- Daily - CERT.at

Tageszusammenfassung - Montag 17-02-2014
by Daily end-of-shift report 17 Feb '14

17 Feb '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 14-02-2014 18:00 − Montag 17-02-2014 18:00 Handler: Alexander Riepl Co-Handler: Christian Wojner *** Not Just Pills or Payday Loans, It's Essay SEO SPAM! *** --------------------------------------------- Remember back in school or college when you had to write pages and pages of long essays, but you had no time write them? Or maybe you were just too lazy? Yeah, good times. Well, it seems like some companies are trying to end this problem. They are offering services where clients pay .. --------------------------------------------- http://blog.sucuri.net/2014/02/not-just-pills-or-payday-loans-its-essay-seo… *** New IE 10 Zero Day Targeting Military Intelligence *** --------------------------------------------- A new campaign, dubbed Operation SnowMan, has been spotted leveraging a previously unknown zero-day in Internet Explorer 10 to compromise the U.S. Veterans of Foreign Wars website this week. --------------------------------------------- http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/10… *** Microsoft Internet Explorer 10 remote code execution exploit *** --------------------------------------------- Microsoft Internet Explorer 10 remote code execution exploit, Use-after-free vulnerability in Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code via vectors in... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014020123 *** The New Normal: 200-400 Gbps DDoS Attacks *** --------------------------------------------- KrebsOnSecurity has been targeted by countless denial-of-service attacks intended to knock it offline. Earlier this week, KrebsOnSecurity was hit by easily the most massive and intense such attack yet -- a nearly 200 Gpbs assault leverging a simple attack method that industry experts is becoming alarmingly common. --------------------------------------------- http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/ *** More Malware Embedded in RTFs *** --------------------------------------------- RTF (Rich Text Format) files have been used before by cybercriminals, but of late it seems their use of this format is becoming more creative. We have earlier talked about how CPL files were being embedded in RTF files and sent to would-be victims as an e-mail attachment. These CPL files would then proceed to download malicious .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/more-malware-emb… *** More on HNAP - What is it, How to Use it, How to Find it, (Sat, Feb 15th) *** --------------------------------------------- Weve had a ton of discussion on the most recent set of home router vulnerabilities based on the HNAP protocol. But what is the HNAP protocol for, and why is it so persistently enabled? HNAP (Home Network Administration Protocol) is a network device management protocol, useful for anyone, but I think meant primarily for ISPs to manage fleets of .. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17648&rss *** Crowdfunding-Plattform Kickstarter gehackt *** --------------------------------------------- Die Crowdfunding-Plattform Kickstarter wurde Opfer eines Hackerangriffs. Jenseits von Benutzernamen und Mail-Adressen griffen die Hacker auch auf verschlüsselte Passwörter zu. --------------------------------------------- http://www.heise.de/security/meldung/Crowdfunding-Plattform-Kickstarter-geh… *** Zugangsdaten im Umlauf: FTP-Server von Webseiten angegriffen *** --------------------------------------------- Es sollen wohl tausende Zugangsdaten zu FTP-Servern im Umlauf sein, darunter auch Zugänge für bekannte Webseiten. Erste Fälle, in denen Schadinhalte auf Webseiten wie der New York Times untergebracht wurden, gab es schon. (Virus, Server-Applikationen) --------------------------------------------- http://www.golem.de/news/zugangsdaten-im-umlauf-ftp-server-von-webseiten-an… *** HP Data Protector EXEC_BAR Remote Command Execution *** --------------------------------------------- Topic: HP Data Protector EXEC_BAR Remote Command Execution, import argparse import socket .. --------------------------------------------- http://cxsecurity.com/issue/WLB-2014020134 *** WebSphere Application Server Multiple Java Vulnerabilities *** --------------------------------------------- WebSphere Application Server Multiple Java Vulnerabilities --------------------------------------------- https://secunia.com/advisories/56778 *** Mapping Hacking Team's "Untraceable" Spyware *** --------------------------------------------- Remote Control System (RCS) is sophisticated computer spyware marketed and sold exclusively to governments by Milan-based Hacking Team. Hacking Team was first thrust into the public spotlight in 2012 when RCS was used against award-winning Moroccan media outlet Mamfakinch, and United Arab Emirates (UAE) human rights activist Ahmed Mansoor. Most recently, Citizen Lab research found that RCS was used to target Ethiopian journalists in the Washington DC area. --------------------------------------------- https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware/

1 0

Tageszusammenfassung - Freitag 14-02-2014
by Daily end-of-shift report 14 Feb '14

14 Feb '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 13-02-2014 18:00 − Freitag 14-02-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Angriffe über Zero-Day-Lücke im Internet Explorer *** --------------------------------------------- Im IE klafft eine kritische Schwachstelle, durch die man seinen Rechner beim Surfen mit Schadcode infizieren kann. Sie wird bereits für gezielte Cyber-Angriffe missbraucht. --------------------------------------------- http://www.heise.de/security/meldung/Angriffe-ueber-Zero-Day-Luecke-im-Inte… http://www.securitytracker.com/id/1029765 http://www.kb.cert.org/vuls/id/732479 *** BSI warnt Admins: "Zahlreiche deutsche Server mit Ebury-Rootkit infiziert" *** --------------------------------------------- Das CERT-Bund hat das Linux-Rootkit bereits auf hunderten deutschen Servern lokalisiert; vermutlich sind deutlich mehr betroffen. Admins sollten ihr System jetzt testen. --------------------------------------------- http://www.heise.de/security/meldung/BSI-warnt-Admins-Zahlreiche-deutsche-S… *** Bizarre attack infects Linksys routers with self-replicating malware *** --------------------------------------------- Some 1,000 devices have been hit by the worm, which seeks out others to infect. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/9tO67obVxlY/story01… *** Apples iCloud verschickt und empfängt Mail im Klartext *** --------------------------------------------- Ein kurzer Nachtest von Apples iCloud-Mail-Diensten förderte zu Tage, dass Apples Mail-Server weniger Schutz vor Schnüfflern bieten als fast aller anderen Mail-Provider. --------------------------------------------- http://www.heise.de/security/meldung/Apples-iCloud-verschickt-und-empfaengt… *** DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure *** --------------------------------------------- Today, at 2014-02-12 12:16:20 (CET), we became aware of a possible evasive/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About.com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what... --------------------------------------------- http://www.webroot.com/blog/2014/02/14/doubleclick-malvertising-campaign-ex… *** SYM14-004 Symantec Endpoint Protection Management Vulnerabilities *** --------------------------------------------- On Tuesday, February 18, SEC Consult Vulnerability Lab, an Austrian-based security consultancy, is planning to release an advisory to the public regarding vulnerabilities that it found within Symantec Endpoint Protection. For additional information on the SYM14-004 vulnerability, read the Symantec Security Response SYM14-004 Security Advisory. --------------------------------------------- http://www.symantec.com/business/support/index?page=content&id=TECH214866 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… http://www.heise.de/security/meldung/Update-fuer-kritische-Luecken-im-Syman… *** CA 2E Web Option Unauthenticated Privilege Escalation *** --------------------------------------------- Topic: CA 2E Web Option Unauthenticated Privilege Escalation Risk: Medium Text:Vulnerability title: Unauthenticated Privilege Escalation in CA 2E Web Option CVE: CVE-2014-1219 Vendor: CA Product: 2E W... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014020111 http://www.securityfocus.com/archive/1/531064 *** GnuTLS Intermediate Certificate Processing Flaw May Let Remote Users Bypass Certificate Validation *** --------------------------------------------- http://www.securitytracker.com/id/1029766 *** Bugtraq: Critical security flaws in Nagios NRPE client/server crypto *** --------------------------------------------- http://www.securityfocus.com/archive/1/531063

1 0

Tageszusammenfassung - Donnerstag 13-02-2014
by Daily end-of-shift report 13 Feb '14

13 Feb '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 12-02-2014 18:00 − Donnerstag 13-02-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** In the wild: Phony SSL certificates impersonating Google, Facebook, and iTunes *** --------------------------------------------- Bogus credentials may be enough to ensnare some smartphone apps, researchers say. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/_AvaaGHbDLo/story01… *** Gameover Zeus most active banking trojan in 2013, researchers report *** --------------------------------------------- The most active banking trojan of 2013 was the Gameover variant Zeus, according to the latest research by the experts with the Dell SecureWorks Counter Threat Unit. --------------------------------------------- http://www.scmagazine.com/gameover-zeus-most-active-banking-trojan-in-2013-… *** Decoding Domain Generation Algorithms (DGAs) - Part I *** --------------------------------------------- Part 1 - Unpacking the binary to properly view it in IDA Pro --------------------------------------------- http://vrt-blog.snort.org/2014/02/decoding-domain-generation-algorithms.html *** Weekly Metasploit Update: Android WebView Exploit, Clipboard Monitor, and Mass Checks *** --------------------------------------------- Weekly Metasploit Update: Android WebView Exploit, Clipboard Monitor, and Mass Checks --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2014/02/13/weekly-me… *** TYPO3: Several vulnerabilities in third party extensions *** --------------------------------------------- Several vulnerabilities have been found in the following third-party TYPO3 extensions: alpha_sitemap, femanager ke_stats, outstats, px_phpids, smarty, wec_map --------------------------------------------- http://typo3.org/news/article/several-vulnerabilities-in-third-party-extens… *** python-gnupg Command Injection Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/56616 *** Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server January 2014 CPU *** --------------------------------------------- Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server. CVE(s): CVE-2014-0411 Affected product(s) and affected version(s): SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.1, Version 8.0.0.0 through 8.0.0.8, Version 7.0.0.0 through 7.0.0.31, Version 6.1.0.0 through 6.1.0.47 Refer to the following reference URLs for remediation and additional vulnerability details. --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul… *** Drupal - Vulnerabilities in third-party Contributions *** --------------------------------------------- https://drupal.org/node/2194135 https://drupal.org/node/2194589 https://drupal.org/node/2194621 https://drupal.org/node/2194639 https://drupal.org/node/2194655 https://drupal.org/node/2194671 https://drupal.org/node/2194809 https://drupal.org/node/2194877 *** SAP NetWeaver Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/56947 *** Juniper Networks - 2014-02 Security Threat Response Manager: Multiple vulnerabilities *** --------------------------------------------- Product Affected: STRM series devices and virtual machines with SRTM software releases: 2010.0, 2012.0, 2012.1, 2013.1, 2013.2 --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10614

1 0

Tageszusammenfassung - Mittwoch 12-02-2014
by Daily end-of-shift report 12 Feb '14

12 Feb '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 11-02-2014 18:00 − Mittwoch 12-02-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Security update available for Adobe Shockwave Player (APSB14-06) *** --------------------------------------------- A Security Bulletin (APSB14-06) has been published regarding an update for Adobe Shockwave Player 12.0.7.148 and earlier for Windows and Macintosh. This update addresses critical vulnerabilities that could potentially allow an attacker to remotely take control of the affected system. --------------------------------------------- http://blogs.adobe.com/psirt/?p=1051 *** Assessing risk for the February 2014 security updates *** --------------------------------------------- Today we released seven security bulletins addressing 31 unique CVEs. Four bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. --------------------------------------------- https://blogs.technet.com/b/srd/archive/2014/02/11/assessing-risk-for-the-f… *** Vulnerability in Microsoft Forefront Protection for Exchange Could Allow Remote Code Execution (2927022) *** --------------------------------------------- This security update resolves a privately reported vulnerability in Microsoft Forefront. The vulnerability could allow remote code execution if a specially crafted email message is scanned. This security update is rated Critical for all supported builds of Microsoft Forefront Protection for Exchange 2010. --------------------------------------------- http://technet.microsoft.com/en-us/security/bulletin/ms14-008 *** Attacking ICS Systems "Like Hacking in the 1980s" *** --------------------------------------------- Here's how nuts the world of ICS security is: Jonathan Pollet, a security consultant who specializes in ICS systems, was at a Texas amusement park recently and the ride he was waiting for was malfunctioning. The operator told him the ride used a Siemens PLC as part of the control system, so he went... --------------------------------------------- http://threatpost.com/attacking-ics-systems-like-hacking-in-the-1980s/104200 *** CVE-2014-0050: Exploit with Boundaries, Loops without Boundaries *** --------------------------------------------- In this article I will discuss CVE-2014-0050: Apache Commons FileUpload and Apache Tomcat Denial-of-Service in detail. The article reviews the vulnerabilitys technical aspects in depth and includes recommendations that can help administrators defend from future exploitation of this security issue. How do we know about this vulnerability? About five days ago, Mark Thomas, a Project Management Committee Member and Committer in the Apache Tomcat project, sent an email about the accidentally leaked --------------------------------------------- http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-lo… *** Suspected Mass Exploit Against Linksys E1000 / E1200 Routers, (Wed, Feb 12th) *** --------------------------------------------- Brett, who operates an ISP in Wyoming, notified us that he had a number of customers with compromissed Linksys routers these last couple of days. The routers, once compromissed, scan port 80 and 8080 as fast as they can (saturating bandwidth available). It is not clear which vulnerability is being exploited, but Brett eliminated weak passwords. E1200 routers with the latest firmware (2.0.06) appear to be immune agains the exploit used. E1000 routers are end-of-life and dont appear to have an... --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17621&rss *** Cracking Linksys "Encryption" *** --------------------------------------------- Perusing the release notes for the latest Linksys WRT120N firmware, one of the more interesting comments reads: Firmware 1.0.07 (Build 01) - Encrypts the configuration file. Having previously reversed their firmware obfuscation and patched their code to re-enable JTAG debugging, I thought that surely I would be able to use... --------------------------------------------- http://www.devttys0.com/2014/02/cracking-linksys-crypto/ *** MSRT February 2014 - Jenxcus *** --------------------------------------------- We have been seeing a lot more VBScript malware in recent months, thanks in most part to VBS/Jenxcus. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. For the past few months we have seen the number of affected machines remain constantly high. For this reason we have included Jenxcus in the February release of the Microsoft Malicious Software... --------------------------------------------- https://blogs.technet.com/b/mmpc/archive/2014/02/11/msrt-february-2014-jenx… *** BSI empfiehlt, dringend Fritz!Box-Update einzuspielen *** --------------------------------------------- Routerhersteller AVM hat am vergangenen Wochenende ein Update für seine Fritz!Box Routermodelle zur Verfügung gestellt, um eine in der letzten Woche bekannt gewordene Schwachstelle zu schließen. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2014/Fritz-Box-U… *** MatrikonOPC Improper Input Validation *** --------------------------------------------- Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the MatrikonOPC SCADA DNP3 OPC Server application. MatrikonOPC has produced a patch that mitigates this vulnerability. The researchers have tested the patch to validate that it resolves the vulnerability.This vulnerability could be exploited remotely. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-010-01 *** Cisco Unified Communications Manager several Vulnerabilities *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** VU#727318: DELL SonicWALL GMS/Analyzer/UMA contains a cross-site scripting (XSS) vulnerability *** --------------------------------------------- Vulnerability Note VU#727318 DELL SonicWALL GMS/Analyzer/UMA contains a cross-site scripting (XSS) vulnerability Original Release date: 11 Feb 2014 | Last revised: 11 Feb 2014 Overview DELL SonicWALL GMS/Analyzer/UMA version 7.1, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. (CWE-79) Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)DELL SonicWALL GMS/Analyzer/UMA version 7.1 contains a cross-site... --------------------------------------------- http://www.kb.cert.org/vuls/id/727318 *** FreePBX 2.x Code Execution *** --------------------------------------------- Topic: FreePBX 2.x Code Execution Risk: High Text:App : Freepbx 2.x download : schmoozecom.com Author : i-Hmx mail : n0p1337(a)gmail.com Home : sec4ever.com , secarrays ltd ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014020088 *** TYPO3 - Several vulnerabilities in third party extensions *** --------------------------------------------- http://typo3.org/news/article/several-vulnerabilities-in-third-party-extens… http://typo3.org/news/article/several-vulnerabilities-in-extension-mm-forum… http://typo3.org/news/article/access-bypass-in-extensions-yet-another-galle… http://typo3.org/news/article/mass-assignment-in-extension-direct-mail-subs… http://typo3.org/news/article/insecure-unserialize-in-extension-news-tt-new… *** [webapps] - NetGear DGN2200 N300 Wireless Router - Multiple Vulnerabilities *** --------------------------------------------- http://www.exploit-db.com/exploits/31617 *** McAfee Firewall Enterprise OpenSSL OCSP Response Verification Denial of Service Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56930 https://secunia.com/advisories/56932 *** [webapps] - jDisk (stickto) v2.0.3 iOS - Multiple Vulnerabilities *** --------------------------------------------- http://www.exploit-db.com/exploits/31618 *** MyBB Extended Useradmininfo Plugin "User-Agent" Script Insertion Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56921 *** Puppet Enterprise - CVE-2013-6393 (Threat of denial of service and potential for arbitrary code execution due to a flaw in libyaml) *** --------------------------------------------- A flaw in the way `libyaml` parsed YAML tags could lead to a heap-based buffer overflow. An attacker could submit a YAML document that, when parsed by an application using `libyaml`, would cause the application to crash or potentially execute malicious code. This has been patched in PE 3.1.3. --------------------------------------------- http://puppetlabs.com/security/cve/cve-2013-6393 *** FFmpeg Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/56838

1 0

Tageszusammenfassung - Dienstag 11-02-2014
by Daily end-of-shift report 11 Feb '14

11 Feb '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 10-02-2014 18:00 − Dienstag 11-02-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Update (2/10) - Advance Notification Service for February 2014 Security Bulletin Release *** --------------------------------------------- Update as of February 10, 2014 We are adding two updates to the February release. There will be Critical-rated updates for Internet Explorer and VBScript in addition to the previously announced updates scheduled for release on February 11, 2014. These updates have completed testing and will be included in tomorrow's release. This brings the total for Tuesday's release to seven bulletins, four Critical. Please review the ANS summary page for updated information to help customers... --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2014/02/10/advance-notification-ser… *** IBMs remote firmware configuration protocol *** --------------------------------------------- I spent last week looking into the firmware configuration protocol used on current IBM system X servers. IBM provide a tool called ASU for configuring firmware settings, either in-band (ie, running on the machine you want to reconfigure) or out of band (ie, running on a remote computer and communicating with the baseboard management controller - IMM in IBM-speak). Im not a fan of using vendor binaries for this kind of thing. They tend to be large (ASU is a 20MB executable) and difficult to --------------------------------------------- http://mjg59.dreamwidth.org/29210.html *** Das Ende des Magnetstreifens - USA wechseln auf Chip&Pin *** --------------------------------------------- Die USA ist eine Hochburg für den Betrug mit geklauten Kreditkartendaten. Doch ab 2015 soll damit Schluss sein -- Visa und Mastercard stellen auf die in Europa seit langem üblichen Karten mit SmartCard-Chip um. --------------------------------------------- http://www.heise.de/security/meldung/Das-Ende-des-Magnetstreifens-USA-wechs… *** Survey: Just 1 in 3 Euro biz slackers meets card security standards *** --------------------------------------------- Yet PCI-DSS has largely been a failure, wails securo-bod European businesses are lagging far behind the rest of the world in compliance with global payment card industry security standards, according to a new survey. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/02/11/pci_survey_… *** NTP-Reflection: Cloudflare meldet massiven DDoS-Angriff *** --------------------------------------------- Der Netzwerksicherheitsanbieter Cloudflare hat in der Nacht einen massiven DDoS-Angriff auf einen seiner Kunden gemeldet. Es handele sich um einen NTP-Reflection-Angriff, der größer sein soll als der Angriff auf Spamhaus Mitte 2013. (Server, DE-CIX) --------------------------------------------- http://www.golem.de/news/ntp-reflection-cloudfare-meldet-massiven-ddos-angr… *** Anti-Diebstahl-Software für Notebooks als Einfallstor *** --------------------------------------------- Sicherheitsexperten haben die auf Notebooks oft vorinstallierte Anwendung Computrace unter die Lupe genommen. Ergebnis: Die Software hat eine massive Sicherheitslücke. Außerdem lässt sie sich nicht immer deaktivieren. --------------------------------------------- http://www.heise.de/security/meldung/Anti-Diebstahl-Software-fuer-Notebooks… *** The Mask/Careto: Hochentwickelter Cyberangriff auf Energieunternehmen *** --------------------------------------------- Bis Januar 2014 war die Cyberwaffe The Mask aktiv, die Sicherheitslücken in Kaspersky-Software und im Adobe Flash Player ausnutzte. Die Malware arbeitet mit Rootkit, Bootkit und Versionen für Mac OS X, Linux, Android und iOS und löscht ihre Logdateien durch überschreiben. --------------------------------------------- http://www.golem.de/news/the-mask-careto-hochentwickelter-cyberangriff-auf-… *** Blog: The Careto/Mask APT: Frequently Asked Questions *** --------------------------------------------- The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. --------------------------------------------- http://www.securelist.com/en/blog/208216078/The_Careto_Mask_APT_Frequently_… *** Five OAuth Bugs Lead to Github Hack *** --------------------------------------------- A Russian researcher was able to take five low severity OAuth bugs and string them together to create what he calls a "simple but high severity exploit" in Github. --------------------------------------------- http://threatpost.com/five-oauth-bugs-lead-to-github-hack/104178 *** Your PenTest Tools Arsenal *** --------------------------------------------- When it comes about information security one of the major problems is to set your PenTest Tools Arsenal. The truth is there are too many tools out there and it would take forever to try half of them to see if it fit your needs. Over the years, there are some well established tools that most of security professionals use them but that doesn't mean that out there are not unknown still very good pentest tools. --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2014/02/11/your-pent… *** Symantec Web Gateway Security Management Console Multiple Security Issues *** --------------------------------------------- Symantec Web Gateway (SWG) Appliance management console is susceptible to both local and remote access cross-site scripting (XSS) and local access SQL injection (sqli) vulnerabilities. Successful exploitation may result in an authorized user gaining unauthorized access to files on the management console or possibility being able to manipulate the backend data base. There is also potential for remote hijacking of an authorized user session with associated privileges. --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** Schneider ClearSCADA File Parsing Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56880 *** [webapps] - WiFi Camera Roll 1.2 iOS - Multiple Vulnerabilities *** --------------------------------------------- http://www.exploit-db.com/exploits/31573 *** IBM WebSphere Portal Arbitrary File Upload Security Bypass Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56805 *** Bugtraq: Open-Xchange Security Advisory 2014-02-10 *** --------------------------------------------- http://www.securityfocus.com/archive/1/531005 *** parcimonie (0.6 to 0.8, included) possible correlation between key fetches *** --------------------------------------------- Topic: parcimonie (0.6 to 0.8, included) possible correlation between key fetches Risk: Low Text:Hi, Holger Levsen discovered that parcimonie [1], a privacy-friendly helper to refresh a GnuPG k... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014020072 *** Joomla JomSocial Remote Code Execution Vulnerability *** --------------------------------------------- The JomSocial team just released an update that fixes a very serious remote code execution vulnerability that affects any JomSocial version older than 3.1.0.4. From their hot-fix update: Yesterday we released version 3.1.0.4 which fixes two vulnerabilities. As a result of the first vulnerability, our own site was hacked. Thankfully, our security experts spotted the... --------------------------------------------- http://blog.sucuri.net/2014/02/joomla-jomsocial-remote-code-execution-vulne… *** Perl Regex Processing Flaw Lets Remote and Local Users Deny Service *** --------------------------------------------- http://www.securitytracker.com/id/1029735 *** Titan FTP Server 10.32 Build 1816 Directory Traversals *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2014020075 *** Avaya Call Management System (CMS) Security Issue and Two Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/56926 *** Google Android addJavascriptInterface code execution *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/90998

1 0

Tageszusammenfassung - Montag 10-02-2014
by Daily end-of-shift report 10 Feb '14

10 Feb '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 07-02-2014 18:00 − Montag 10-02-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Darkleech + Bitly.com = Insightful Statistics *** --------------------------------------------- This post is about how hackers abuse popular web services, and how this helps security researchers obtain interesting statistics about malware attacks. We, at Sucuri, work with infected websites every day. While we see some particular infections on one site or on multiple sites, we can't accurately tell how many more sites out there are... --------------------------------------------- http://blog.sucuri.net/2014/02/darkleech-bitly-com-insightful-statistics.ht… *** The Internet is Broken - Act Accordingly *** --------------------------------------------- Costin Raiu is a cautious man. He measures his words carefully and says exactly what he means, and is not given to hyperbole or exaggeration. Raiu is the driving force behind much of the intricate research into APTs and targeted attacks that Kaspersky Lab's Global Research and Analysis Team has been doing for the last... --------------------------------------------- http://threatpost.com/the-internet-is-broken-act-accordingly/104141 *** Linkup ransomware blocks internet access, mines Bitcoins *** --------------------------------------------- A trojan variant, Linkup, identified by Emsisoft, takes control of DNS servers, blocks internet access and mines Bitcoins. --------------------------------------------- http://www.scmagazine.com/linkup-ransomware-blocks-internet-access-mines-bi… *** February 2014 Threat Stats *** --------------------------------------------- Its no surprise that this months threat stats reveal that the largest breach to take place in December involved Target, where 40 million individuals were affected by the point-of-sale malware that swiped the data. --------------------------------------------- http://www.scmagazine.com/february-2014-threat-stats/slideshow/1809/#0 *** iOS: Sicherheitsforscher warnt vor DoS-Möglichkeit über Snapchat *** --------------------------------------------- Durch Wiederverwendung alter App-Tokens soll es möglich sein, große Mengen an Nachrichten an Nutzer des Bilderdienstes zu schicken, was dann auch dem iPhone Probleme bereiten soll. Snapchat ist das Problem neu. --------------------------------------------- http://www.heise.de/security/meldung/iOS-Sicherheitsforscher-warnt-vor-DoS-… *** Want to remotely control a car? $20 in parts, some oily fingers, and youre in command *** --------------------------------------------- Spanish hackers have been showing off their latest car-hacking creation; a circuit board using untraceable, off-the-shelf parts worth $20 that can give wireless access to the cars controls while its on the road. --------------------------------------------- http://www.theregister.co.uk/2014/02/06/want_to_hack_a_car_20_in_parts_some… *** Mac Trojan Steals Bitcoin Wallet Credentials *** --------------------------------------------- A new Trojan for Mac OS X disguised as an app for sending and receiving payments steals Bitcoin wallet login credentials. --------------------------------------------- http://threatpost.com/mac-trojan-steals-bitcoin-wallet-credentials/104152 *** Security Bulletin: Fix available for Cross Site Scripting vulnerabilities in IBM Connections Portlets for WebSphere Portal (CVE-2014-0855) *** --------------------------------------------- A fix is available for Cross Site Scripting (XSS) vulnerabilities in IBM Connections Portlets for WebSphere Portal. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21663921 *** Bugtraq: [oCERT-2014-001] MantisBT input sanitization errors *** --------------------------------------------- http://www.securityfocus.com/archive/1/530980 *** Bugtraq: ASUS AiCloud Enabled Routers 12 Models - Authentication bypass and Sensitive file/path disclosure *** --------------------------------------------- http://www.securityfocus.com/archive/1/530985 *** Contao "Input::postRaw()" PHP Object Injection Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56755 *** Xerox ColorQube 8700 / 8900 Unspecified Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/56889

1 0

Tageszusammenfassung - Freitag 7-02-2014
by Daily end-of-shift report 07 Feb '14

07 Feb '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 06-02-2014 18:00 − Freitag 07-02-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Advance Notification Service for February 2014 Security Bulletin Release *** --------------------------------------------- Today we are providing advance notification for the release of five bulletins, two rated Critical and three rated Important, for February 2014. The Critical updates address vulnerabilities in Microsoft Windows and Security Software while the Important-rated updates address issues in Windows and the .NET Framework. --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2014/02/06/advance-notification-ser… *** Syrian Electronic Army nimmt beinahe Facebook vom Netz *** --------------------------------------------- Die Hacker der Syrian Electronic Army haben es fast geschafft, Facebooks Domain zu kapern. Zugang verschafften sie sich wohl durch das Administrationsinterface der Registrars MarkMonitor. --------------------------------------------- http://www.heise.de/security/meldung/Syrian-Electronic-Army-nimmt-beinahe-F… *** Bug in iOS 7: Fernortung lässt sich abdrehen *** --------------------------------------------- Mit einem Trick ist es möglich, bei iOS-7-Geräten Apples "Mein iPhone/iPad suchen", mit dem auch ein geklautes Gerät wiedergefunden werden kann, ohne Passwort zu deaktivieren. Dazu muss das Gerät allerdings entsperrt sein. --------------------------------------------- http://www.heise.de/security/meldung/Bug-in-iOS-7-Fernortung-laesst-sich-ab… *** A Look at Malware with Virtual Machine Detection *** --------------------------------------------- It's not uncommon for the malware of today to include some type of built-in virtual machine detection. Virtual Machines (VMs) are an essential part of a malware analyst's work environment. After all, we wouldn't want to infect our physical - or "bare-metal" computers - to all the... --------------------------------------------- http://blog.malwarebytes.org/intelligence/2014/02/a-look-at-malware-with-vi… *** Large-scale DNS redirection on home routers for financial theft *** --------------------------------------------- In late 2013 CERT Polska received confirmed reports about modifications in e-banking websites observed on... iPhones. Users were presented with messages about alleged changes in account numbers that required confirmation with mTANs. This behavior would suggest that some Zeus-like trojan had been ported to iOS. As this would be the first confirmed case of such malware... --------------------------------------------- https://www.cert.pl/news/8019/langswitch_lang/en *** Fritzbox-Angriff analysiert: AVM bereitet Firmware-Updates vor *** --------------------------------------------- AVM hat den für Telefoniemissbrauch benutzten Angriffsweg nachvollzogen und bereitet Firmware-Updates für Fritzboxen vor, die am Wochenende erscheinen sollen. --------------------------------------------- http://www.heise.de/security/meldung/Fritzbox-Angriff-analysiert-AVM-bereit… *** Joomla! PROJOOM Smart Flash Header Component Arbitrary File Upload Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56831 *** Bugtraq: CVE-2014-1214 - Remote Code Execution in Projoom NovaSFH Plugin *** --------------------------------------------- http://www.securityfocus.com/archive/1/530938 *** Core FTP Server Vulnerabilities *** --------------------------------------------- CVE-2014-1441: Race condition leading to Denial of Service on the "AUTH SSL" command with invalid SSL data CVE-2014-1442: "XCRC" Directory Traversal Information Disclosure CVE-2014-1443: Password Disclosure Vulnerability --------------------------------------------- http://permalink.gmane.org/gmane.comp.security.full-disclosure/91518 *** Bugtraq: [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS *** --------------------------------------------- http://www.securityfocus.com/archive/1/530936 *** IBM Tealeaf CX Passive Capture Application remote code execution *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/89228 *** IBM Tealeaf CX Passive Capture Application local file include *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/89229 *** Symantec Encryption Management Server Web Email Protection information disclosure *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/90946 *** Palo Alto Networks PAN-OS Certificate Invalidation on Master Key Change Security Bypass Security Issue *** --------------------------------------------- https://secunia.com/advisories/56392 *** Schneider Electric SCADAPack VxWorks Debugger Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56811 *** osCommerce 2.3.3.4 SQL Injection *** --------------------------------------------- Topic: osCommerce 2.3.3.4 SQL Injection Risk: Medium Text:# Title: osCommerce v2.x SQL Injection Vulnerability # Dork: Powered by osCommerce # Author: Ahmed Aboul-Ela # Contact: ahme... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014020042

1 0

Tageszusammenfassung - Donnerstag 6-02-2014
by Daily end-of-shift report 06 Feb '14

06 Feb '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 05-02-2014 18:00 − Donnerstag 06-02-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Target Hackers Broke in Via HVAC Company *** --------------------------------------------- Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/JuvkO7plF2E/ *** Angriffe auf Fritzboxen: AVM empfiehlt Abschaltung der Fernkonfiguration *** --------------------------------------------- Nach ersten Fällen von Telefonie-Missbrauch halten Angriffe auf Fritzboxen über die Fernkonfiguration an. Um Schäden vorzubeugen, sollen Fritzbox-Nutzer die Funktion vorübergehend deaktivieren. --------------------------------------------- http://www.heise.de/security/meldung/Angriffe-auf-Fritzboxen-AVM-empfiehlt-… *** Demystifying Point of Sale Malware and Attacks *** --------------------------------------------- Cybercriminals have an insatiable thirst for credit card data. There are multiple ways to steal this information on-line, but Point of Sales are the most tempting target. An estimated 60 percent of purchases at retailers' Point of Sale (POS) are paid for using a credit or debit card. Given that large retailers may process thousands of transactions daily though their POS, it stands to reason that POS terminals have come into the crosshairs of cybercriminals seeking large volumes of credit... --------------------------------------------- http://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-a… *** Malware Uses ZWS Compression for Evasion Tactic *** --------------------------------------------- Cybercriminals can certainly be resourceful when it comes to avoiding detection. We have seen many instances wherein malware came equipped with improved evasion techniques, such as preventing execution of analysis tools, hiding from debuggers, blending in with normal network traffic, along with various JavaScript techniques. Security researchers have now come across malware that uses a legitimate compression technique to go unnoticed by security solutions. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/malware-uses-zws… *** New Asprox Variant Goes Above and Beyond to Hijack Victims *** --------------------------------------------- [UPDATE] After further analysis, this threat was identified as Asprox botnet and not Zbot --------------------------------------------- http://research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.… *** OpenLDAP 2.4.36 Remote Users Deny Of Service *** --------------------------------------------- Topic: OpenLDAP 2.4.36 Remote Users Deny Of Service Risk: Medium Text:It was discovered that OpenLDAP, with the rwm overlay to slapd, could segfault if a user were able to query the directory and i... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014020032 *** Rockwell RSLogix 5000 Password Vulnerability *** --------------------------------------------- OVERVIEW: This advisory was originally posted to the US-CERT secure Portal library on January 21, 2014, and is now being released to the NCCIC/ICS-CERT Web site.Independent researcher Stephen Dunlap has identified a password vulnerability in the Rockwell Automation RSLogix 5000 software. Rockwell Automation has produced a new version that mitigates this vulnerability. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-021-01 *** NETGEAR Router D6300B Telnet Backdoor Lets Remote Users Gain Root Access *** --------------------------------------------- http://www.securitytracker.com/id/1029727 *** DSA-2855 libav *** --------------------------------------------- several vulnerabilities --------------------------------------------- http://www.debian.org/security/2014/dsa-2855 *** Security Bulletin: IBM Domino IMAP Server Denial of Service Vulnerability (CVE-2014-0822) *** --------------------------------------------- The IMAP server in IBM Domino contains a denial of service vulnerability. A remote unauthenticated attacker could exploit this security vulnerability to cause a crash of the Domino server. The fix for this issue is available as a hotfix and is planned to be incorporated in all upcoming Interim Fixes, Fix Packs and Maintenance Releases. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21663023 *** Bugtraq: ESA-2014-005: EMC Documentum Foundation Services (DFS) Content Access Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/530929 *** Vulnerabilities in Drupal Third-Party Modules *** --------------------------------------------- https://drupal.org/node/2187453 https://drupal.org/node/2189509 https://drupal.org/node/2189643 https://drupal.org/node/2189751 *** WordPress WooCommerce SagePay Direct Payment Gateway Cross-Site Scripting Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56801

1 0

Tageszusammenfassung - Mittwoch 5-02-2014
by Daily end-of-shift report 05 Feb '14

05 Feb '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 04-02-2014 18:00 − Mittwoch 05-02-2014 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner *** WordPress Stop User Enumeration Plugin "author" User Enumeration Weakness *** --------------------------------------------- Andrew Horton has discovered a weakness in the Stop User Enumeration plugin for WordPress, which can be exploited by malicious people to disclose certain sensitive information. The weakness is caused due to an error when handling the "author" POST parameter, which can be exploited to enumerate valid usernames. The weakness is confirmed in version 1.2.4. Other versions may also be affected. --------------------------------------------- https://secunia.com/advisories/56643 *** Chrome Web Store Beset by Spammy Extensions *** --------------------------------------------- Twelve seemingly legitimate Chrome browser extensions installed by more than 180,000 users are injecting advertisements on 44 popular websites. --------------------------------------------- http://threatpost.com/chrome-web-store-beset-by-spammy-extensions/104031 *** Joomla! JomSocial Component Arbitrary Code Execution Vulnerability *** --------------------------------------------- A vulnerability has been reported in the JomSocial component for Joomla!, which can be exploited by malicious people to compromise a vulnerable system. --------------------------------------------- https://secunia.com/advisories/56692 *** New Zbot Variant Goes Above and Beyond to Hijack Victims *** --------------------------------------------- Zbot is an extremely venomous threat, which has strong persistent tactics to ensure that the victim remains infected despite removal attempts. We will get to the overabundance of methods used to keep the victim infected later on. --------------------------------------------- http://feedproxy.google.com/~r/zscaler/research/~3/ZKiYWwxWXJA/new-zbot-var… *** Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer - Version: 19.0 *** --------------------------------------------- The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11. --------------------------------------------- http://technet.microsoft.com/en-us/security/advisory/2755801 *** Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application *** --------------------------------------------- A newly released, commercially available, DIY tool is pitching itself as being capable of boosting a given domain/list of domains on Alexa’s PageRank, relying on the syndication of Socks4/Socks5 malware-infected/compromised hosts through a popular Russian service. --------------------------------------------- http://feedproxy.google.com/~r/WebrootThreatBlog/~3/VIunL9T8af4/ *** Peinliches Loch in BlackBerrys Geschäftsdaten-Tresor *** --------------------------------------------- Beim BlackBerry 10 versagt eine Policy, die geschäftliche Kontakte vor Zugriffen durch persönliche Apps schützen soll. Die Schwachstelle macht persönlichen Android-Apps Namen und Telefonnummern zugänglich. --------------------------------------------- http://www.heise.de/security/meldung/Peinliches-Loch-in-BlackBerrys-Geschae… *** Standard Operational Procedures to manage multinational cyber-crises finalised by EU, EFTA Member States and ENISA *** --------------------------------------------- Today, with the development of the EU-Standard Operational Procedures (EU-SOPs), a milestone has been reached for the management of multinational cyber crises. These procedures were developed by the EU and European Free Trade Association (EFTA) Member States in collaboration with the EU Agency ENISA. --------------------------------------------- http://www.enisa.europa.eu/media/press-releases/standard-operational-proced… *** #Asusgate: Zehntausende Router geben private Dateien preis *** --------------------------------------------- Im Netz sind IP-Adressen für zehntausende verwundbare Asus-Router aufgetaucht. Unter dem Titel "#ASUSGATE" veröffentlichten Unbekannte zudem Listen mit privaten Dateien auf angeschlossenen USB-Geräten. --------------------------------------------- http://www.heise.de/security/meldung/Asusgate-Zehntausende-Router-geben-pri… *** How to fail at Incident Response *** --------------------------------------------- Im a firm believer in having a sound incident response plan (and policies to go with it). One big piece of this is having a plan with regards to how the IR team should communicate. How should you communicate? Well, thats going to depend on your situation. But let me first answer the easier question: how you should not communicate. --------------------------------------------- http://malwarejake.blogspot.se/2014/02/how-to-fail-at-incident-response.html *** Blog: CVE-2014-0497 – a 0-day vulnerability *** --------------------------------------------- A short while ago, we came across a set of similar SWF exploits and were unable to determine which vulnerability they exploited. --------------------------------------------- http://www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability

1 0

Tageszusammenfassung - Dienstag 4-02-2014
by Daily end-of-shift report 04 Feb '14

04 Feb '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 03-02-2014 18:00 − Dienstag 04-02-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** New iFrame Injections Leverage PNG Image Metadata *** --------------------------------------------- We're always trying to stay ahead of the latest trends, and today we caught a very interesting one that we have either been missing, or it's new. We'll just say it's new.. We're all familiar with the idea of iFrame Injections, right? Understanding an iFrame Injection The iFrame HTML tag is very standard today, it's... --------------------------------------------- http://blog.sucuri.net/2014/02/new-iframe-injections-leverage-png-image-met… *** These Guys Battled BlackPOS at a Retailer *** --------------------------------------------- Ever since news broke that thieves stole more than 40 million debit and credit card accounts from Target using a strain of Point-Of-Sale malware known as BlackPOS, much speculation has swirled around unanswered questions, such as how this malware was introduced into the network, and what mechanisms were used to infect thousands of Targets cash registers. --------------------------------------------- http://krebsonsecurity.com/2014/02/these-guys-battled-blackpos-at-a-retaile… *** Search Engines for OSINT and Recon *** --------------------------------------------- Based on the title to this post, you're thinking, "Awesome, Dave! Welcome to 2006!" Well hang on there. There's an amazing number of awesome search facilities that can be useful when doing OSINT and recon work for pen testing. I'll list a lot of different sites that I have discovered and use regularly for both. --------------------------------------------- http://daveshackleford.com/?p=999 *** Defending Against Tor-Using Malware, Part 2 *** --------------------------------------------- Last week, we talked about what Tor is, how it works, and why system administrators need to be aware of it. Now the question is: should I block Tor, and if I do decide to do that, what can be done to block Tor? Tor, by itself, is not inherently malicious. If a user wants... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/njzW9v7v14w/ *** VU#228886: ZTE ZXV10 W300 router contains hardcoded credentials *** --------------------------------------------- Vulnerability Note VU#228886 ZTE ZXV10 W300 router contains hardcoded credentials Original Release date: 03 Feb 2014 | Last revised: 03 Feb 2014 Overview ZTE ZXV10 W300 router version 2.1.0, and possibly earlier versions, contains hardcoded credentials. (CWE-798) Description ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet service on the device. The username is "admin" and the password is "XXXXairocon" where "XXXX" is the last... --------------------------------------------- http://www.kb.cert.org/vuls/id/228886 *** VU#593118: Fortinet Fortiweb 5.0.3 contains a reflected cross-site scripting vulnerability *** --------------------------------------------- Vulnerability Note VU#593118 Fortinet Fortiweb 5.0.3 contains a reflected cross-site scripting vulnerability Original Release date: 03 Feb 2014 | Last revised: 03 Feb 2014 Overview Fortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting vulnerability. (CWE-79) Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)Fortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting... --------------------------------------------- http://www.kb.cert.org/vuls/id/593118 *** VU#728638: Fortinet FortiOS 5.0.5 contains a reflected cross-site scripting (XSS) vulnerability *** --------------------------------------------- Vulnerability Note VU#728638 Fortinet FortiOS 5.0.5 contains a reflected cross-site scripting (XSS) vulnerability Original Release date: 03 Feb 2014 | Last revised: 03 Feb 2014 Overview Fortinet FortiOS 5.0.5, and possibly earlier versions, contains a cross-site scripting vulnerability. (CWE-79) Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)Fortinet FortiOS 5.0.5, and possibly earlier versions, contains a cross-site scripting... --------------------------------------------- http://www.kb.cert.org/vuls/id/728638 *** VU#813382: Dell KACE K1000 management appliance contains a cross-site scripting vulnerability *** --------------------------------------------- Vulnerability Note VU#813382 Dell KACE K1000 management appliance contains a cross-site scripting vulnerability Original Release date: 04 Feb 2014 | Last revised: 04 Feb 2014 Overview Dell KACE K1000 management appliance version 5.5.90545, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. (CWE-79) Description Dell KACE K1000 management appliance version 5.5.90545, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. The --------------------------------------------- http://www.kb.cert.org/vuls/id/813382 *** Security Bulletins: Vulnerability in Citrix XenMobile Device Manager server, formerly known as Zenprise Device Manager server, could result in unauthenticated information disclosure *** --------------------------------------------- A vulnerability in Citrix XenMobile Device Manager server, formerly known as Zenprise Device Manager server, that could allow a remote, unauthenticated attacker to gain access to stored data. --------------------------------------------- http://support.citrix.com/article/CTX140044 *** MyBB 1.6.12 POST Cross Site Scripting *** --------------------------------------------- Topic: MyBB 1.6.12 POST Cross Site Scripting Risk: Low Text: <!-- Exploit-Title: MyBB 1.6.12 POST XSS 0day Google-Dork: inurl:index.php intext:Powered By MyBB Date: Februrary 2n... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014020018 *** Chrony chronyc Protocol Response Amplification Denial of Service Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56727 *** mpg123 MP3 Decoding Buffer Overflow Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56729

1 0

Tageszusammenfassung - Montag 3-02-2014
by Daily end-of-shift report 03 Feb '14

03 Feb '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 31-01-2014 18:00 − Montag 03-02-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Telefonie-Missbrauch anscheinend kein Massenhack von AVMs Fritzboxen *** --------------------------------------------- In den letzten Tagen wunderten sich einige Fritzbox-Nutzer über hohe, teils exorbitante Telefongebühren. Dahinter stecken anscheinend Angriffe mit bekannten Zugangsdaten auf die Fernkonfiguration der verwendeten Fritzboxen. --------------------------------------------- http://www.heise.de/security/meldung/Telefonie-Missbrauch-anscheinend-kein-… *** Hackers Use a Trick to Deliver Zeus Banking Malware *** --------------------------------------------- IDG News Service - Hackers found a new way to slip past security software and deliver Zeus, a long-known malicious software program that steals online banking details. Security company Malcovery Security, based in Georgia, alerted security analysts after finding that none of 50 security programs on Googles online virus scanning service VirusTotal were catching it as of early Sunday. --------------------------------------------- http://www.cio.com/article/747601/Hackers_Use_a_Trick_to_Deliver_Zeus_Banki… *** More than a million Android devices infected with bootkit trojan *** --------------------------------------------- More than a million Android mobile devices worldwide are now infected with a crafty bootkit trojan known as Android.Oldboot.1.origin - a number that has more than tripled in a week. --------------------------------------------- http://www.scmagazine.com//more-than-a-million-android-devices-infected-wit… *** DailyMotion Still Infected, Serving Fake AV Malware *** --------------------------------------------- DailyMotion, one of the most popular websites on the Web, is still serving fake AV malware three weeks after it was notified of a compromise. --------------------------------------------- http://threatpost.com/dailymotion-still-infected-serving-fake-av-malware/10… *** SSA-342587 (Last Update 2014-02-03): Vulnerabilities in SIMATIC WinCC Open Architecture *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** VU#250358: Various Inmarsat broadband satellite terminals contain multiple vulnerabilities *** --------------------------------------------- A number of broadband satellite terminals which utilize the Inmarsat satellite telecommunications network have been found to contain undocumented hardcoded login credentials (CWE-798). Additionally, these broadband satellite terminals utilize an insecure proprietary communications protocol that allows... --------------------------------------------- http://www.kb.cert.org/vuls/id/250358 *** DSA-2851 drupal6 *** --------------------------------------------- impersonation --------------------------------------------- http://www.debian.org/security/2014/dsa-2851 *** IBM Financial Transaction Manager multiple vulnerabilities *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/90584 http://xforce.iss.net/xforce/xfdb/90585 http://xforce.iss.net/xforce/xfdb/90586 http://xforce.iss.net/xforce/xfdb/90612 *** Security Bulletin: Cross-Site Request Forgery in IBM InfoSphere Master Data Management - Collaborative Edition (CVE-2013-5427) *** --------------------------------------------- Due to insufficient safeguards against cross-site request forgery, an attacker can trick a legitimate user into opening a URL that results in an action being taken as that user, potentially without the knowledge of that user. Any actions taken require that the legitimate user be already authenticated or to authenticate separately as part of the attack. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21663181

1 0

Tageszusammenfassung - Freitag 31-01-2014
by Daily end-of-shift report 31 Jan '14

31 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 30-01-2014 18:00 − Freitag 31-01-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Researcher Warns of Critical Flaws in Oracle Servers *** --------------------------------------------- There are two vulnerabilities in some of Oracle's older database packages that allow an attacker to access a remote server without a password and even view the server's filesystem and dump arbitrary files. Oracle has not released a patch for one of the flaws, even though it was reported by a researcher more than two... --------------------------------------------- http://threatpost.com/researcher-warns-of-critical-flaws-in-oracle-servers/… *** Linux: Sicherheitslücke in x32-Code *** --------------------------------------------- Eine Sicherheitslücke im Linux-Kernel ermöglicht Nutzern das Schreiben in beliebige Speicherbereiche. Betroffen sind nur Kernel mit Unterstützung für x32-Code, in Ubuntu ist dies standardmäßig aktiviert. --------------------------------------------- http://www.golem.de/news/linux-sicherheitsluecke-in-x32-code-1401-104300-rs… *** Yahoo! Mail! users! change! your! passwords! NOW! *** --------------------------------------------- Web giant blames third-party database compromise Yahoo! is urging users of its Mail service to change their passwords to something secure and unique to the web giant - after a security breach exposed account login details to theft. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/01/31/yahoo_mail_… *** Akamai Releases Third Quarter, 2013 State of the Internet Report *** --------------------------------------------- Akamai Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today released its Third Quarter, 2013 State of the Internet Report. Based on data gathered from the Akamai Intelligent Platform, the report provides insight into key global statistics such as network connectivity and connection speeds, attack traffic, and broadband adoption and availability, among many others. --------------------------------------------- http://www.akamai.com/html/about/press/releases/2014/press_012814.html *** Chewbacca Point-of-Sale Malware Campaign Found in 10 Countries *** --------------------------------------------- A criminal campaign using the Tor-based Chewbacca Trojan, which includes memory-scraping malware and a keylogger, is responsible for the theft of more than 49,000 credit card numbers in 10 countries. --------------------------------------------- http://threatpost.com/chewbacca-point-of-sale-malware-campaign-found-in-10-… *** 3S CoDeSys Runtime Toolkit NULL Pointer Dereference *** --------------------------------------------- Independent researcher Nicholas Miles has identified a NULL pointer dereference vulnerability in Smart Software Solutions (3S) CoDeSys Runtime Toolkit application. 3S has produced an update that mitigates this vulnerability. Nicholas Miles has tested the update to validate that it resolves the vulnerability. This vulnerability could be exploited remotely. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-030-01 *** Schneider Electric Telvent SAGE RTU DNP3 Improper Input Validation Vulnerability *** --------------------------------------------- This advisory was originally posted to the US-CERT secure portal library on January 06, 2014, and is now being released to the NCCIC/ICS-CERT Web site. Adam Crain of Automatak and independent researchers Chris Sistrunk and Adam Todorski have identified an improper input validation in the Schneider Electric Telvent SAGE 3030 remote terminal unit (RTU). Schneider Electric has produced a patch that mitigates this vulnerability. This vulnerability could be exploited remotely. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-006-01 *** Moodle - MSA-14-0002: Group constraints lacking in "login as" *** --------------------------------------------- Users were able to log in as a user who in a is not in the same group without the permission to see all groups. --------------------------------------------- https://moodle.org/mod/forum/discuss.php?d=252415 *** TYPO3-PSA-2014-001: Cross-Site Request Forgery Protection in TYPO3 CMS 6.2 *** --------------------------------------------- In TYPO3 CMS, protection against CSRF has been implemented for many important actions (like creating, editing or deleting records) but is still missing in other places (like Extension Manager, file upload, configuration module). The upcoming 6.2 LTS version will finally close this gap and will protect editors or administrators from these kind of attacks. --------------------------------------------- https://typo3.org/teams/security/security-bulletins/psa/typo3-psa-2014-001/ *** Puppet - CVE-2013-6450 - Potential denial of service (daemon crash) via crafted traffic from a TLS 1.2 client. *** --------------------------------------------- The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related... --------------------------------------------- http://puppetlabs.com/security/cve/cve-2013-6450 *** VU#108062: Lexmark laser printers contain multiple vulnerabilities *** --------------------------------------------- Certain Lexmark devices are vulnerable to unverified password changes and stored cross-site scripting attacks. --------------------------------------------- http://www.kb.cert.org/vuls/id/108062 *** A10 Networks Loadbalancer GET directory traversal *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/90814 *** Check Point Endpoint Security MI Server Certificate Validation Flaw Lets Remote Users Conduct Man-in-the-Middle Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1029704 *** Bugtraq: [SECURITY] [DSA 2849-1] curl security update *** --------------------------------------------- http://www.securityfocus.com/archive/1/530910 *** Bugtraq: Joomla! JomSocial component < 3.1.0.1 - Remote code execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/530909 *** Joomla! JV Comment Component "id" SQL Injection Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56588 *** Vuln: OpenStack Compute (Nova) Compressed qcow2 Disk Images Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/63467

1 0

Tageszusammenfassung - Donnerstag 30-01-2014
by Daily end-of-shift report 30 Jan '14

30 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 29-01-2014 18:00 − Donnerstag 30-01-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** New Clues in the Target Breach *** --------------------------------------------- An examination of the malware used in the Target breach suggests that the attackers may have taken advantage of a poorly secured feature built into a widely-used IT management software product that was running on the retailers internal network. --------------------------------------------- http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/ *** How to Debug DKIM, (Wed, Jan 29th) *** --------------------------------------------- DKIM is one way to make it easier for other servers to figure out if an e-mail sent on behalf of your domain is spoofed. Your mail server will add a digital signature to each email authenticating the source. This isnt as good a signing the entire e-mail, but it is a useful tool to at least validate the domain used as part of the "From" header. The problem is that DKIM can be tricky to debug. If you have mail rejected, it is useful to be able to manually verify what went wrong. For --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17528 *** Honey Encryption Tricks Hackers with Decryption Deception *** --------------------------------------------- Honey Encryption is an encryption tool in the works that fools an attacker with bogus decrypted data that looks like it could be a plausible guess at an encryption key or password. --------------------------------------------- http://threatpost.com/honey-encryption-tricks-hackers-with-decryption-decep… *** Attacker extorts coveted Twitter username in elaborate social engineering scheme *** --------------------------------------------- Naoki Hiroshima recently relinquished to an attacker a prized possession that he owned since 2007: a very rare Twitter username so coveted that not only have people tried to steal it, but one person offered $50,000 for it. --------------------------------------------- http://www.scmagazine.com//attacker-extorts-coveted-twitter-username-in-ela… *** Security 101 fail: 3G/4G modems expose control panels to hackers *** --------------------------------------------- Embedded kit depressingly riddled with cross-site request forgery vulns, says researcher Vulnerabilities in a number of 3G and 4G USB modems can be exploited to steal login credentials - or rack up victims mobile bills by sending text messages to premium-rate numbers - a security researcher warns. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/01/30/3gmodem_sec… *** Energy: cyber security is crucial for protection against threats for smart grids which are key for energy availability claims EU cyber security Agency in new report *** --------------------------------------------- The EU's cyber security agency ENISA signals that assessing the threats for smart grids is crucial for their protection and is therefore a key element in ensuring energy availability. --------------------------------------------- http://www.enisa.europa.eu/media/press-releases/energy-cyber-security-is-cr… *** Code-Einschleusung durch MediaWiki-Lücke *** --------------------------------------------- In der beliebten Wiki-Software klafft eine kritische Lücke, durch die Angreifer den Server kompromittieren können. Gepatchte Versionen sorgen für Abhilfe. --------------------------------------------- http://www.heise.de/security/meldung/Code-Einschleusung-durch-MediaWiki-Lue… *** Windows-Taskmanager Process Explorer 16 mit Einbindung von VirusTotal *** --------------------------------------------- Die nun erschienene Version 16 des Process Explorer befragt auf Wunsch den web-basierten Multi-Scanner VirusTotal. Dort prüfen rund 50 Virenscanner, ob eine Datei gefährlich ist. --------------------------------------------- http://www.heise.de/security/meldung/Windows-Taskmanager-Process-Explorer-1… *** Critical infrastructure hack data found in public domain *** --------------------------------------------- Data available from mainstream online media - such as blogs, social networking websites, and specialist online publications - could be used by malevolent agents to mount a cyber-attack on UK critical national infrastructure (CNI), the findings of an investigative assessment to be presented next week will warn. --------------------------------------------- http://eandt.theiet.org/news/2014/jan/ics-security.cfm *** Pidgin Multiple Vulnerabilities *** --------------------------------------------- Multiple vulnerabilities have been reported in Pidgin, which can be exploited by malicious people to compromise a user's system. --------------------------------------------- https://secunia.com/advisories/56693 *** Bugtraq: SimplyShare v1.4 iOS - Multiple Web Vulnerabilities *** --------------------------------------------- The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official SimplyShare v1.4 iOS mobile application. --------------------------------------------- http://www.securityfocus.com/archive/1/530906 *** OTRS Security Advisory 2014-01 - CSRF issue in customer web interface *** --------------------------------------------- An attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks. --------------------------------------------- https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-inte… *** OTRS Security Advisory 2014-02 - SQL injection issue *** --------------------------------------------- Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.18, 3.2.x up to and including 3.2.13 and 3.3.x up to and including 3.3.3. --------------------------------------------- https://www.otrs.com/security-advisory-2014-02-sql-injection-issue/ *** VLC Media Player RTSP Processing "parseRTSPRequestString()" Buffer Overflow Vulnerability *** --------------------------------------------- A vulnerability has been discovered in VLC Media Player, which can be exploited by malicious people to compromise a user's system. --------------------------------------------- https://secunia.com/advisories/56676 *** SA-CONTRIB-2014-007 - Services - Multiple access bypass vulnerabilities *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2014-007 Project: Services (third-party module) Version: 7.xDate: 2014-January-29 Security risk: Highly critical Exploitable from: Remote Vulnerability: Multiple access bypass vulnerabilitiesDescriptionThis module enables you to expose an API to third party systems using REST, XML-RPC or other protocols.The form API provides a method for developers to submit forms programmatically using the function drupal_form_submit(). During programmatic form submissions, all access... --------------------------------------------- https://drupal.org/node/2184843 *** SA-CONTRIB-2014-008 - Tribune - Cross Site Scripting (XSS) *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2014-008 Project: Tribune (third-party module)Version: 6.x, 7.xDate: 2014-January-29 Security risk: Moderately critical Exploitable from: Remote Vulnerability: Cross Site Scripting DescriptionA tribune is a type of chatroom.The module doesnt sufficiently filter user provided text from Tribune node titles.This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a Tribune node. --------------------------------------------- https://drupal.org/node/2184845

1 0

Tageszusammenfassung - Mittwoch 29-01-2014
by Daily end-of-shift report 29 Jan '14

29 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 28-01-2014 18:00 − Mittwoch 29-01-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Introducing ModSecurity Status Reporting *** --------------------------------------------- The Trustwave SpiderLabs Research team is committed to making ModSecurity the best open source WAF possible. To this end, we have deployed Buildbot platforms and revamped regression tests for our different ports to ensure code quality and reliability. But we want to take it even further. The question is, how else can we improve ModSecurity development and support? To best answer that question, we need some basic insight into the ModSecurity user community: How many ModSecurity deployments are... --------------------------------------------- http://blog.spiderlabs.com/2014/01/introducing-modsecurity-status-reporting… *** Defending Against Tor-Using Malware, Part 1 *** --------------------------------------------- In the past few months, the Tor anonymity service as been in the news for various reasons. Perhaps most infamously, it was used by the now-shuttered Silk Road underground marketplace. We delved into the topic of the Deep Web in a white paper titled Deepweb and Cybercrime. In our 2014 predictions, we noted that cybercriminals would go deeper... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/F4F76IP9KP8/ *** Eyeing SpyEye *** --------------------------------------------- Earlier this week, it was announced by the United States Department of Justice that the creator of the notorious SpyEye banking malware, Aleksandr Andreevich Panin (also known as Gribodemon or Harderman), had pleaded guilty before a federal court to charges related to creating and distributing SpyEye. Trend Micro was a key part of this investigation... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/4eIEz-KJvXo/ *** This tool demands access to YOUR ENTIRE DIGITAL LIFE. Is it from GCHQ? No - its by IKEA *** --------------------------------------------- Order a flat-pack kitchen, surrender your HDDs contents If the Target hack - along with all its predecessors - taught us anything, its that the database isnt the vulnerability. Its the data thats the problem. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/01/29/ikea_demand… *** Botnetz nutzt Lücke in alten Java-Versionen *** --------------------------------------------- Sicherheitsexperten haben Schadsoftware entdeckt, die eine vor Monaten geschlossene Java-Lücke ausnutzt, um ein Botnetz aufzubauen. Das Programm läuft auf Windows, Linux und Mac OSX; Abhilfe ist einfach möglich. --------------------------------------------- http://www.heise.de/security/meldung/Botnetz-nutzt-Luecke-in-alten-Java-Ver… *** Cisco Network Time Protocol Distributed Reflective Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the Network Time Protocol (NTP) package of several Cisco products could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013… *** Cisco Identity Services Engine Cross-Site Scripting Vulnerabilities *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** WordPress WebEngage Plugin Multiple Cross-Site Scripting Vulnerabilities *** --------------------------------------------- Multiple vulnerabilities have been discovered in the WebEngage plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks. --------------------------------------------- https://secunia.com/advisories/56700

1 0

Tageszusammenfassung - Dienstag 28-01-2014
by Daily end-of-shift report 28 Jan '14

28 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 27-01-2014 18:00 − Dienstag 28-01-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Making Your Printer Say "Feed Me a Kitten" and Also Exfiltrate Sensitive Data *** --------------------------------------------- As of this last release, PJL (HP's Printer Job Language) is now a grown-up Rex::Proto protocol! Since extending a protocol in Metasploit is beyond the scope of this post, we'll just be covering how to use the PoC modules included with the new protocol. Feel free to dig around in lib/rex/proto/pjl*, though! --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2014/01/23/hacking-p… *** Coordinated malware eradication *** --------------------------------------------- Today, as an industry, we are very effective at disrupting malware families, but those disruptions rarely eradicate them. Instead, the malware families linger on, rearing up again and again to wreak havoc on our customers. To change the game, we need to change the way we work. It is counterproductive when you think about it. The antimalware ecosystem encompasses many strong groups: security vendors, service providers, CERTs, anti-fraud departments, and law enforcement. Each group uses their... --------------------------------------------- https://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-… *** Trustworthy electronic signatures, secure e-Government and trust: the way forward for improving EU citizens' trust in web services, outlined by EU Agency ENISA *** --------------------------------------------- The EU's cyber security Agency, ENISA, is publishing a series of new studies about the current security practices of Trust Service Providers (TSPs) and recommendations for improving cross-border trustworthiness and interoperability for the new regulated TSPs and for e-Government services using them. --------------------------------------------- http://www.enisa.europa.eu/media/press-releases/trustworthy-electronic-sign… *** Android VPN redirect vuln now spotted lurking in Kitkat 4.4 *** --------------------------------------------- Now may be a good time to check this out, says securo-bod Israeli researchers who specialise in ferreting out Android vulns have discovered a new flaw in KitKat 4.4 that allows an attacker to redirect secure VPN traffic to a third-party server. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/01/28/android_vpn… *** File Infectors and ZBOT Team Up, Again *** --------------------------------------------- File infectors and ZBOT don't usually go together, but we recently saw a case where these two kinds of threats did. This particular file infector - PE_PATNOTE.A - appends its code to all executable files on the infected system,... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/n_0oP1-kYzo/ *** Login-Diebstahl: Warnung vor manipuliertem Filezilla-Client *** --------------------------------------------- Avast warnt vor manipulierten Programmversionen des beliebten Filezilla-Clients. Wer die falsche Version des FTP-Programms nutzt, gibt Kriminellen die Zugangsdaten für die verwendeten FTP-Server. Betroffen sind nur Anwender, die Filezilla von der falschen Quelle heruntergeladen haben. --------------------------------------------- http://www.golem.de/news/login-diebstahl-warnung-vor-manipuliertem-filezill… *** Blog: A cross-platform java-bot *** --------------------------------------------- Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465 to infect users with the malware. --------------------------------------------- http://www.securelist.com/en/blog/8174/A_cross_platform_java_bot *** DDoS attacks become smarter, faster and more severe *** --------------------------------------------- DDoS attacks will continue to be a serious issue in 2014 - as attackers become more agile and their tools become more sophisticated, according to Radware. Their report was compiled using data from over 300 cases and the Executive Survey consisting of personal interviews with 15 high-ranking security executives. --------------------------------------------- http://www.net-security.org/secworld.php?id=16268 *** Worldwide Infrastructure Security Report *** --------------------------------------------- Arbor's annual Worldwide Infrastructure Security Report offers unique insight from network operators on the front lines in the global battle against network threats. --------------------------------------------- http://www.arbornetworks.com/resources/infrastructure-security-report *** SI6 Networks IPv6 Toolkit *** --------------------------------------------- A security assessment and troubleshooting tool for the IPv6 protocols --------------------------------------------- http://www.si6networks.com/tools/ipv6toolkit/ *** Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM (CVE-2014-0838, CVE-2014-0835, CVE-2014-0836, CVE-2014-0837) *** --------------------------------------------- Multiple vulnerabilities exist in the AutoUpdate settings page and the AutoUpdate process within the IBM QRadar SIEM that when used together could result in remote code execution. --------------------------------------------- https://www-304.ibm.com/support/docview.wss?uid=swg21663066 *** VU#686662: Fail2ban postfix and cyrus-imap filters contain denial-of-service vulnerabilities *** --------------------------------------------- Fail2ban versions prior to 0.8.11 are susceptible to a denial-of-service attack when a maliciously crafted email address is parsed by the postfix or cyrus-imap filters. If users have not deployed either of these filters then they are not affected. --------------------------------------------- http://www.kb.cert.org/vuls/id/686662 *** VU#863369: Mozilla Thunderbird does not adequately restrict HTML elements in email message content *** --------------------------------------------- Mozilla Thunderbird does not adequately restrict HTML elements in email content, which could allow an attacker to execute arbitrary script when a specially-crafted email message is forwarded or replied to. --------------------------------------------- http://www.kb.cert.org/vuls/id/863369

1 0

Tageszusammenfassung - Montag 27-01-2014
by Daily end-of-shift report 27 Jan '14

27 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 24-01-2014 18:00 − Montag 27-01-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** ModSecurity Advanced Topic of the Week: HMAC Token Protection *** --------------------------------------------- This blog post presents a powerful feature of ModSecurity v2.7 that has been highly under-utilized by most users: HMAC Token Protection. There was a previous blog post written that outlined some usage examples here, however we did not properly demonstrate the protection coverage gained by its usage. Specifically, by using the HMAC Token Protection capabilities of ModSecurity, you can reduce the attack surface of the following attacks/vulnerabilities: Forceful Browsing of Website Content --------------------------------------------- http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/4JiUhR_1fSQ/modsecurit… *** Mitigation of NTP amplification attacks involving Junos *** --------------------------------------------- When an NTP client or server is enabled within the [edit system ntp] hierarchy level of the Junos configuration, REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the monlist feature within NTP may allow remote attackers to cause a denial of service. NTP is not enabled in Junos by default. Once NTP is enabled, an attacker can exploit these control messages in two different ways:... --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613 *** Sicherheitslücke in Pages: Update angeraten *** --------------------------------------------- Nutzer der Mac- und iOS-Version von Pages sollten die neueste Version installieren - eine Sicherheitslücke in älteren Versionen erlaubt unter Umständen das Ausführen von Schadcode. --------------------------------------------- http://www.heise.de/security/meldung/Sicherheitsluecke-in-Pages-Update-ange… *** First Android bootkit has infected 350,000 devices *** --------------------------------------------- January 24, 2014 Russian anti-virus company Doctor Web is warning users about a dangerous Trojan for Android that resides in the memory of infected devices and launches itself early on in the OS loading stage, acting as a bootkit. This allows the Trojan to minimize the possibility that it will be deleted, without tampering with the devices file system. Currently, this malignant program is operating on more than 350,000 mobile devices belonging to users in various countries,... --------------------------------------------- http://news.drweb.com/show/?i=4206&lng=en&c=9 *** Security Advisory-DoS Vulnerability in Eudemon8000E *** --------------------------------------------- Huawei Eudemon8000E firewall allows users to log in to the device using Telnet or SSH. When an attacker sends to the device a mass of TCP packets with special structure, the logging process become slowly and users may be unable to log in to the device (HWNSIRT-2014-0101). --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** Security Bulletin: GSKit certificate chain vulnerability in IBM Security Directory Server and Tivoli Directory Server (CVE-2013-6747) *** --------------------------------------------- A vulnerability has been identified in the GSKit component utilized by IBM Security Directory Server (ISDS) and IBM Tivoli Directory Server (TDS). A malformed certificate chain can cause the ISDS or TDS client application or server process using GSKit to hang or crash. --------------------------------------------- https://www-304.ibm.com/support/docview.wss?uid=swg21662902 *** Security Bulletin: IBM Security SiteProtector System can be affected by a vulnerability in the IBM Java JRE (CVE-2013-5809) *** --------------------------------------------- IBM Security SiteProtector System can be affected by vulnerability in the IBM Java JRE. This vulnerability could allow a remote attacker to affect confidentiality, integrity, and availability by means of unknown vectors related to the Java 2D component. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21662685 *** Security Bulletin eDiscovery Manager (CVE-2013-5791 and CVE-2013-5763) *** --------------------------------------------- CVE-2013-5791 - CVSS Score: 10 An unspecified vulnerability in Oracle Outside In Technology related to the Outside In Filters component could allow a local attacker to cause a denial of service. CVE-2013-5763 - CVSS Score: 6.8 Oracle Outside In technology is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the OS/2 Metafile parser. By causing a vulnerable application to process a malicious file, a remote attacker... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21659481 *** Vulnerability Note VU#168751 - Emerson Network Power Avocent MergePoint Unity 2016 KVM switches contain a directory traversal vulnerability *** --------------------------------------------- Emerson Network Power Avocent MergePoint Unity 2016 (MPU2016) KVM switches running firmware version 1.9.16473 and possibly previous versions contain a directory traversal vulnerability. An attacker can use directory traversal to download critical files such as /etc/passwd to obtain the credentials for the device. --------------------------------------------- http://www.kb.cert.org/vuls/id/168751 *** Vulnerability Note VU#105686 - Thecus NAS Server N8800 contains multiple vulnerabilities *** --------------------------------------------- CVE-2013-5667 - Thecus NAS Server N8800 Firmware 5.03.01 get_userid OS Command Injection CVE-2013-5668 - Thecus NAS Server N8800 Firmware 5.03.01 CVE-2013-5669 - Thecus NAS Server N8800 Firmware 5.03.01 plain text administrative password --------------------------------------------- http://www.kb.cert.org/vuls/id/105686 *** Cisco Video Surveillance Operations Manager MySQL Database Insufficient Authentication Controls *** --------------------------------------------- A vulnerability in the configuration of the MySQL database as installed by Cisco Video Surveillance Operations Manager (VSOM) could allow an unauthenticated, remote attacker to access the MySQL database. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** Security update available for Adobe Digital Editions *** --------------------------------------------- Adobe has released a security update for Adobe Digital Editions for Windows and Macintosh. This update addresses a vulnerability in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system. --------------------------------------------- http://helpx.adobe.com/security/products/Digital-Editions/apsb14-03.html *** Hitachi Cosminexus Products Multiple Java Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/56545 *** Drupal Doubleclick for Publishers Module Slot Names Script Insertion Vulnerability *** --------------------------------------------- https://secunia.com/advisories/56521 *** WordPress SS Downloads Plugin Multiple Cross-Site Scripting Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/56532

1 0

Tageszusammenfassung - Freitag 24-01-2014
by Daily end-of-shift report 24 Jan '14

24 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 23-01-2014 18:00 − Freitag 24-01-2014 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Russische Spione im Tor-Netz enttarnt *** --------------------------------------------- Forscher stießen auf 20 Exit Nodes, welche die HTTPS-Verbindungen von Tor-Nutzern aufzubrechen versuchten. Die meisten davon stammen aus Russland. --------------------------------------------- http://www.heise.de/security/meldung/Russische-Spione-im-Tor-Netz-enttarnt-… *** Bug Exposes IP Cameras, Baby Monitors *** --------------------------------------------- A bug in the software that powers a broad array of Webcams, IP surveillance cameras and baby monitors made by Chinese camera giant Foscam allows anyone with access to the devices Internet address to view live and recorded video footage, KrebsOnSecurity has learned. --------------------------------------------- http://krebsonsecurity.com/2014/01/bug-exposes-ip-cameras-baby-monitors/ *** "Syrian Electronic Army" attackierten Twitter-Account von CNN *** --------------------------------------------- Sender: "Ja, es ist auch uns passiert. CNN-Accounts gehackt" --------------------------------------------- http://derstandard.at/1389858074081 *** 65.000 E-Mail-Konten bei Salzburg AG gehackt *** --------------------------------------------- Bei der Salzburg AG sind die Zugangsdaten von mehr als 65.000 E-Mail- und Internetkonten gehackt worden. Bankdaten seien nicht betroffen, betonte das Unternehmen. Die Hintergründe der Tat sind unklar. User und Kunden üben Kritik. --------------------------------------------- http://news.orf.at/stories/2215391/ *** Angebliche Sicherheitslücke in aktuellem Chrome nicht zu finden *** --------------------------------------------- Ein Fehler in Googles Browser lässt sich mit der aktuellen Version nicht reproduzieren. Google will die Lücke schon vor Längerem geschlossen haben. --------------------------------------------- http://www.heise.de/security/meldung/Angebliche-Sicherheitsluecke-in-aktuel… *** Malicious links for iOS users *** --------------------------------------------- January 23, 2014 Russian anti-virus company Doctor Web is warning iOS device users about a growing number of incidents involving the distribution of links to bogus sites via mobile app advertisements. An iOS user misguided by such fraud can end up subscribed to a pseudo-service and thus lose money from their mobile account. Recently, users of mobile devices running iOS have been encountering advertisements with increasing frequency in the free applications on their smart phones and tablets. Ads --------------------------------------------- http://news.drweb.com/show/?i=4204&lng=en&c=9 *** GE Proficy Multiple Vulnerabilities *** --------------------------------------------- Researchers amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI) have identified two vulnerabilities in the General Electric (GE) Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) - CIMPLICITY application. GE has released security advisories, GEIP13-05 and GEIP13-06, to inform customers about these vulnerabilities.These vulnerabilities could be exploited remotely. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01 *** DSA-2848 mysql-5.5 *** --------------------------------------------- Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details. --------------------------------------------- http://www.debian.org/security/2014/dsa-2848 *** Bugtraq: [CVE-2014-1607.] Cross Site Scripting(XSS) in Drupal Event calendar module *** --------------------------------------------- Reflected cross-site scripting (XSS) vulnerability in Drupal 7.14 EventCalendar Module, found in eventcalendar/year allows remote attackers to inject arbitrary web scripts or HTML after the inproperly sanitizited Year Parameter. --------------------------------------------- http://www.securityfocus.com/archive/1/530876 *** Cisco TelePresence Video Communication Server Expressway Default SSL Certificate Vulnerability *** --------------------------------------------- A vulnerability in the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an unauthenticated, remote attacker to execute a man-in-the-middle (MITM) attack between one or more affected devices. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…

1 0

Tageszusammenfassung - Donnerstag 23-01-2014
by Daily end-of-shift report 23 Jan '14

23 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 22-01-2014 18:00 − Donnerstag 23-01-2014 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** SA-CONTRIB-2014-005 - Leaflet - Access bypass *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2014-005 Project: Leaflet (third-party module) Version: 7.xDate: 2014-January-22 Security risk: Critical Exploitable from: Remote Vulnerability: Access bypass Description The Leaflet module enables you to display an interactive map using the Leaflet library, using entities as map features.The module exposes complete data from entities used as map features to any site visitor with a Javascript inspector (like Firebug). --------------------------------------------- https://drupal.org/node/2179103 *** New Android Malware Steals SMS Messages, Intercepts Calls *** --------------------------------------------- A new strain of Android malware has emerged that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls. --------------------------------------------- http://threatpost.com/new-android-malware-steals-sms-messages-intercepts-ca… *** Official PERL Blogs hacked, 2,924 Author Credentials Leaked by ICR *** --------------------------------------------- The breach has seen 2,924 user account credentials published to quickleak.org as well as the blog having a deface page added but was not obtrusive to the actually website. --------------------------------------------- http://www.cyberwarnews.info/2014/01/22/official-perl-blogs-hacked-2924-aut… *** CrowdStrike Takes On Chinese, Russian Attack Groups in Threat Report *** --------------------------------------------- Russian attackers targeted energy sector targets and a Chinese nexus intrusion group infected foreign embassies with malware using watering hole tactics in 2013, CrowdStrike researchers found in its first-ever Global Threat Report. --------------------------------------------- http://www.securityweek.com/crowdstrike-takes-chinese-russian-attack-groups… *** Outdated energy, water and transport Industrial Control Systems without sufficient cyber security controls require coordinated testing of capability at EU levels, says the EU's cyber security Agency ENISA *** --------------------------------------------- Today, the EU's cyber security Agency ENISA published a new report to give advice regarding the next steps towards coordinated testing of capability of the often outdated Industrial Control Systems (ICS) for European industries. Among the key recommendations is the testing of ICS is a concern for all EU Member States and could be dealt with at EU levels according to ENISA. --------------------------------------------- http://www.enisa.europa.eu/media/press-releases/ics-without-sufficient-cybe… *** Analysis: Spam in December 2013 *** --------------------------------------------- In December, spammers continued to honor the traditions of the season and tried to attract potential customers with a variety of original gift and winter vacation offers, taking advantage of the approaching holidays. --------------------------------------------- http://www.securelist.com/en/analysis/204792323/Spam_in_December_2013 *** Chrome Eavesdropping Exploit Published *** --------------------------------------------- Exploit code has been published for a Google Chrome bug that allows malicious websites granted permission to use a computers microphone for speech recognition to continue listening after a user leaves the website. --------------------------------------------- http://threatpost.com/chrome-eavesdropping-exploit-published/103798

1 0

Tageszusammenfassung - Mittwoch 22-01-2014
by Daily end-of-shift report 22 Jan '14

22 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 21-01-2014 18:00 − Mittwoch 22-01-2014 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** [2014-01-22] Backdoor account & command injection vulnerabilities in Allnet IP-Cam ALL2281 *** --------------------------------------------- The IP camera Allnet ALL2281 is affected by critical vulnerabilities that allow an attacker to gain access to the webinterface via a backdoor account. Furthermore, executing arbitrary OS commands is possible. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014… *** Feodo Tracker kämpft gegen Rechnungs-Spam *** --------------------------------------------- Das Feodo-Botnet beschert Deutschland aktuell massenhaft Viren-Spam – vermeintlich im Namen bekannter Mobilfunkprovider und Banken. Der Feodo-Tracker sammelt Indizien, um das Spam-Netzwerk zu bremsen. --------------------------------------------- http://www.heise.de/security/meldung/Feodo-Tracker-kaempft-gegen-Rechnungs-… *** Security Bulletins: Citrix XenServer Multiple Security Updates *** --------------------------------------------- A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including Citrix XenServer 6.2 Service Pack 1. The following vulnerabilities have been addressed: CVE-2013-4494, CVE-2013-4554, CVE-2013-6885 --------------------------------------------- http://support.citrix.com/article/CTX140038 *** Security Bulletins: Citrix XenClient XT Multiple Security Updates *** --------------------------------------------- A number of security vulnerabilities have been identified in Citrix XenClient XT. These vulnerabilities affect all currently supported versions of Citrix XenClient XT up to and including version 3.2. The following vulnerabilities have been addressed: CVE-2013-4355, CVE-2013-4370, CVE-2013-4416, CVE-2013-4494, CVE-2013-4554 --------------------------------------------- http://support.citrix.com/article/CTX139624 *** SSL Labs: Stricter security requirements for 2014 *** --------------------------------------------- Today, were releasing a new version of SSL Rating Guide as well as a new version of SSL Test to go with it. Because the SSL/TLS and PKI ecosystem continues to move at a fast pace, we have to periodically evaluate our rating criteria to keep up. --------------------------------------------- http://blog.ivanristic.com/2014/01/ssl-labs-stricter-security-requirements-… *** [2014-01-22] Critical vulnerabilities in T-Mobile HOME NET Router LTE (Huawei B593u-12) *** --------------------------------------------- Attackers are able to completely compromise the T-Mobile Austria HOME NET router (based on Huawei B593u-12) without prior authentication. Depending on the configuration of the router it is also possible to exploit the flaws directly from the Internet. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014… *** Digitally signed data-stealing malware targets Mac users in "undelivered courier item" attack *** --------------------------------------------- Our colleagues at SophosLabs pointed us at a interesting item of malware the other day, namely a data-stealing Trojan aimed at Mac users. In fact, it was somewhat more than that: it was one of those "undelivered courier item" emails linking to a dodgy web server that guessed whether you were running Windows or OS X, and targeted you accordingly. --------------------------------------------- http://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-ma… *** Cisco TelePresence System Software Command Execution Vulnerability *** --------------------------------------------- Cisco TelePresence System Software contains a vulnerability in the System Status Collection Daemon (SSCD) code that could allow an unauthenticated, adjacent attacker to execute arbitrary commands with the privileges of the root user. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco TelePresence Video Communication Server SIP Denial of Service Vulnerability *** --------------------------------------------- Cisco TelePresence Video Communication Server (VCS) contains a vulnerability that could allow an unauthenticated, remote attacker to trigger the failure of several critical processes which may cause active call to be dropped and prevent users from making new calls until the affected system is reloaded. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco TelePresence ISDN Gateway D-Channel Denial of Service Vulnerability *** --------------------------------------------- Cisco TelePresence ISDN Gateway contains a vulnerability that could allow an unauthenticated, remote attacker to trigger the drop of the data channel (D-channel), causing all calls to be terminated and preventing users from making new calls. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…

1 0

Tageszusammenfassung - Dienstag 21-01-2014
by Daily end-of-shift report 21 Jan '14

21 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 20-01-2014 18:00 − Dienstag 21-01-2014 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** Sicherheitstest eingerichtet: BSI meldet millionenfachen Identitätsdiebstahl *** --------------------------------------------- Behörden haben bei der Analyse von Botnetzen rund 16 Millionen betroffene Benutzerkonten entdeckt. Das BSI bietet einen Sicherheitstest an, um E-Mails auf Identitätsdiebstahl zu überprüfen. (Internet, Security) --------------------------------------------- http://www.golem.de/news/sicherheitstest-eingerichtet-bsi-meldet-millionenf… *** Android Vulnerability Enables VPN Bypass *** --------------------------------------------- A hole in Androids VPN feature could expose what should be securely communicated data as clear, unencrypted text. --------------------------------------------- http://threatpost.com/android-vulnerability-enables-vpn-bypass/103719 *** Details on Patched Microsoft Office 365 XSS Vulnerability Disclosed *** --------------------------------------------- A cross-site scripting vulnerability in Microsoft Office 365 casts attention on the need to shore up the security of cloud-based enterprise applications. --------------------------------------------- http://threatpost.com/details-on-patched-microsoft-office-365-xss-vulnerabi… *** Kampf um die Hintertüren einer vernetzten Welt *** --------------------------------------------- Adam Philpott vom Netzwerk-Riesen Cisco bestreitet Kooperation mit Geheimdiensten und skizziert neue Bedrohungen im Netz der Zukunft --------------------------------------------- http://derstandard.at/1389857261752 *** Blog: WhatsApp for PC - a guaranteed Trojan banker *** --------------------------------------------- WhatsApp for PC - now from Brazil and bringing banker which will steal your money. It hides itself as an mp3 file and has a low VT detection. --------------------------------------------- http://www.securelist.com/en/blog/208214225/WhatsApp_for_PC_a_guaranteed_Tr… *** EU cyber security Agency ENISA calls for secure e-banking and e-payments: non-replicable, single-use credentials for e-identities are needed in the financial sector *** --------------------------------------------- Different tokens, devices, mobile phones, e-signatures, etc. are used to authenticate our e-identities. Yet, some financial institutions are still not considering the risk of inadequate authentication mechanisms according to a new study by the EU Agency ENISA. --------------------------------------------- http://www.enisa.europa.eu/media/press-releases/enisa-calls-for-secure-e-ba… *** Spoiled Onions *** --------------------------------------------- As of January 2014, the Tor anonymity network consists of 5,000 relays of which almost 1,000 are exit relays. As the diagram to the right illustrates, exit relays bridge the gap between the Tor network and the open Internet. As a result, exit relays are able to see anonymised network traffic as it is sent by Tor clients. While most exit relays are innocuous and run by well-meaning volunteers, there are exceptions: In the past, some exit relays were documented to have sniffed and --------------------------------------------- http://www.cs.kau.se/philwint/spoiled_onions/ *** Merkur-Kundendaten mit Nocard geknackt *** --------------------------------------------- Studenten der FH Salzburg ist mit dem Kundenkartengenerator Zugriff auf Kundenprofile gelungen --------------------------------------------- http://derstandard.at/1389857747260 *** WordPress WordFence Plugin "User-Agent" Script Insertion Vulnerability *** --------------------------------------------- Input passed via the "User-Agent" HTTP header is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a administrator's browser session in context of an affected site when the malicious data is being viewed. --------------------------------------------- https://secunia.com/advisories/56558

1 0

Tageszusammenfassung - Montag 20-01-2014
by Daily end-of-shift report 20 Jan '14

20 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 17-01-2014 18:00 − Montag 20-01-2014 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** NCR: Weltweit 95 Prozent aller Geldautomaten mit Windows XP *** --------------------------------------------- Laut einem hochrangigen Manager des Herstellers NCR laufen fast alle Geldautomaten weltweit noch mit Windows XP. Die Deutsche Kreditwirtschaft will davon nichts wissen, und erklärt, dass die Geldautomaten in Deutschland nicht am Internet hängen. Daher spiele die Art des Betriebssystems keine Rolle. --------------------------------------------- http://www.golem.de/news/ncr-weltweit-95-prozent-aller-geldautomaten-mit-wi… *** Adware vendors buy Chrome Extensions to send ad- and malware-filled updates *** --------------------------------------------- A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hours worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account.. --------------------------------------------- http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensio… *** VPN Related Vulnerability Discovered on an Android device - Disclosure Report *** --------------------------------------------- As part of our ongoing mobile security research we have uncovered a network vulnerability on Android devices which has serious implications for users using VPN. This vulnerability enables malicious apps to bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the --------------------------------------------- http://cyber.bgu.ac.il/blog/vpn-related-vulnerability-discovered-android-de… *** Looking Forward Into 2014: What 2013′s Mobile Threats Mean Moving Forward *** --------------------------------------------- 2013 was the year that the Android malware not just grew, but matured into a full-fledged threat landscape. Not only did the number of threats grow, the sophistication and capabilities associated with these threats grew as well. As we noted earlier, the number of mobile malware threats has crossed the one million mark, and as of ... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mF1EIjR8duU/ *** Open-Xchange Server Multiple Vulnerabilities *** --------------------------------------------- Multiple vulnerabilities have been reported in Open-Xchange, which can be exploited by malicious users to disclose potentially sensitive information and by malicious people to conduct cross-site scripting and script insertion attacks. --------------------------------------------- https://secunia.com/advisories/56390 *** F5 ARX Series Cyrus SASL NULL Pointer Dereference Vulnerability *** --------------------------------------------- F5 has acknowledged a vulnerability in F5 ARX Series, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a bundled vulnerable version of Cyrus SASL in relation to the ARX Manager Configuration utility. --------------------------------------------- http://secunia.com/advisories/56077/ *** Moodle Security Bypass Security Issue and Cross-Site Request Forgery Vulnerability *** --------------------------------------------- A security issue and a vulnerability have been reported in Moodle, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site request forgery attacks. --------------------------------------------- https://secunia.com/advisories/56556

1 0

Tageszusammenfassung - Freitag 17-01-2014
by Daily end-of-shift report 17 Jan '14

17 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 16-01-2014 18:00 − Freitag 17-01-2014 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** JS-Binding-Over-HTTP Vulnerability and JavaScript Sidedoor: Security Risks Affecting Billions of Android App Downloads *** --------------------------------------------- Third-party libraries, especially ad libraries, are widely used in Android apps. Unfortunately, many of them have security and privacy issues. In this blog, we summarize our findings related to the insecure usage of JavaScript binding in ad libraries. --------------------------------------------- http://www.fireeye.com/blog/technical/2014/01/js-binding-over-http-vulnerab… *** ECAVA INTEGRAXOR BUFFER OVERFLOW VULNERABILITY *** --------------------------------------------- Overview: This advisory is a follow-up to the alert titled ICS-ALERT-14-015-01 Ecava IntegraXor Buffer Overflow Vulnerability that was published January 15, 2014, on the NCCIC/ICS-CERT Web site. Independent researcher Luigi Auriemma identified a buffer overflow vulnerability in the Ecava IntegraXor application without coordination with NCCIC/ICS-CERT, the vendor, or any other coordinating entity known to NCCIC/ICS-CERT. Ecava has produced a patch version that mitigates this vulnerability. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-016-01 *** A Closer Look at the Target Malware, Part II *** --------------------------------------------- Yesterdays story about the point-of-sale malware used in the Target attack has prompted a flood of reporting from antivirus and security vendors. Buried within those reports are some interesting details that speak to possible actors involved and to the timing and discovery of this breach. --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/V1LusjgMQk8/ *** HPSBUX02961 SSRT101420 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS) *** --------------------------------------------- A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS). --------------------------------------------- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… *** Thingbot: Botnetz infiziert Kühlschrank *** --------------------------------------------- Ein US-Sicherheitsunternehmen hat ein Botnetz enttarnt. Das Besondere daran ist, dass etwa ein Viertel der infizierten Geräte keine Computer sind, sondern andere Internet-fähige Geräte - darunter ein Kühlschrank. (Spam, Malware) --------------------------------------------- http://www.golem.de/news/thingbot-botnetz-infiziert-kuehlschrank-1401-10397… *** Microsoft löscht Tor-Software nach Trojaner-Befall *** --------------------------------------------- Von mehreren hunderttausend Windows-PCs hat Microsoft veraltete Tor-Software gelöscht, die ein Trojaner installiert hatte. Auf bis zu zwei Millionen Rechnern soll der heimlich eingerichtete Dienst immer noch aktiv sein. --------------------------------------------- http://www.heise.de/security/meldung/Microsoft-loescht-Tor-Software-nach-Tr… *** Oldboot: the first bootkit on Android *** --------------------------------------------- A few days ago, we found an Android Trojan using brand new method to modify devices boot partition and booting script file to launch system service and extract malicious application during the early stage of systems booting. Due to the special RAM disk feature of Android devices boot partition, all current mobile antivirus product in the world can't completely remove this Trojan or effectively repair the system. We named this Android Trojan family as Oldboot. As far as we --------------------------------------------- http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-andro…

1 0

Tageszusammenfassung - Donnerstag 16-01-2014
by Daily end-of-shift report 16 Jan '14

16 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 15-01-2014 18:00 − Donnerstag 16-01-2014 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** Compromised Sites Pull Fake Flash Player From SkyDrive *** --------------------------------------------- On most days, our WorldMap shows more of the same thing. Today is an exception.One infection is topping so high in the charts that it pretty much captured our attention.Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits.So we dug deeper It wasnt long before we saw that a lot of scripts hosted in various websites got compromised. Our telemetry actually showed that almost 40% of the infected websites were hosted in Germany. In --------------------------------------------- http://www.f-secure.com/weblog/archives/00002659.html *** Microsoft antimalware support for Windows XP *** --------------------------------------------- Microsoft has announced the Windows XP end of support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system. To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015. This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-su… *** SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities *** --------------------------------------------- Advisory ID: DRUPAL-SA-CORE-2014-001Project: Drupal coreVersion: 6.x, 7.xDate: 2014-January-15Security risk: Highly criticalExploitable from: RemoteVulnerability: Multiple vulnerabilitiesDescriptionMultiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.Impersonation (OpenID module - Drupal 6 and 7 - Highly critical)A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack --------------------------------------------- https://drupal.org/SA-CORE-2014-001 *** A First Look at the Target Intrusion, Malware *** --------------------------------------------- Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Todays post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter. --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/OVODHvnhoQs/ *** Amazons public cloud fingered as USs biggest MALWARE LAIR *** --------------------------------------------- Cyber-crooks lurve Bezos & Cos servers and their whitelisted IP addresses Amazons public cloud is the largest haven of malware spreaders in the US, according to security company Solutionary.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/01/16/amazon_clou… *** Ecava IntegraXor Buffer Overflow Vulnerability *** --------------------------------------------- NCCIC/ICS-CERT is aware of a public report of a buffer overflow vulnerability with proof-of-concept (PoC) exploit code affecting Ecava IntegraXor, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the vulnerability is exploitable by using a command to load an arbitrary resource from an arbitrary DLL located in the program’s main folder. --------------------------------------------- http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-015-01 *** Advisory (ICSA-13-344-01) WellinTech Multiple Vulnerabilities *** --------------------------------------------- NCCIC/ICS-CERT received reports from the Zero Day Initiative (ZDI) regarding a remote code execution vulnerability and an information disclosure vulnerability in WellinTech KingSCADA, KingAlarm&Event, and KingGraphic applications. These vulnerabilities were reported to ZDI by security researcher Andrea Micalizzi. WellinTech has produced a new version that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01 *** Google verstärkt Anti-Spam-Team mit Zukauf *** --------------------------------------------- Das Team des Startups Impermium, das ein System gegen E-Mail-Account-Missbrauch entwickelt, wechselt zum Internet-Giganten. --------------------------------------------- http://www.heise.de/security/meldung/Google-verstaerkt-Anti-Spam-Team-mit-Z… *** Telekom reagiert mit Blog-Eintrag auf gefälschte Rechnungen *** --------------------------------------------- Erneut versenden Kriminelle gefälschte Online-Rechnungen der Telekom als Lockmittel, um Schadsoftware zu verbreiten. Dieses Mal reagiert der Konzern mit Warn-Mails und einem Blog-Eintrag, der Unterscheidungsmerkmale zu echten Rechnungen erklärt. --------------------------------------------- http://www.heise.de/security/meldung/Telekom-reagiert-mit-Blog-Eintrag-auf-… *** The Hidden Backdoors to the City of Cron *** --------------------------------------------- An attackers key to creating a profitable malware campaign is its persistency. Malicious code that is easily detected and removed will not generate enough value for their creators. This is the reason why we are seeing more and more malware using creative backdoor techniques, different obfuscation methods, and using unique approaches to increase the lifespanRead More --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/MCeUaRyYi88/the-hidden-backdo… *** DynDNS-Dienst knickt unter DDoS-Attacke ein *** --------------------------------------------- Dyn, Betreiber eines der bekanntesten DynDNS-Dienstes, ist Ziel eines DDoS-Angriffs geworden. Es ist zwar nur ein Teil der DNS-Infrastruktur des Anbieters betroffen, aber die Störung schlägt dennoch bis zu den Nutzern durch. --------------------------------------------- http://www.heise.de/newsticker/meldung/DynDNS-Dienst-knickt-unter-DDoS-Atta… *** Niederländische Behörden warnen vor Webcams *** --------------------------------------------- Die niederländischen Justizbehörden warnen, dass die in Tablets und Latops eingebauten Webcams eine Sicherheitslücke darstellen, über die Hacker eindringen können. Abkleben wird empfohlen. --------------------------------------------- http://www.heise.de/security/meldung/Niederlaendische-Behoerden-warnen-vor-…

1 0

Tageszusammenfassung - Mittwoch 15-01-2014
by Daily end-of-shift report 15 Jan '14

15 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 14-01-2014 18:00 − Mittwoch 15-01-2014 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Verfassungsschutz: Gefahr der Online-Wirtschaftsspionage noch immer unterschätzt *** --------------------------------------------- Viele kleine und mittelständische Unternehmen sähen Ausgaben für IT-Sicherheit immer noch nicht als gut investiertes Geld an, meinte der Präsident des Bundesamts für Verfassungsschutz. --------------------------------------------- http://www.heise.de/security/meldung/Verfassungsschutz-Gefahr-der-Online-Wi… *** NSA zapft auch Computer ohne Internetverbindung an *** --------------------------------------------- Die NSA hat weltweit auf rund 100.000 Computern Spionagesoftware installiert. Auch zu Computern ohne Internetverbindung hat sich der US-Geheimdienst Zutritt verschafft. --------------------------------------------- http://futurezone.at/netzpolitik/nsa-zapft-auch-computer-ohne-internetverbi… *** A Look Into the Future and the January 2014 Bulletin Release *** --------------------------------------------- In January, there are those who like to make predictions about the upcoming year. I am not one of those people. Instead, I like to quote Niels Bohr who said, "Prediction is very difficult, especially if it's about the future." However, I can say without a doubt that change is afoot in 2014. In February, usage of the MD5 hash algorithm in certificates will be restricted, as first discussed in Security Advisory 2862973, and the update goes out through Microsoft Update on the... --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2014/01/14/a-look-into-the-future-a… *** Kritische und wichtige Patches von Adobe und Microsoft *** --------------------------------------------- Was lange währt wird endlich gut: Microsoft hat an seinem Patchday unter anderem die Rechteausweitungslücke in Windows geschlossen, die mindestens seit November für Angriffe missbraucht wird. Von Adobe gibt es dringende Updates für Acrobat und Reader. --------------------------------------------- http://www.heise.de/security/meldung/Kritische-und-wichtige-Patches-von-Ado… *** Oracle schließt 144 Sicherheitslücken *** --------------------------------------------- Update betrifft auch Java 7 und Java 5 --------------------------------------------- http://derstandard.at/1388651059299 *** Adobe Security Bulletins Posted *** --------------------------------------------- Today, we released the following Security Bulletins: APSB14-01 – Security updates available for Adobe Reader and Acrobat APSB14-02 – Security updates available for Adobe Flash Player Customers of the affected products should consult the relevant Security Bulletin(s) for details. --------------------------------------------- http://blogs.adobe.com/psirt/?p=1041 *** Oracle Critical Patch Update Advisory - January 2014 *** --------------------------------------------- Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 144 new security fixes across the product families listed below. --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html *** Summary for January 2014 - Version: 1.0 *** --------------------------------------------- This bulletin summary lists security bulletins released for January 2014. With the release of the security bulletins for January 2014, this bulletin summary replaces the bulletin advance notification originally issued January 9, 2014. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification. --------------------------------------------- http://technet.microsoft.com/en-ca/security/bulletin/ms14-jan

1 0

Tageszusammenfassung - Dienstag 14-01-2014
by Daily end-of-shift report 14 Jan '14

14 Jan '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 13-01-2014 18:00 − Dienstag 14-01-2014 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** HPSBUX02960 SSRT101419 rev.1 - HP-UX Running NTP, Remote Denial of Service (DoS) *** --------------------------------------------- A potential security vulnerability has been identified with HP-UX running NTP. The vulnerability could be exploited remotely to create a Denial of Service (DoS). --------------------------------------------- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… *** Security: Mathematische Formel für den Cyberwar *** --------------------------------------------- Zwei Wissenschaftler aus den USA haben eine Formel entwickelt, mit sie ausrechnen können, wann der beste Zeitpunkt ist, um einen Cyberangriff auf ein bestimmtes Ziel mit bestimmten Mitteln durchzuführen. (Cyberwar, Security) --------------------------------------------- http://www.golem.de/news/security-mathematische-formel-fuer-den-cyberwar-14… *** Router-Backdoor: Cisco, Netgear und Linksys versprechen Schutz *** --------------------------------------------- Erst Ende Januar will Cisco ein Update liefern, das die in einigen Geraten gefundene Hintertür beseitigt; Netgear und Linksys nennen noch keinen Termin. Support-Anfragen zeigen, dass die Hintertür seit mindestens 10 Jahren aktiv ist. --------------------------------------------- http://www.heise.de/security/meldung/Router-Backdoor-Cisco-Netgear-und-Link… *** Spamming and scanning botnets - is there something I can do to block them from my site?, (Tue, Jan 14th) *** --------------------------------------------- Spamming and scanning botnets - is there something I can do to block them from my site? This question keeps popping up on forums and all places popular with those beleaguer souls despondent of the random spamming and over filled logs from scanning. Although this isnt a Magic ball question answer does come out a: Maybe, Maybe not. The reason behind the ambiguity is logical, to a degree; it's easy trying to hinder, frustrate and reduce the effectiveness of automated botnet processes, --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17426&rss *** ISC BIND NSEC3-Signed Zones Queries Handling Denial of Service Vulnerability *** --------------------------------------------- A vulnerability has been reported in ISC BIND, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when handling queries for NSEC3-signed zones and can be exploited to cause a crash with an "INSIST" failure by sending a specially crafted query. Successful exploitation requires an authoritative nameservers serving at least one NSEC3-signed zone. --------------------------------------------- https://secunia.com/advisories/56427

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily