.org/news/article/sql-injection-vulnerability-in-extension-… *** SQL Injection vulnerability in extension Store Locator (locator) *** http://www.typo3.org/news/article/sql-injection-vulnerability-in-extension-… *** SQL Injection vulnerability in extension wt_directory (wt_directory) *** http://www.typo3.org/news/article/sql-injection-vulnerability-in-extension-… *** Arbitrary Code Execution in extension Frontend User Upload (feupload) *** http://www.typo3.org/news/article/arbitrary-code-execution-in-extension-fro… *** Cross-Site Scripting in extension BE User Log (beko_beuserlog) *** http://www.typo3.org/news/article/cross-site-scripting-in-extension-be-user… *** Arbitrary Code Execution in extension Job Fair (jobfair) *** http://www.typo3.org/news/article/arbitrary-code-execution-in-extension-job… *** Security Advisory - Web UI Authentication Vulnerability in Huawei E5756S *** --------------------------------------------- Jun 15, 2015 18:00 --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** Filezilla 3.11.0.2 sftp module denial of service vulnerability *** --------------------------------------------- Topic: Filezilla 3.11.0.2 sftp module denial of service vulnerability Risk: Medium Text: # Exploit title: filezilla 3.11.0.2 sftp module denial of service vulnerability # Date: 5-6-2015 # Vendor homepage: http... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015060077 *** putty v0.64 denial of service vulnerability *** --------------------------------------------- Topic: putty v0.64 denial of service vulnerability Risk: Medium Text: # Exploit title: putty v0.64 denial of service vulnerability # Date: 5-6-2015 # Vendor homepage: http://www.chiark.green... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015060076 *** E-Detective Lawful Interception System multiple security vulnerabilities *** --------------------------------------------- Topic: E-Detective Lawful Interception System multiple security vulnerabilities Risk: Medium Text:Advisory: E-Detective Lawful Interception System multiple security vulnerabilities Date: 14/06/2015 CVE: ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015060075

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily