=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 10-01-2014 18:00 − Montag 13-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Factsheet published: Certificates with 1024 bit RSA are being phased-out ***
---------------------------------------------
Does your organisation still use certificates with an RSA key-length of at most 1024 bits? The NCSC recommends to replace them. The factsheet Certificates with 1024 bit RSA are being phased-out provides you with more information and perspectives for action.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/factsheet-published-certifi…
*** Symantec Endpoint Protection multiple vulnerabilities ***
---------------------------------------------
Symantec Endpoint Protection authentication privilege escalation
http://xforce.iss.net/xforce/xfdb/90224
Symantec Endpoint Protection search paths privilege escalation
http://xforce.iss.net/xforce/xfdb/90226
Symantec Endpoint Protection custom polocies security bypass
http://xforce.iss.net/xforce/xfdb/90225
*** Juniper Junos multiple vulnerabilities ***
---------------------------------------------
Juniper Junos CLI Commands Let Local Users Gain Elevated Privileges
http://www.securitytracker.com/id/1029585
Juniper Junos Branch SRX Series HTTP Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029584
Juniper Junos Branch SRX Series IP Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029583
Juniper Junos BGP Update Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029582
Juniper Junos XNM Command Processor Lets Remote Users Consume Excessive Memory on the Target System
http://www.securitytracker.com/id/1029586
*** Die tausend gestopften Löcher des FFmpeg ***
---------------------------------------------
Zwei Google-Ingenieure haben vor zwei Jahren damit begonnen, automatisiert nach Fehlern in dem freien Multimedia-Framework FFmpeg zu fahnden, von denen inzwischen über 1120 behoben wurden.
---------------------------------------------
http://www.heise.de/security/meldung/Die-tausend-gestopften-Loecher-des-FFm…
*** Microsoft Twitter accounts, blog hijacked by SEA ***
---------------------------------------------
Another week, ANOTHER security own goal for Redmond Microsoft had two Twitter accounts and an official blog compromised over the weekend in another embarrassing security incident for the Redmond giant.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/13/microsoft_t…
*** Trends in Targeted Attacks: 2013 ***
---------------------------------------------
FireEye has been busy over the last year. We have tracked malware-based espionage campaigns and published research papers on numerous advanced threat actors. We chopped through Poison Ivy, documented a cyber arms dealer, and revealed that Operation Ke3chang had targeted
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2014/01/trends-in-ta…
*** Cisco bestätigt Hintertür in mehreren Routern ***
---------------------------------------------
Test-Interface erlaubt Zugriff auf sensible Daten - Update soll noch im Jänner folgen
---------------------------------------------
http://derstandard.at/1388650811096
*** Bericht: Britischer Geheimdienst GCHQ schwächte GSM-Verschlüsselung ***
---------------------------------------------
Bislang wurde kolportiert, die NATO habe in den 1980er-Jahren auf einem schwachen A5/1-Algorithmus bestanden. Nun weist ein norwegischer Wissenschaftler den Briten die Verantwortung dafür zu.
---------------------------------------------
http://www.heise.de/security/meldung/Bericht-Britischer-Geheimdienst-GCHQ-s…
*** Versorgung mit Virensignaturen für Windows-XP-Rechner vorerst gesichert ***
---------------------------------------------
Am 8. April lässt Microsoft den Support für Windows XP fallen, doch die Antiviren-Hersteller beeindruckt das nicht. Die Folge: Um Signatur-Updates muss sich der XP-Anwender vorerst keine Sorgen machen, solange der Virenwächter nicht von Microsoft kommt.
---------------------------------------------
http://www.heise.de/security/meldung/Versorgung-mit-Virensignaturen-fuer-Wi…
*** LKA NRW warnt vor Betrugsversuchen angeblicher Microsoft-Mitarbeiter ***
---------------------------------------------
In den vergangenen Wochen haben sich Fälle gehäuft, in denen angebliche Mitarbeiter des Microsoft-Supports versuchen, PC-Nutzer per Telefon zu schädigen.
---------------------------------------------
http://www.heise.de/security/meldung/LKA-NRW-warnt-vor-Betrugsversuchen-ang…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 09-01-2014 18:00 − Freitag 10-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Understanding and mitigating NTP-based DDoS attacks ***
---------------------------------------------
Over the last couple of weeks you may have been hearing about a new tool in the DDoS arsenal: NTP-based attacks. These have become popular recently and caused trouble for some gaming web sites and service providers. Wed long thought that NTP might become a vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return a large reply to a small request. Unfortunately, that prediction has come true.
---------------------------------------------
http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-atta…
*** Advance Notification for January 2014 - Version: 1.0 ***
---------------------------------------------
This is an advance notification of security bulletins that Microsoft is intending to release on January 14, 2014.
This bulletin advance notification will be replaced with the January bulletin summary on January 14, 2014. For more information about the bulletin advance notification service, see...
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-jan
*** Oracle Critical Patch Update Pre-Release Announcement - January 2014 ***
---------------------------------------------
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for January 2014, which will be released on Tuesday, January 14, 2014. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
*** Prenotification Security Advisory for Adobe Reader and Acrobat ***
---------------------------------------------
Adobe is planning to release security updates on Tuesday, January 14, 2014 for Adobe Reader and Acrobat XI (11.0.05) and earlier versions for Windows and Macintosh.
---------------------------------------------
http://helpx.adobe.com/security/products/reader/apsb14-01.html
*** Adobe, Microsoft und Oracle zelebrieren ersten Patchday des Jahres ***
---------------------------------------------
Kommenden Dienstag ist es wieder soweit. Adobe will kritische Lücken in Acrobat und Adobe Reader schließen, Microsoft unter anderem eine Windows-Lücke, die bereits seit November vergangenen Jahres ausgenutzt wird.
---------------------------------------------
http://www.heise.de/security/meldung/Adobe-Microsoft-und-Oracle-zelebrieren…
*** Tackling the Sefnit botnet Tor hazard ***
---------------------------------------------
Sefnit, a prevailing malware known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and how we added detection on the upstream Sefnit installer. In this blog we explain how the Tor client service, added by Sefnit, is posing a risk to millions of machines, and how we are working to address the problem. Win32/Sefnit made headlines last August as it took...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botn…
*** Schon wieder hunderttausende Kundendaten durch xt:Commerce-Lücke geklaut ***
---------------------------------------------
Eine weitere Sicherheitslücke in xt:Commerce 3 und einigen der Nachfolger wird derzeit ausgenutzt, um die Namen, Mail-Adressen und Passwort-Hashes in Online-Shops zu entwenden. Betroffen sind über 230.000 Kunden vor allem aus Deutschland und Österreich.
---------------------------------------------
http://www.heise.de/security/meldung/Schon-wieder-hunderttausende-Kundendat…
*** Cisco Context Directory Agent Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in Cisco Context Directory Agent, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks and manipulate certain data.
---------------------------------------------
https://secunia.com/advisories/56365
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 08-01-2014 18:00 − Donnerstag 09-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Intercepted Email Attempts to Steal Payments, (Wed, Jan 8th) ***
---------------------------------------------
A reader sent in details of a incident that is currently being investigated in their environment. (Thank you Peter for sharing! ) It appears to be a slick yet elaborate scam to divert a customer payment to the scammers. It occurs when the scammer attempts to slip into an email conversation and go undetected in order to channel an ordinary payment for service or goods into his own coffers. Here is a simple breakdown of the flow: Supplier sends business email to customer, email mentions a...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17366&rss
*** ZeroAccess Takedown and the TDSS Aftermath ***
---------------------------------------------
Early December last year, Microsoft - in cooperation with certain law enforcement agencies - announced their takedown of the ZeroAccess operations. This development, however, also yielded an unexpected effect on another well-known botnet, in particular TDSS. TDSS and ZeroAccess ZeroAccess is one of the most notable botnets in the world, with its malware known for rootkit...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/v07x5pzmpj4/
*** Malvertising attacks via Yahoo ads may precede broader iframe attacks ***
---------------------------------------------
A New Years malvertisement attack on Yahoo.com that is believed to have infected the systems and devices of thousands of website visitors could signal an uptick in the use of highly effective iframe Web attacks on larger online communities.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240212218/Malvertising-attacks-v…
*** Personal banking apps leak info through phone ***
---------------------------------------------
For several years I have been reading about flaws in home banking apps, but I was skeptical. To be honest, when I started this research I was not expecting to find any significant results.
---------------------------------------------
http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.ht…
*** Falscher Alarm: Avast für Android hält alle Apps für Viren ***
---------------------------------------------
Ein fehlerhaftes Signaturupdate hat dazu geführt, dass Avast Android-Virenscanner am heutigen Donnerstag zahlreich fündig wurde.
---------------------------------------------
http://www.heise.de/security/meldung/Falscher-Alarm-Avast-fuer-Android-hael…
*** WordPress-Angreifer lieben TimThumb ***
---------------------------------------------
Akamai hat Attacken auf WordPress-Erweiterungen untersucht und festgestellt, dass sich die Angreifer vor allem auf ein Plug-in eingeschossen haben.
---------------------------------------------
http://www.heise.de/security/meldung/WordPress-Angreifer-lieben-TimThumb-20…
*** Critics Cut Deep on Yahoo Mail Encryption Rollout ***
---------------------------------------------
Yahoo has turned on HTTPS by default for its web-based email service, but the deployment is inconsistent across the board and experts are critical of its use of weak standards and the lack of Perfect Forward Secrecy and HSTS.
---------------------------------------------
http://threatpost.com/critics-cut-deep-on-yahoo-mail-encryption-rollout/103…
*** Drupal Media 7.x Access Bypass ***
---------------------------------------------
Topic: Drupal Media 7.x Access Bypass Risk: High Text:View online: https://drupal.org/node/2169767 * Advisory ID: PSA-2014-001 * Project: Media [1] (third-party module) ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014010051
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 07-01-2014 18:00 − Mittwoch 08-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** 64-bit ZBOT Leverages Tor, Improves Evasion Techniques ***
---------------------------------------------
Reports have surfaced that ZeuS/ZBOT, the notorious online banking malware, is now targeting 64-bit systems. During our own investigation, we have confirmed that several ZBOT 32-bit samples (detected as TSPY_ZBOT.AAMV) do have an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). However, our investigation also lead us to confirm other noteworthy routines of the malware, including its...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/RjjdkzMleq4/
*** Malicious Ads on DailyMotion Redirect to Fake AV Attack ***
---------------------------------------------
Popular video-sharing site DailyMotion is serving malicious ads that redirect site visitors to domains hosting Fake AV malware, security firm Invincea reports.
---------------------------------------------
http://threatpost.com/malicious-ads-on-dailymotion-redirect-to-fake-av-atta…
*** Einbruch in die Opensuse-Foren ***
---------------------------------------------
Die öffentlichen Opensuse-Foren sind Opfer eines Angriffs geworden und derzeit abgeschaltet.
---------------------------------------------
http://www.heise.de/security/meldung/Einbruch-in-die-Opensuse-Foren-2078128…
*** Yahoo Mail: Verschlüsselung wird endlich Default ***
---------------------------------------------
Alle Kommunikation mit Webmail-Service nun per HTTPS abgesichert - Aber kein Perfect Forward Secrecy
---------------------------------------------
http://derstandard.at/1388650341295
*** Satellite Links for Remote Networks May Pose Soft Target for Attackers ***
---------------------------------------------
Land-based terminals that send data to satellites may pose a soft target for hackers, an analysis from a computer security firm shows. VSATs, an abbreviation for "very small aperture terminals," supply Internet access to remote locations, enabling companies to transmit data from an isolated network to an organizations main one. The devices are used in a variety of industries, including energy, financial services and defense.
---------------------------------------------
http://www.cio.com/article/745580/Satellite_Links_for_Remote_Networks_May_P…
*** Linux Kernel, Font Bugs Fixed in Ubuntu ***
---------------------------------------------
A huge number of security vulnerabilities have been fixed in Ubuntu, including a remotely exploitable font flaw that an attacker could use to run arbitrary code on vulnerable machines. A number of Linux kernel flaws also were patched in some versions of the operating system. The font vulnerability affects five different versions of Ubuntu, including...
---------------------------------------------
http://threatpost.com/linux-kernel-font-bugs-fixed-in-ubuntu/103500
*** VU#487078: QNAP QTS path traversal vulnerability ***
---------------------------------------------
Vulnerability Note VU#487078 QNAP QTS path traversal vulnerability Original Release date: 08 Jan 2014 | Last revised: 08 Jan 2014 Overview QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal vulnerability. Description CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) - CVE-2013-7174QNAP QTS is a Network-Attached Storage (NAS) system accessible via a web interface. QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal...
---------------------------------------------
http://www.kb.cert.org/vuls/id/487078
*** Vuln: Cisco Unified Communications Manager Unauthorized Access Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64690
*** HP 2620 Switch Series Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56290
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 03-01-2014 18:00 − Dienstag 07-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Matthias Fraidl
*** Router auf Backdoor testen ***
---------------------------------------------
Die Netzwerkausrüster hüllen sich nach wie vor über den Zweck des kürzlich entdeckten, undokumentierten Router-Dienstes in Schweigen. So finden Sie heraus, ob Ihr Router ebenfalls auf Befehle wartet.
---------------------------------------------
http://www.heise.de/security/meldung/Router-auf-Backdoor-testen-2074844.html
*** Backdoor in Routern: Hersteller rätseln und analysieren ***
---------------------------------------------
Noch immer können die Router-Hersteller keine plausible Erklärung dafür liefern, dass auf auf ihren Geräten ein undokumentierter Konfigurationsdienst läuft. Sie sind nach eigenen Angaben selbst noch mit der Analyse beschäftigt.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Backdoor-in-Routern-Hersteller-raets…
*** Distributionen patchen Drupal -- außer Ubuntu ***
---------------------------------------------
Debian und Fedora liefern Sicherheitsupdates für kürzlich gemeldete Sicherheitsprobleme in Drupal. Wer Ubuntu nutzt, muss sich jedoch selber kümmern.
---------------------------------------------
http://www.heise.de/security/meldung/Distributionen-patchen-Drupal-ausser-U…
*** Recent Windows Zero-Day Targeted Embassies, Used Syria-related Email ***
---------------------------------------------
In late November, Microsoft revealed that a zero-day vulnerability was in use in targeted attacks against Windows XP and Server 2003 systems. From samples of the exploit examined, it has a backdoor payload that possesses sophisticated anti-analysis techniques. Further research of this earlier attack - discussed in the blog posts above - has revealed that the exploit was deployed via...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/xqgSESnrQns/
*** A Year of Spam: The Notable Trends of 2013 ***
---------------------------------------------
2013 was a year of change inthe spam landscape. The volume of spam increased from 2012. We witnessed the decline of a previously-successful exploit kit. The old became new again, thanks to different techniques used by spammers. While we still saw traditional types of spam, we also saw several "improvements" which allowed spammers to avoid...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/uZ0knuU7r3A/
*** Malware Deployed by Fake Digital Certificates Bypassing Endpoint Security ***
---------------------------------------------
Enterprises that place unwavering faith in the sanctity of digital certificates may want to re-think that belief, now that the latest chapter in the Win32/Winwebsec malware saga has revealed a troubling new development: the use of stolen authentication credentials. Win32/Winwebsec is the catch-all term used by Microsoft to reference a group of fake anti-virus programs [...]
---------------------------------------------
http://www.seculert.com/blog/2014/01/malware-deployed-by-fake-digital-certi…
*** Ransomware: Powerlocker wird für 100 US-Dollar angeboten ***
---------------------------------------------
Die Gruppe Malware Crusaders warnt vor einer neuen Ransomware, die nicht nur besser verschlüsselt, sondern mit zusätzlichen Funktionen ausgestattet ist. In einschlägigen Foren wird Powerlocker bereits für 100 US-Dollar angeboten. (Virus, Malware)
---------------------------------------------
http://www.golem.de/news/ransomware-powerlocker-wird-fuer-100-us-dollar-ang…
*** Malicious Advertisements served via Yahoo ***
---------------------------------------------
Fox-IT operates the shared Security Operations Center service ProtACT. This service monitors the networks of our clients for malicious activity. On January 3 we detected and investigated the infection of clients after they visited yahoo.com.
---------------------------------------------
http://blog.fox-it.com/2014/01/03/malicious-advertisements-served-via-yahoo/
*** WordPress Connect plugin for WordPress unspecified cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90106
*** Debian devscripts uscan.pl code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90107
*** [2013-12-27] XPath Injection in IBM Web Content Manager ***
---------------------------------------------
By exploiting the identified XPath Injection vulnerability, an unauthenticated user is able to extract sensitive application configuration data from vulnerable installations of IBM Web Content Manager.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** HP Data Protector code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90001http://xforce.iss.net/xforce/xfdb/90002http://xforce.iss.net/xforce/xfdb/90003
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 02-01-2014 18:00 − Freitag 03-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: L. Aaron Kaplan
*** Greyhats expose 4.5 million Snapchat phone numbers using 'theoretical' hack ***
---------------------------------------------
Snapchat largely discounted weakness that partially exposed user numbers.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/8aPSkYeU_SA/
*** Target's Use of 3DES Encryption Invites Scrutiny, Worry ***
---------------------------------------------
Targets admission that encrypted PIN data was stolen and secured with 3DES encryption has experts concerned because of the age of the algorithm and the availability of stronger options.
---------------------------------------------
http://threatpost.com/targets-use-of-3des-encryption-invites-scrutiny-worry…
*** Mysterioese Backdoor in diversen Router-Modellen ***
---------------------------------------------
Auf Routern von Linksys und Netgear lauscht ein undokumentierter Dienst, der auf Befehle wartet. Bislang gibt es lediglich ein Indiz dafuer, was es damit auf sich haben koennte.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mysterioese-Backdoor-in-diversen-Rou…
*** Scans Increase for New Linksys Backdoor (32764/TCP), (Thu, Jan 2nd) ***
---------------------------------------------
We do see a lot of probes for port 32764/TCP . According to a post to github from 2 days ago, some Linksys devices may be listening on this port enabling full unauthenticated admin access. [1] At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network. Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17336&rss
*** NSA Exploit of the Day: DEITYBOUNCE ***
---------------------------------------------
Todays item from the NSAs Tailored Access Operations (TAO) group implant catalog is DEITYBOUNCE: DEITYBOUNCE (TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads. (TS//SI//REL) This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
*** Advanced Dewplayer plugin for WordPress download-file.php directory traversal ***
---------------------------------------------
Advanced Dewplayer plugin for WordPress download-file.php directory traversal
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89978
*** "Penetrating Hard Targets": NSA arbeitet an Quantencomputern zur Kryptoanlayse ***
---------------------------------------------
Dokumente des NSA-Whistleblowers Edward Snowden legen nahe, dass die NSA bei der Entwicklung von Quantencomputern keinen Vorsprung hat. Mit derartiger Technik koennte bestehende Public-Key-Kryptographie geknackt werden.
---------------------------------------------
http://www.heise.de/security/meldung/Penetrating-Hard-Targets-NSA-arbeitet-…
*** HPSBMU02895 SSRT101253 rev.1 - HP Data Protector, Remote Increase of Privilege, Denial of Service (DoS), Execution of Arbitrary Code ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Data Protector. These vulnerabilities could be remotely exploited to allow an increase of privilege, create a Denial of Service (DoS), or execute arbitrary code.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** Bundesnetzagentur praesentiert Entwurf des IT-Sicherheitskatalogs ***
---------------------------------------------
Eine Liste von Sicherheitsanforderungen soll die IT-Infrastruktur unserer Stromnetze absichern. Bis Februar kann man diesen Entwurf noch kommentieren.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Bundesnetzagentur-praesentiert-Entwu…
*** Cost/Benefit Analysis of NSAs 215 Metadata Collection Program ***
---------------------------------------------
It has amazed me that the NSA doesnt seem to do any cost/benefit analyses on any of its surveillance programs. This seems particularly important for bulk surveillance programs, as they have significant costs aside from the obvious monetary costs. In this paper, John Mueller and Mark G. Stewart have done the analysis on one of these programs. Worth reading....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/01/costbenefit_ana_1.html
*** UPDATED X1 : OpenSSL.org Defaced by Attackers Gaining Access to Hypervisor, (Thu, Jan 2nd) ***
---------------------------------------------
By now, most of you have heard that the openssl.org website was defaced. While the source code and repositories were not tampered with, this obviously concerned people. What is more interesting is that the attack was made possible by gaining access to the hypervisor that hosts the VM responsible for the website. Attacks of this sort are likely to be more common as time goes on as it provides easy ability to take over a host without having to go through the effort of actually rooting a box.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17333&rss
*** Bankautomaten per USB-Stick uebernommen ***
---------------------------------------------
Sicherheitsforscher haben Schadcode entdeckt, der per USB-Stick auf Geldautomaten geladen wird und Ganoven dann beliebig Geld auszahlt. Die Malware enthaelt ausserdem raffinierte Funktionen, die den Hintermaennern Kontrolle ueber die Auszahlungen gibt
---------------------------------------------
http://www.heise.de/security/meldung/Bankautomaten-per-USB-Stick-uebernomme…
*** Ubuntu bessert TLSv1.2-Unterstuetzung nach ***
---------------------------------------------
In aktuellen Ubuntu-Versionen kann die zentrale Crypto-Bibliothek OpenSSL kein TLSv1.2; das soll sich erst mit Ubuntu 14.04 LTS aendern.
---------------------------------------------
http://www.heise.de/security/meldung/Ubuntu-bessert-TLSv1-2-Unterstuetzung-…
*** Ueberwachung: BND fischt deutlich weniger Kommunikation ab ***
---------------------------------------------
Der Bundesnachrichtendienst hat seine Filtermethoden offenbar verbessert. Im Jahr 2012 sind viel weniger verdaechtige Kommunikationsinhalte als in den Vorjahren in den Netzen haengengeblieben. (Datenschutz, DE-CIX)
---------------------------------------------
http://www.golem.de/news/ueberwachung-bnd-fischt-deutlich-weniger-kommunika…
*** Slovenian jailed for creating code behind 12 MILLION strong Mariposa botnet army ***
---------------------------------------------
A Slovenian virus writer who created an infamous strain of malware used to infect an estimated 12 million computers worldwide has been jailed for almost five years.
---------------------------------------------
http://www.theregister.co.uk/2014/01/03/mariposa_botnet_mastermind_jailed/
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 30-12-2013 18:00 − Donnerstag 02-01-2014 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** Joseph Stiglitz on Trust ***
---------------------------------------------
Joseph Stiglitz has an excellent essay on the value of trust, and the lack of it in todays society. Trust is what makes contracts, plans and everyday transactions possible; it facilitates the democratic process, from voting to law creation, and is necessary for social stability. It is essential for our lives. It is trust, more than money, that makes the...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/joseph_stiglitz.html
*** Sqlmap Tricks for Advanced SQL Injection ***
---------------------------------------------
Sqlmap is an awesome tool that automates SQL Injection discovery and exploitation processes. I normally use it for exploitation only because I prefer manual detection in order to avoid stressing the web server or being blocked by IPS/WAF devices. Below I provide a basic overview of sqlmap and some configuration tweaks for finding trickier injection points. Basics Using sqlmap for classic SQLi is very straightforward: ./sqlmap.py -u http://mywebsite.com/page.php?vulnparam=hello The target URL...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/sqlmap-tricks-for-advanced-sql-injection…
*** NSA Surveillance Has No Boundaries, Expert Says ***
---------------------------------------------
Expert Jacob Appelbaums keynote at CCC describes the deep catalog of hacks and backdoors at the NSAs disposal.
---------------------------------------------
http://threatpost.com/nsa-surveillance-has-no-boundaries-expert-says/103355
*** Protecting the data about data ***
---------------------------------------------
It has been said that encryption simply trades one secret (the data) for another (the key). In the same way, encrypting data naturally shifts attention to that which is not protected: the metadata.
---------------------------------------------
http://www.scmagazine.com//protecting-the-data-about-data/article/327122/
*** Yes, the BBC still uses FTP. And yes, a Russian crook hacked the server ***
---------------------------------------------
Convenient file-store a convenient target for crook touting access A BBC FTP server ftp.bbc.co.uk was compromised by a Russian hacker and access to it touted online, say computer security researchers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/12/30/bbc_ftp_ser…
*** Why NSA spied on inexplicably unencrypted Windows crash reports ***
---------------------------------------------
Windows reports what hardware you have and what software doesnt work.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/CCjtHJ8WSwY/
*** 30C3: Sicherheitsalbträume des Jahres 2014 ***
---------------------------------------------
Unmodulierte Basisbandsysteme stellen nach Ansicht von Sicherheitsexperten des CCC lohnende Angriffsziele dar. Im Biometrie-Segment habe Apple mit Touch ID "die Büchse der Pandora" geöffnet.
---------------------------------------------
http://www.heise.de/newsticker/meldung/30C3-Sicherheitsalbtraeume-des-Jahre…
*** Juniper SSL VPN and UAC Host Checker Issue, (Tue, Dec 31st) ***
---------------------------------------------
A few readers have written asking about odd denials when trying to use Juniper VPNs. Turns out they released a Product Support Notification (subscription required) about their host check feature which fails on endpoints that have a local date set 12/31/2013 or later. There are working on a fix but as a workaround, you can change the local date on the PC, disable host checker verification all together or create a manual host checker process that disables checking firewall, anti-virus and/or
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17321&rss
*** X11/X.Org Security In Bad Shape ***
---------------------------------------------
An anonymous reader writes "A presentation at the Chaos Communication Congress explains how X11 Server security with being worse than it looks. The presenter found more than 120 bugs in a few months of security research and is not close to being done in his work. Upstream X.Org developers have begun to call most of his claims valid. The presentation by Ilja van Sprunde is available for streaming." Read more of this story at Slashdot.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/W_cx3sKOALE/story01.htm
*** Administratoren! Machet Krypto, aber besser... ***
---------------------------------------------
Bettercrypto hilft Systemadmins, Verschlüsselung einzurichten und zu verbessern. Copy&Paste ist gewünscht, Verbesserungsvorschläge ebenso.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Administratoren-Machet-Krypto-aber-b…
*** Dual_EC_DRBG Backdoor: a Proof of Concept ***
---------------------------------------------
New submitter Reliable Windmill sends this followup to the report that RSA took money from the NSA to use backdoored tech for random number generation in encryption software. From the article: "Dual_EC_DRBG is an pseudo-random number generator promoted by NIST in NIST SP 800-90A and created by NSA. This algorithm is problematic because it has been made mandatory by the FIPS norm (and should be implemented in every FIPS approved software) and some vendors even promoted this algorithm as...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/_PXJ0M1qmQI/story01.htm
*** Hacker finden Hintertüren in Netgear- und Linksys-Routern ***
---------------------------------------------
Ein findiger Hacker hat in den vergagnenen Tagen einen seltsamen Hintergrunddienst auf seinem Router entdeckt. Darüber kann sich jeder Zugang zu seinem Netzwerk verschaffen.
---------------------------------------------
http://futurezone.at/netzpolitik/hacker-finden-hintertueren-in-netgear-und-…
*** Österreichische Begeh: Kopierbarkeit von RFID-Schlüssel bekannt ***
---------------------------------------------
Unternehmen hat nach 30C3-Vortrag von Adrian Dabrowski Stellung bezogen
---------------------------------------------
http://derstandard.at/1388649760468
*** Manipulierte Speicherkarten als Malware-Versteck ***
---------------------------------------------
Hacker zeigen Angriff gegen eingebetteten Mikrokontroller - Daten können vor dem Betriebssystem versteckt werden
---------------------------------------------
http://derstandard.at/1388649791611
*** Snapchat schweigt nach Datenleck ***
---------------------------------------------
Der Anbieter der Foto-App Snapchat äußert sich bisher nicht zu dem Vorfall, bei dem Unbekannte die Daten von 4,6 Millionen Kunden erbeutet haben. Zuvor hatte das Unternehmen Warnungen von Sicherheitsexperten in den Wind geschlagen.
---------------------------------------------
http://www.heise.de/security/meldung/Snapchat-schweigt-nach-Datenleck-20742…
*** memcached mit löchriger Authentifizierung ***
---------------------------------------------
Die SASL-Authentifizierung des Cache-Servers ist zu gutmütig. Auch mit ungültigen Zugangsdaten kommt man beim zweiten Versuch rein.
---------------------------------------------
http://www.heise.de/security/meldung/memcached-mit-loechriger-Authentifizie…
*** OpenSSL.org Defaced by Attackers Gaining Access to Hypervisor, (Thu, Jan 2nd) ***
---------------------------------------------
By now, most of you have heard that the openssl.org website was defaced. While the source code and repositories were not tampered with, this obviously concerned people. What is more interesting is that the attack was made possible by gaining access to the hypervisor that hosts the VM responsible for the website. Attacks of this sort are likely to be more common as time goes on as it provides easy ability to take over a host without having to go through the effort of actually rooting a box.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17333&rss
*** Der Spiegel Article on Networking Equipment Infiltration ***
---------------------------------------------
On December 29, 2013, the German news publication Der Spiegel published an article referencing leaked documents from the U.S. National Security Agency (NSA) that mentioned "software implants" for networking devices. Cisco is one of a number of technology companies mentioned in the article...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-…
*** Security Notice-Statement About the Networking Equipment Infiltration Article in Der Spiegel ***
---------------------------------------------
On December 29, 2013, German news agency Der Spiegel published a report titled "Shopping for Spy Gear: Catalog Advertises NSA Toolbox" and described Huawei as one of the vendors that might be impacted.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Security Advisory-A DoS Vulnerability in the SSH Module on Huawei AR Router ***
---------------------------------------------
On Some Huawei AR routers that receive a large number of SSH authentication attack packets with malformed data, legitimate users fail to log in through SSH. Attackers can construct massive attack packets to cause the AR routers to deny SSH login from legitimate users. (HWPSIRT-2013-1255).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Vuln: mod_nss Module NSSVerifyClient CVE-2013-4566 Authentication Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64114
*** Vuln: libgadu SSL Certificate Validation CVE-2013-4488 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63473
*** Debian update for ruby-i18n ***
---------------------------------------------
https://secunia.com/advisories/56212
*** DSA-2833 openssl ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2014/dsa-2833
*** DSA-2832 memcached ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2014/dsa-2832
*** DSA-2831 puppet ***
---------------------------------------------
insecure temporary files
---------------------------------------------
http://www.debian.org/security/2013/dsa-2831
*** Debian update for typo3-src ***
---------------------------------------------
https://secunia.com/advisories/56266
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 27-12-2013 18:00 − Montag 30-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** eBay Vulnerable to Account Hijacking Via XSRF ***
---------------------------------------------
A researcher reported a cross-site request forgery vulnerability to eBay in August, and despite repeated communication from the online auction that the code has been repaired, the site remains vulnerable to exploit.
---------------------------------------------
http://threatpost.com/ebay-vulnerable-to-account-hijacking-via-xsrf/103311
*** 12 Days of HaXmas: Meterpreter, Reloaded ***
---------------------------------------------
Over the last quarter of 2013, we here in the Democratic Freehold of Metasploit found that we needed to modernize our flagship remote access toolkit (RAT), Meterpreter. That started with cleaving Meterpreter out of the main Metasploit repository and setting it up with its own repository, and then bringing in a dedicated Meterpreter hacker, the indomitable OJ TheColonial Reeves. We couldn't be happier with the results so far.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/27/meterpret…
*** 12 Days of HaXmas: Exploiting (and Fixing) RJS Rails Info Leaks ***
---------------------------------------------
Several weeks ago, Egor Homakov wrote a blog post pointing out a common info leak vulnerability in many Rails apps that utilize Remote JavaScript. The attack vector and implications can be hard to wrap your head around, so in this post I'll explain how the vulnerability occurs and how to exploit it.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/29/remote-js…
*** Major flaw discovered in mobile software used by govt agencies ***
---------------------------------------------
The vulnerability discovered by an Israeli security researcher affects Samsungs Galaxy S4 device, which is currently used by government agencies.
---------------------------------------------
http://www.scmagazine.com/major-flaw-discovered-in-mobile-software-used-by-…
*** Who's Still Robbing ATMs with USB Sticks? ***
---------------------------------------------
Here's one quick way to rob a bank, over and over again. Find an ATM running Windows XP. Skeptical? Don't be, they're still installed all around the world. Next, cut a piece from its chassis to expose its USB port. ...
---------------------------------------------
http://www.wired.com/threatlevel/2013/12/whos-robbing-atms-usb-stick/
*** NTP reflection attack, (Fri, Dec 27th) ***
---------------------------------------------
Symantec has notice in the last few weeks that there is a significant NTP reflection attacks. NTP is Network time protocol and it's used to synch the time between client and server, it is a UDP protocol and it's run on port 123. In the NTP reflection attack the attacker send a crafted packet which request a large amount of date send to the host. "In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older version of NTP that...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17300
*** DRG online challenge(s), (Sat, Dec 28th) ***
---------------------------------------------
For the last couple of months DRG (the Dragon Research Group) has posted some interesting security challenges. The last one, for December, is currently online so if you want to test your security skills - and post the solutions for the public benefit, do not miss the current challenge available at http://dragonresearchgroup.org/challenges/201312/ Those of you who like playing CTFs will enjoy this. Other (older) challenges are still online too, so if you have some time off here's...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17306
*** 30C3: Keine Hintertüren in Tor ***
---------------------------------------------
Roger Dingledine, Vater des Tor-Netzwerks, hat auf dem Hamburger Hackerkongress erklärt, dass eine Vertreterin des US-Justizministeriums auf eine bessere Überwachbarkeit des Anonymisierungsdienstes gedrängt habe.
---------------------------------------------
http://www.heise.de/security/meldung/30C3-Keine-Hintertueren-in-Tor-2072708…
*** The story of a Trojan Dropper I ***
---------------------------------------------
Introduction: Recently, Zscaler ThreatlabZ received a suspicious file from one of our customers, which was named "OrderDetails.zip". After extracting the executable file from the archive I have performed a virustotal scan to get some information about the file. At that time, very few antivirus vendors had definitions in place, which flagged the file as malicious. As such, I decided...
---------------------------------------------
http://research.zscaler.com/2013/12/the-story-of-trojan-dropper-i.html
*** The story of a Trojan dropper II ***
---------------------------------------------
Analysis: Lets analyze the PE file in detail and see what it's up to. Like most malware, this sample was packed and in order to properly analyze it, we must begin by unpacking the binary. Keeping this in mind, I began by debugging the file, hoping to find the reference to the data section in order to determine precisely where the encrypted portion of data was to be found. Fortunately,...
---------------------------------------------
http://research.zscaler.com/2013/12/the-story-of-trojan-dropper-ii.html
*** RFID-Begehcard: Mit dem Skipass in Wiens Wohnhäuser ***
---------------------------------------------
"Österreich ist sicher", heißt es vollmundig auf der Webseite des Begehsystems. Doch Häuser, die ihren Eingang mit der Begehcard sichern, sind leicht zu öffnen. Alles, was man dazu braucht, ist ein neu programmierbarer RFID-Skipass. (RFID, Sicherheitslücke)
---------------------------------------------
http://www.golem.de/news/rfid-begehcard-ohne-sicherheit-mit-dem-skipass-in-…
*** Open-Source Release of MANTIS Cyber-Threat Intelligence Management Framework ***
---------------------------------------------
Today, Siemens CERT is releasing the "MANTIS Cyber-Threat Intelligence Management Framework" as Open Source under GPL2+.
---------------------------------------------
http://making-security-measurable.1364806.n2.nabble.com/Open-Source-Release…
*** The Year in NSA ***
---------------------------------------------
It's that most wonderful time of the year, the time when everyone with access to an email machine puts together a list of the best or worst of whatever happened in the last 12 months. In the computer security world, there is no doubt that such a list would find NSA stories in places one...
---------------------------------------------
http://threatpost.com/the-year-in-nsa/103329
*** PIN Skimmer offers a new side channel attack against mobile devices ***
---------------------------------------------
Researchers with the University of Cambridge revealed just how effective PIN Skimmers can be against mobile devices in a recently released study on the new type of side-channel attack.
---------------------------------------------
http://www.scmagazine.com/pin-skimmer-offers-a-new-side-channel-attack-agai…
*** HP Application Information Optimizer Flaw in Archive Query Server Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029542
*** HP Service Manager Input Validation Hole Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029541
*** HPSBMU02959 rev.1 - HP Service Manager WebTier and Windows Client, Cross-Site Scripting (XSS), Execution of Arbitrary Code and other Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Service Manager WebTier and Windows Client. The vulnerabilities could be remotely exploited including cross-site scripting (XSS) and execution of arbitrary code.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** DSA-2828 drupal6 ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2013/dsa-2828
Next End-of-Shift Report on 2014-01-02
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 23-12-2013 18:00 − Freitag 27-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Hintergrund: Erfolgreicher Angriff auf Linux-Verschlüsselung ***
---------------------------------------------
Linux Unified Key Setup (LUKS) ist das Standardverfahren für die Komplettverschlüsselung der Festplatte unter Linux; viele Systeme, darunter Ubuntu 12.04 LTS, setzen dabei LUKS im CBC-Modus ein. Jakob Lell demonstriert, dass diese Kombination anfällig für das Einschleusen einer Hinterür ist.
---------------------------------------------
http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Versch…
*** Protection metrics - November results ***
---------------------------------------------
In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/23/protection-metrics-novem…
*** Turkey: Understanding high malware encounter rates in SIRv15 ***
---------------------------------------------
In our most recent version of the Security Intelligence Report, we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/23/turkey-understanding-hig…
*** Popular Registrar Namecheap Fixes DNS Hijack Bug ***
---------------------------------------------
The domain registrar and Web-hosting company Namecheap has fixed a cross site request forgery vulnerability in its DNS setup page.
---------------------------------------------
http://threatpost.com/popular-registrar-namecheap-fixes-dns-hijack-bug/1032…
*** What a successful exploit of a Linux server looks like ***
---------------------------------------------
Like most mainstream operating systems these days, fully patched installations of Linux provide a level of security that requires a fair amount of malicious hacking to overcome. Those assurances can be completely undone by a single unpatched application, as Andre' DiMino has demonstrated when he documented an Ubuntu machine in his lab being converted into a Bitcoin-mining, denial-of-service-spewing, vulnerability-exploiting hostage under the control of attackers.
---------------------------------------------
http://arstechnica.com/security/2013/12/anatomy-of-a-hack-what-a-successful…
*** Turkey Tops World in Per Capita Malware Encounters ***
---------------------------------------------
Microsoft claims that Turkish machines encounter more malware than computers in any other country in the world.
---------------------------------------------
http://threatpost.com/turkey-tops-world-in-per-capita-malware-encounters/10…
*** New Trojan.Mods mines bitcoins ***
---------------------------------------------
Russian anti-virus company Doctor Web is warning users about a new Trojan.Mods modification that has been dubbed Trojan.Mods.10. This Trojans authors followed the major trend of December 2013 and added a bitcoin miner to the set of Trojan.Mods.10's features. You may recall that Trojan.Mods programs were found in large numbers in the wild in spring 2013 and were primarily designed to intercept browsers DNS queries and redirect users to malignant sites.
---------------------------------------------
http://news.drweb.com/show/?i=4176&lng=en&c=9
*** New CryptoLocker Spreads Via Removable Drives ***
---------------------------------------------
We recently came across a CryptoLocker variant that had one notable feature - it has propagation routines.
Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/new-cryptolocker…
*** OpenSSL mit kaputter Hintertür ***
---------------------------------------------
Die von der NSA als Hintertür entworfene Zufallszahlenfunktion Dual EC findet sich auch in der offenen Krypto-Bibliothek OpenSSL. Allerdings war sie dort funktionsunfähig, ohne dass es jemand bemerkt hätte.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-mit-kaputter-Hintertuer-207237…
*** Big Data and security analytics collide ***
---------------------------------------------
Big Data will become "The next big thing" - a critical re-evaluation and re-tooling of our analytical abilities. This is not about being able to query more data, but being able to query all data.
---------------------------------------------
http://www.scmagazine.com/big-data-and-security-analytics-collide/article/3…
*** Infection found on "feedburner.com" ***
---------------------------------------------
Recently we have seen the websites of MySQL and PHP.net being compromised. We have also blogged about Google Code being used as a drop site for holding malicious code. These instances clearly suggest that attackers are targeting popular websites and using them in their attacks as they are less likely to be blocked by URL filters. This time we found that Google acquired "FeedBurner", which provides custom RSS feeds and management tools to users is hosting an infected page.
---------------------------------------------
http://research.zscaler.com/2013/12/infection-found-on-feedburnercom.html
*** Hackers who breached php.net exposed visitors to highly unusual malware ***
---------------------------------------------
Eight weeks after hackers compromised the official PHP website and laced it with attack code, outside security researchers have uncovered evidence that some visitors were exposed to malware that's highly unusual, if not unique.
---------------------------------------------
http://arstechnica.com/security/2013/12/hackers-who-breached-php-net-expose…
*** Python Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56234
*** Puppet Enterprise Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56251
*** Novell Client Bug Lets Local Users Crash the System ***
---------------------------------------------
http://www.securitytracker.com/id/1029533
*** Cisco IOS XE VTY Authentication security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89901
*** cPanel WHM XML and JSON APIs Arbitrary File Disclosure Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56207
*** VMware Patches Privilege Vulnerability in ESX, ESXi ***
---------------------------------------------
http://threatpost.com/vmware-patches-privilege-vulnerability-in-esx-esxi/10…
*** Zimbra 8.0.2 and 7.2.2 Collaboration Server LFI Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120155
*** Synology DiskStation Manager SLICEUPLOAD Remote Command Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120156
*** RT: Request Tracker 4.0.10 SQL Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013040083
*** Bugtraq: Song Exporter v2.1.1 RS iOS - File Include Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530489
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 20-12-2013 18:00 − Montag 23-12-2013 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** What to Expect in Surveillance Politics in 2014 (Hint: It's Not Reform) ***
---------------------------------------------
You would think that a federal district judge calling the NSA program almost Orwellian would be a good sign for surveillance and privacy in 2014. If you're holding out hope for an act of political courage to end bulk surveillance ...
---------------------------------------------
http://www.wired.com/opinion/2013/12/dont-get-too-excited-about-recent-ruli…
*** DHS Turns To Unpaid Interns For Nations Cyber Security ***
---------------------------------------------
theodp writes "A week after President Obama stressed the importance of computer science to America, the Department of Homeland Security put out a call for 100+ of the nations best-and-brightest college students to work for nothing on the nations cyber security. The unpaid internship program, DHS notes, is the realization of recommendations (PDF) from the Homeland Security Advisory Councils Task Force on CyberSkills, which included execs from Facebook, Lockheed Martin, and Sony, and was...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/leJ5tNqGbgU/story01.htm
*** Microsoft Security Essentials Misses 39% of Malware ***
---------------------------------------------
Barence writes "The latest tests from Dennis Publishings security labs saw Microsoft Security Essentials fail to detect 39% of the real-world malware thrown at it. Dennis Technology Labs (DTL) tested nine home security products on a Windows 7 PC, including Security Essentials, which is distributed free to Windows users and built into Windows 8 in the form of Windows Defender. While the other eight packages all achieved protection scores of 87% or higher - with five scoring 98% or 99%..
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/8Vg-UHP2dqo/story01.htm
*** Kritische Sicherheitslücken in Write-Blocker entdeckt ***
---------------------------------------------
Gleich mehrere Sicherheitslücken entdeckte ein IT-Forensik-Experte in dem neuen Write-Blocker Ditto. Die Folge: Statt seine eigentliche Arbeit zu verrichten, kann das Gerät selbst als Angriffswerkzeug missbraucht werden und Untersuchungen torpedieren.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-Sicherheitsluecken-in-Write-…
*** Strange DNS Queries - Request for Packets, (Sat, Dec 21st) ***
---------------------------------------------
We have received a pcap sample of DNS queries that display a strange behavior. The queries are type ANY for domains ghmn.ru and fkfkfkfa.com. When doing a nslookup, both domains have 100 IPs listed under their domain names with each of them resolving exactly the same last octets (i.e. .1, .10, .100, etc). Queries with the same transaction ID are often repeated several times. The traffic samples we have received indicate the queries are sent by either a host or a server. If anyone else is...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17264&rss
*** evasiOn7: Jailbreak für iOS 7 - mit umstrittenen Funktionen ***
---------------------------------------------
Ein erster Jailbreak für iOS 7, mit dem sich Apps jenseits von Apples App Store installieren lassen, ist verfügbar. Er geriet allerdings wegen Integration eines chinesischen App Stores mit Raubkopien und wegen Verschleierung des Codes gleich in Verruf.
---------------------------------------------
http://www.heise.de/security/meldung/evasiOn7-Jailbreak-fuer-iOS-7-mit-umst…
*** Backdoor in Krypto-Software: RSA Security dementiert NSA-Zahlungen ***
---------------------------------------------
Man habe "niemals einen geheimen Vertrag mit der NSA geschlossen, um einen bekannt anfälligen Zufallszahlengenerator in die Verschlüsselungsbibliotheken von BSAFE zu integrieren", betont RSA Security - leugnet aber keineswegs Zusammenarbeit mit der NSA.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Backdoor-in-Krypto-Software-RSA-Secu…
*** Anti-Bruteforce-Tool DenyHosts sperrt Admins aus ***
---------------------------------------------
Admins, die ihre Server mit DenyHosts vor Brute-Force-Angriffen schützen, müssen handeln - andernfalls stehen sie möglicherweise bald vor verschlossenen Türen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Anti-Bruteforce-Tool-DenyHosts-sperr…
*** How I hacked a journalist ***
---------------------------------------------
It started off as a follow-up to a story a journalist had written several years ago. The story was about data protection, and had showed that a simple subject access request could provide you with enough information to steal someone's identity. Now, Claudia Joseph wanted to see if anything had changed and to update the world on the new dangers. What would happen if somebody was able to infiltrate your online life? Claudia contacted us and started the conversation with "Can you hack...
---------------------------------------------
http://www.nccgroup.com/en/blog/2013/12/how-i-hacked-a-journalist/
*** Practical malleability attack against CBC-Encrypted LUKS partitions ***
---------------------------------------------
Topic: Practical malleability attack against CBC-Encrypted LUKS partitions Risk: Medium Text:Article location: http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-agai…...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120153
*** Alert: Adobe License Key Email Scam ***
---------------------------------------------
Adobe is aware of reports that a phishing campaign is underway involving malicious email purporting to deliver license keys for a variety of Adobe offerings. Customers who receive one of these emails should delete it immediately without downloading attachments or...
---------------------------------------------
http://blogs.adobe.com/psirt/2013/12/20/alert-adobe-license-key-email-scam/
*** [webapps] - Jenkins 1.523 - Inject Persistent HTML Code ***
---------------------------------------------
http://www.exploit-db.com/exploits/30408
*** Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server Community 3.0.0.4 October 2013 CPU (CVE-2013-5802,CVE-2013-5825) ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server Community 3.0.0.4. CVE(s): CVE-2013-5802, and CVE-2013-5825 Affected product(s) and affected version(s): WebSphere Application Server Community Edition 3.0.0.4 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21660594 X-Force Database:...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Security Bulletin: Fix available for Unauthorized Information Retrieval Security Vulnerability in IBM WebSphere Portal (CVE-2013-6735) ***
---------------------------------------------
A fix that blocks unauthorized information retrieval is available for a security vulnerability in IBM WebSphere Portal.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21660289
*** Wordpress information leakage and backdoor in writing settings ***
---------------------------------------------
Topic: Wordpress information leakage and backdoor in writing settings Risk: High Text:Hello list! As Ive announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordPr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120152
*** Synology DiskStation Manager (DSM) multiple scripts directory traversal ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89892
*** Avant Browser Rendering Engines Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56242
*** Nagios "process_cgivars()" Off-By-One Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55976
Next End-of-Shift Report on 2013-12-27
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 19-12-2013 18:00 − Freitag 20-12-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Do You Hear What I Hear? ***
---------------------------------------------
This article, recently published in the Journal of Communications, adds another log to the BadBIOS fire. It has been stated that devices in the BadBIOS case are communicating across an air-gap with commodity PC audio hardware. This paper clearly spells out one workable way to communicate in this way. Even if this doesn't end up...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XrnMZDjVZpk/
*** NSA's broken Dual_EC random number generator has a "fatal bug" in OpenSSL ***
---------------------------------------------
No plans to fix a bug in "toxic" algorithm that no one seems to use.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/DAvvFpw-R04/story01…
*** Microsoft warnt vor signierter Malware ***
---------------------------------------------
Immer mehr Schädlinge tragen eine gültige digitale Signatur. Die Unterschriften werden typischerweise mit gestohlenen Entwicklerzertifikaten erstellt.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-warnt-vor-signierter-Malware…
*** Exploiting Password Recovery Functionalities ***
---------------------------------------------
Password recovery functionalities can result in vulnerabilities in the same application they are intended to protect. Vulnerabilities such as username enumeration (showing different error messages when the user exists or not in the database), sensitive information disclosure (sending the password in clear-text by e-mail to user) and recover password message hijack (involving an attacker receiving a copy of the recover password message) are some common vulnerabilities that may be found in a...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/exploiting-password-recovery-functionali…
*** Quick Joomla Refresher ***
---------------------------------------------
I havent come into contact with Joomla for a while, but I had the opportunity recently in a penetration test of a web site that was running the popular Content Management System (CMS). In this blog post I mention some of the tools I used to check the security of a particular Joomla installation and comment upon their effectiveness. Depending on your source, Joomla is within the top five contenders for the most popular CMS. Alternatives include WordPress, Drupal and others. CMS frameworks have...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/quick-joomla-refresher.html
*** Not quite the average exploit kit: Zuponcic ***
---------------------------------------------
This post connects three recent developments in the realm of malware infections: .htaccess server compromise, the Zuponcic exploit kit and the Ponmocup botnet. It seems that the defacto standard of exploit kits is getting competition. Understanding how this exploit kit works will give you a better chance of defending against it and for identifying the .htaccess compromise on your server.
---------------------------------------------
http://blog.fox-it.com/2013/12/19/not-quite-the-average-exploit-kit-zuponci…
*** Nach BKA-Einsatz: ZeroAccess-Botnetz streicht die Segel ***
---------------------------------------------
Die Drahtzieher hinter dem ZeroAccess-Botnetz schwenken die virtuelle weiße Fahne. Nach weiteren Aktionen der Strafverfolgungsbehörden haben sie das Bot hüten anscheinend vorerst aufgegeben.
---------------------------------------------
http://www.heise.de/security/meldung/Nach-BKA-Einsatz-ZeroAccess-Botnetz-st…
*** Digitale Forensik: Ungelöste Probleme bei Beweissicherung digitaler Artefakte ***
---------------------------------------------
Etliche Probleme der Beweissicherung digitaler Artefakte sind noch längst nicht gelöst, zeigte sich auf dem Workshop Forensik und Internetkriminalität. Dazu lieferte das BSI ein Lagebild, das von einem ungebrochenen Anstieg der Netzkriminalität ausgeht.
---------------------------------------------
http://www.heise.de/security/meldung/Digitale-Forensik-Ungeloeste-Probleme-…
*** BitTorrent stellt Peer-to-Peer-Chat-System vor ***
---------------------------------------------
Als Antwort auf die flächendeckende NSA-Schnüffelei hat BitTorrent ein Chat-System entwickelt, das ohne zentralen Server auskommt und anonyme, verschlüsselte Kommunikation ermöglicht.
---------------------------------------------
http://www.heise.de/security/meldung/BitTorrent-stellt-Peer-to-Peer-Chat-Sy…
*** Erneute Lücke in OpenX wird aktiv ausgenutzt ***
---------------------------------------------
Kritische Sicherheitslücken in der aktuellen Version der Anzeigen-Server-Software OpenX und in dessen Fork Revive werden genutzt, um Schad-Software zu verteilen. Das CERT-Bund benachrichtigt täglich mehrere betroffene Server-Betreiber.
---------------------------------------------
http://www.heise.de/security/meldung/Erneute-Luecke-in-OpenX-wird-aktiv-aus…
*** Viren-Statistiken: Rückblick finster, Ausblick noch finsterer ***
---------------------------------------------
Das Jahr 2014 hält für Smartphone-Benutzer besonders viele digitale Angriffe bereit, sagen Antivirenhersteller nach Auswertung ihrer Statistiken.
---------------------------------------------
http://www.heise.de/security/meldung/Viren-Statistiken-Rueckblick-finster-A…
*** RSA Archer eGRC Input Validation Flaws Permit Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029523
*** WordPress URL Redirector Abuse and XSS vulnerabilities ***
---------------------------------------------
Topic: WordPress URL Redirector Abuse and XSS vulnerabilities Risk: Low Text:Hello list! As Ive announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordP...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120142
*** Google Picasa RAW Image Parsing Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55555
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56146
*** Hitachi Cosminexus Products XML External Entities Information Disclosure Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56142
*** IBM Security Access Manager for Enterprise Single Sign-On Security Issue and Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56176
*** Revive Adserver "what" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55963
*** Apache Santuario DTD Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029524
*** Apple Motion Memory Access Error Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029521
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 18-12-2013 18:00 − Donnerstag 19-12-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** IBM HTTP Server GSKit SSLv2 Session Resuming Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in IBM HTTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/56058
*** Tor use best practices ***
---------------------------------------------
To date the NSA's and FBI's primary attacks on Tor users have been MITM attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user's computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.
---------------------------------------------
http://digital-era.net/tor-use-best-practices/
*** New DDoS Bot Has a Fancy For Ferrets ***
---------------------------------------------
Researchers at Arbor Networks have discovered a new denial of service botnet called Trojan.Ferret.
---------------------------------------------
http://threatpost.com/new-ddos-bot-has-a-fancy-for-ferrets/103226
*** WordPress S3 Video Plugin "base" Cross-Site Scripting Vulnerability ***
---------------------------------------------
Input passed to the "base" GET parameter in wp-content/plugins/s3-video/views/video-management/preview_video.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is confirmed in version 0.96 and reported in versions prior to 0.983.
---------------------------------------------
https://secunia.com/advisories/56167
*** IrfanView GIF buffer overflow ***
---------------------------------------------
IrfanView is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when processing the LZW code stream within GIF files. By persuading a victim to open a specially-crafted GIF file containing an overly long LZW code stream, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89820
*** NovaTech Orion DNP3 Improper Input Validation Vulnerability ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the NovaTech Orion Substation Automation Platform. NovaTech has produced a firmware update that mitigates this vulnerability. The researchers have tested the firmware update to validate that it resolves the vulnerability.This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-352-01
*** IBM iNotes email message active content cross-site scripting ***
---------------------------------------------
IBM iNotes is vulnerable to cross-site scripting, caused by improper validation of active content within an email message. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or other sensitive information.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86594
*** IBM iNotes ultra-light mode persistent cross-site scripting ***
---------------------------------------------
IBM iNotes is vulnerable to cross-site scripting in the ultra-light mode, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject and execute malicious script in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or other sensitive information.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86595
*** SSA-742938 (Last Update 2013-12-17): Open Ports in SINAMICS S/G Firmware ***
---------------------------------------------
SSA-742938 (Last Update 2013-12-17): Open Ports in SINAMICS S/G Firmware
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** SA-CONTRIB-2013-098 - Ubercart - Session Fixation Vulnerability ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-098Project: Ubercart (third-party module)Version: 6.x, 7.xDate: 2013-12-18Security risk: Less criticalExploitable from: RemoteVulnerability: Session FixationDescriptionThe Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal.The module doesnt sufficiently protect against session fixation attacks when a user is automatically logged in to a newly created account during checkout.This vulnerability is mitigated by the fact that
---------------------------------------------
https://drupal.org/node/2158651
*** Researchers propose international vulnerability purchase plan ***
---------------------------------------------
In a bid to cut down on costs and eliminate potential misuse, NSS Labs has put forth an initiative imploring vendors to purchase vulnerabilities.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/I9nD_zWQzsI/
*** cURL Certificate Validation Flaw Lets Remote Users Spoof SSL Servers ***
---------------------------------------------
A vulnerability was reported in cURL. A remote user that can conduct a man-in-the-middle attack can spoof SSL servers.
The software does not properly verify the certificate CN or SAN name field in certain cases. A remote user that can conduct a man-in-the-middle attack can spoof SSL servers.
Systems that use GnuTLS as the TLS backend are affected.
Systems with digital signature verification (CURLOPT_SSL_VERIFYPEER) disabled are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029517
*** OpenJPEG Heap Overflows Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
Several vulnerabilities were reported in OpenJPEG. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.
A remote user can create a specially crafted image file that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target system [CVE-2013-6045, CVE-2013-6054]. The code will run with the privileges of the target user.
A remote user can create a specially crafted image file that, when loaded by the target user, will cause the application that uses openJPEG to crash [CVE-2013-1447, CVE-2013-6052].
---------------------------------------------
http://www.securitytracker.com/id/1029514
*** Splunk Enterprise Data Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
A vulnerability was reported in Splunk Enterprise. A remote user can cause denial of service conditions.
A remote user can send specially crafted data to cause the target server to become unavailable.
Systems configured as data 'receivers' on the listening or receiving port(s) are affected, including instances configured as indexers and forwarders configured as intermediate forwarders.
---------------------------------------------
http://www.securitytracker.com/id/1029519
*** Blog: Malware in metadata ***
---------------------------------------------
One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview.There are some things that I find every time I check my stats, like URLs that have been infected for more than 200 days, even being notified. That speaks of the lack of security awareness on some companies, and how
---------------------------------------------
http://www.securelist.com/en/blog/208214192/Malware_in_metadata
*** Factsheet Stop using Windows XP ***
---------------------------------------------
Microsoft will stop issuing Windows XP updates as of 8 April 2014. The operating system will receive the end-of-life status. The NCSC advises, together with DefCERT, Microsoft and Team High Tech Crime, to no longer use Windows XP, but to switch to another operating system.
---------------------------------------------
http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fact…
*** Cisco Unified Communications Manager Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the disaster recovery system (DRS) of Cisco Unified Communications Manager (UCM) could allow an authenticated, remote attacker to acquire sensitive information about DRS-related devices.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** [Announce] [security fix] GnuPG 1.4.16 released ***
---------------------------------------------
Along with the publication of an interesting new side channel attack by Daniel Genkin, Adi Shamir, and Eran Tromer we announce the availability of a new stable GnuPG release to relieve this bug: Version 1.4.16. [...] Whats New =========== * Fixed the RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack as described by Genkin, Shamir, and Tromer. See . [CVE-2013-4576]
---------------------------------------------
http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html
*** Acoustic Cryptanalysis ***
---------------------------------------------
This is neat: Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPGs current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/acoustic_crypta.html
*** Apache XML Security Transforms Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Apache XML Security, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library.
The vulnerability is caused due to an error when applying Transforms and can be exploited to exhaust memory resources and cause a crash.
The vulnerability is reported in versions prior to 1.5.6.
---------------------------------------------
https://secunia.com/advisories/55639
*** TRENDnet Multiple Products Telnet Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in multiple TRENDnet products, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to a certain undocumented functionality, which can be exploited to enable telnet management and subsequently manipulate device configuration.
---------------------------------------------
https://secunia.com/advisories/55890
*** Icinga Off-By-One and Buffer Overflow Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Icinga, which can be exploited by malicious users to potentially cause a DoS (Denial of Service) and compromise a vulnerable system.
1) Some boundary errors within the web interface when processing CGI parameters can be exploited to cause stack-based buffer overflows.
Successful exploitation of this vulnerability may allow execution of arbitrary code.
2) An off-by-one error within the "process_cgivars()" function can be exploited to cause an out of bounds read memory access.
The vulnerabilities are reported in versions prior to 1.10.2, 1.9.4, and 1.8.5.
---------------------------------------------
https://secunia.com/advisories/55987
*** Icinga Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Icinga, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions if a logged-in administrator visits a malicious web site.
The vulnerability is reported in version 1.10.2. Other versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/55990
*** A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools ***
---------------------------------------------
The over-hyped market valuation of the buzzing P2P E-currency, Bitcoin, quickly gained the attention of cybercriminals internationally who promptly adapted to its sky rocketing valuation by releasing commercially available stealth Bitcoin miners, Bitcoin wallet stealing malware, as well as actually starting to offer the source code for their releases in an attempt to monetize their know-how and expertise in this area. Throughout 2013, we profiled several subscription based stealth Bitcoin
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/nKXPdGwlKk4/
*** IBM Domino / iNotes Script Insertion and Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in IBM Domino and IBM iNotes, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/56164
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 17-12-2013 18:00 − Mittwoch 18-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC) ***
---------------------------------------------
In need of a fresh example that malicious and fraudulent adversaries continue professionalizing, and standardizing demanded cybercrime-friendly products and services, all for the sake of monetizing their experience and expertise in the profitable world of cybercrime? Publicly launched around the middle of 2013, a product/training course targeting novice cybercriminals is offering them a manual, recommendations for open source/free software, as well as access to a private forum set up for...
---------------------------------------------
http://www.webroot.com/blog/2013/12/17/cybercriminals-offer-fellow-cybercri…
*** Apple stopft Lücken in WebKit und Safari ***
---------------------------------------------
Mit den Safari-Versionen 6.1.1 und 7.0.1 behebt Apple einige Speicherverwaltungsfehler in WebKit, die zur Ausführung von Schadcode über das Internet missbraucht werden können.
---------------------------------------------
http://www.heise.de/security/meldung/Apple-stopft-Luecken-in-WebKit-und-Saf…
*** DGA Changer Malware Able to Modify Domain-Generation Seed on the Fly ***
---------------------------------------------
Malware authors have been using domain-generation algorithms for a few years now, often in botnet-related malware that needs to stay one step ahead of takedown attempts and law enforcement agencies. Now, researchers have discovered that a strain of malware that may have been part of the attack in October on PHP.net is employing a DGA...
---------------------------------------------
http://threatpost.com/dga-changer-malware-able-to-modify-domain-generation-…
*** The Biggest Skimmers of All: Fake ATMs ***
---------------------------------------------
This blog has spotlighted some incredibly elaborate and minaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top...
---------------------------------------------
http://krebsonsecurity.com/2013/12/the-biggest-skimmers-of-all-fake-atms/
*** A quick look at a (new?) cross-platform DDoS botnet ***
---------------------------------------------
At the beginning of December we started to observe a new botnet spreading on both Linux and Windows machines. In case of the Linux operating systems, the bot was installed through an SSH dictionary attack. The attacker logged in to compromised server and simply downloaded and executed a bot file. The malware...
---------------------------------------------
https://www.cert.pl/news/7849/langswitch_lang/en
*** [SECURITY] [DSA 2821-1] gnupg security update ***
---------------------------------------------
http://lists.debian.org/debian-security-announce/2013/msg00235.html
*** Cisco ONS 15454 Transport Node Controller Denial of Service Vulnerability ***
---------------------------------------------
An issue in the tNetTaskLimit process of the Cisco ONS 15454 Transport Node Controller (TNC) could allow an unauthenticated, remote attacker to cause the TNC to reload due to a watchdog timeout.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Security Bulletin: Multiple vulnerabilities in IBM SPSS Collaboration and Deployment Services ***
---------------------------------------------
Multiple vulnerabilities exist in IBM SPSS Collaboration and Deployment Services. See the individual descriptions for details.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21660191
*** IBM Scale Out Network Attached Storage (SONAS) Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in IBM Scale Out Network Attached Storage, which can be exploited by malicious people to conduct spoofing attacks, disclose potentially sensitive information, bypass certain security restrictions, and compromise a user's system.
---------------------------------------------
https://secunia.com/advisories/56095
*** Security Bulletin: GSKit SSL negotiation vulnerability in Tivoli Access Manager for e-business (CVE-2013-6329) ***
---------------------------------------------
A vulnerability has been identified in the GSKit component utilized by Tivoli Access Manager for e-business (TAM). A specially crafted SSL message can cause the TAM server component using GSKit to crash CVE(s): CVE-2013-6329 Affected product(s) and affected version(s): All supported Tivoli Access Manager for e-business versions are affected.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_gsk…
*** RealOne RMP File Heap Overflow Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029511
*** Vuln: Juvia Ruby on Rails secret_token.rb Default Secret Key Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64368
*** Vuln: ownCloud Admin Page Unspecified Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63926
*** Zimbra Collaboration Server Unspecified Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56138
*** Python Hash Collision Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55955
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 16-12-2013 18:00 − Dienstag 17-12-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Rapid7 Webcasts: A Great Week to Learn About Pentesting SAP Infrastructures ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/16/rapid7-we…
*** Three Books You Too Should Read This Year (Or Early 2014) ***
---------------------------------------------
For the holiday season, The Grumpy Reader fishes out a selecton of recent books you should read even if you think youre too busy.Im sure youve had that feeling too: There are times when theres too much coming your way when youre already busy, so some things just fall by the wayside for too long. In my case the victims of my unpredictable schedule were books that publishers sent me for review in one form or the other, and those reviews just never got written as I wanted to in between other...
---------------------------------------------
http://bsdly.blogspot.com/2013/12/three-books-you-too-should-read-this.html
*** How hackers made minced meat of Department of Engergy networks ***
---------------------------------------------
Hint: Some critical security patches not installed for years.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/HKg_RoYby0g/story01…
*** Predictions for 2014 and the December 2013 Security Bulletin Webcast, Q&A, and Slide Deck ***
---------------------------------------------
Today we're publishing the December 2013 Security Bulletin Webcast Questions & Answers page. We answered 17 questions in total, with the majority of questions focusing on the Graphics Component bulletin (MS13-096), Security Advisory 2915720 and Security Advisory 2905247. We also wanted to note a new blog on the Microsoft Security Blog site on the top cyber threat predications for 2014. Topics from ransomware to regulation are covered by seven of Trustworthy Computing's top...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/12/16/predictions-for-2014-and…
*** Dissection of Zertsecurity - Banking Trojan. ***
---------------------------------------------
Zertsecurity is a well known banking Trojan based on phishing schemes targeting German Android users. Lets see how it works. After installing the application, it prompts the user for account and PIN numbers. The application takes the values of the account and PIN numbers via input boxes and saves them to the cfg.txt file. It then sends this file to a remote command and control (C&C)...
---------------------------------------------
http://research.zscaler.com/2013/12/dissection-of-zertsecurity-banking.html
*** The Case for a Compulsory Bug Bounty ***
---------------------------------------------
Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their...
---------------------------------------------
http://krebsonsecurity.com/2013/12/the-case-for-a-compulsory-bug-bounty/
*** Big Data in Security ***
---------------------------------------------
Cisco's TRAC team about Big Data security challenges, tools and methodologies.
---------------------------------------------
http://blogs.cisco.com/security/big-data-in-security-part-i-trac-tools/http://blogs.cisco.com/security/big-data-in-security-part-ii-the-amplab-sta…http://blogs.cisco.com/security/big-data-in-security-part-iii-graph-analyti…http://blogs.cisco.com/security/big-data-in-security-part-iv-email-auto-rul…http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-i…
*** Hintergrund: iOS-Verschlüsselung durchleuchtet ***
---------------------------------------------
Neben der Hardware-Verschlüsselung bietet iOS noch eine optionale Datei-Verschlüsselung. Bei iOS 7 hat Apple deren Einsatz für Apps automatisiert. Allerdings genehmigt sich Apple selbst großzügige Ausnahmen für eigene Anwendungen.
---------------------------------------------
http://www.heise.de/security/artikel/iOS-Verschluesselung-durchleuchtet-206…
*** Android anti-virus apps CANT kill nasties on sight like normal AV - and thats Googles fault ***
---------------------------------------------
Bad news if youre not a tech-savvy fandroid Android users expecting Windows levels of performance from Android-specific anti-virus packages are likely to be disappointed because only Google can automatically delete dodgy apps on Android devices, say malware experts.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/12/17/android_ant…
*** Apple security updates Mac OS X and Safari, (Tue, Dec 17th) ***
---------------------------------------------
Apple have released the following security advisories and updates for Mac OS X and Safari. OS X Mavericks v10.9.1 and APPLE-SA-2013-12-16-1 Safari 6.1.1 and Safari 7.0.1. More information will be available from their web site: http://support.apple.com/kb/HT1222
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17234
*** Blog: ChewBacca - a new episode of Tor-based Malware ***
---------------------------------------------
We have discovered a new Tor-based malware, named "ChewBacca" and detected as "Trojan.Win32.Fsysna.fej". Adding Tor to malware is not unique to this sample, but it's still a rare feature. Lately Tor has become more attractive as a service to ensure users' anonymity. Also criminals use it for their activities, but they are only slowly adopting this to host their malicious infrastructure.
---------------------------------------------
http://www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_…
*** Trojan.Skimer.18 infects ATMs ***
---------------------------------------------
December 16, 2013 Russian anti-virus company Doctor Web is warning users about the Trojan program Trojan.Skimer.18. The criminals behind this malware are targeting ATMs of one of the worlds largest manufacturers. The Trojan can intercept and transmit bank card information processed by ATMs as well as data stored on the card and its PIN code. Trojan.Skimer.18 is by no means the first backdoor to infect ATM software, but it is the first to target devices so common throughout the world. The
---------------------------------------------
http://news.drweb.com/show/?i=4167&lng=en&c=9
*** Cisco EPC3925 cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89713
*** Bugtraq: [security bulletin] HPSBHF02953 rev.1 - HP B-series SAN Network Advisor, Remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530357
*** Asterisk Dialplan Functions Let Remote Authenticated Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1029500
*** Asterisk SMS Message Buffer Overflow Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029499
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 13-12-2013 18:00 − Montag 16-12-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Bitcoin Mining Operation Seen Across Numerous Malware Families ***
---------------------------------------------
The talent over at Malwarebytes broke a story this week regarding Fake Flash Player phishing attempts dropping malicious content onto victim machines for the purpose of mining Bitcoins. The threat tricks users into thinking that they are downloading a new version of Flash Player. In actuality, the threat drops a few malicious executables (stored in "[username]/AppData/Roaming/Data"), called...
---------------------------------------------
http://research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.ht…
*** IETF To Change TLS Implementation In Applications ***
---------------------------------------------
Trailrunner7 writes "The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/5p7fpD5WwtY/story01.htm
*** Predictions for 2014 ***
---------------------------------------------
2014 is less than one month away, what better time to ask ourselves about the top security trends to watch for in the coming year. Malware Creation: OK, this won't sound too original but it is a safe bet to say that malware creation will hit a new record high in 2014. Actually, such was...
---------------------------------------------
http://pandalabs.pandasecurity.com/predictions-for-2014/
*** Botnet Enlists Firefox Users to Hack Web Sites ***
---------------------------------------------
An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for vulnerabilities that can be used to install malware, an investigation by KrebsOnSecurity has discovered.
---------------------------------------------
http://krebsonsecurity.com/2013/12/botnet-enlists-firefox-users-to-hack-web…
*** Cybercriminals Using Targeted Attack Methodologies (Part 1) ***
---------------------------------------------
One of our 2014 security predictions is that cyber criminals will more frequently leverage targeted attack methodologies. Some of these tactics include using spear phishing attacks, as well as well-known vulnerabilities that have been used successfully in targeted attacks. Let's see why cybercriminals are taking a closer look at these techniques, and how this can...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/CY7n7WI2qUY/
*** Attacking Online Poker Players ***
---------------------------------------------
This story is about how at least two professional online poker players had their hotel rooms broken into and their computers infected with malware. I agree with the conclusion: So, whats the moral of the story? If you have a laptop that is used to move large amounts of money, take good care of it. Lock the keyboard when you...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/attacking_onlin.html
*** P2P-Botnetz ZeroAccess kaum tot zu kriegen ***
---------------------------------------------
Die gemeinsame Aktion von Microsoft, dem FBI und Europol, die zum Ziel hatte, das Klickbetrug-Botnetz ZeroAccess lahmzulegen schoss wohl größtenteils am Ziel vorbei. Das Botnetz scheint nach wie vor quicklebendig.
---------------------------------------------
http://www.heise.de/security/meldung/P2P-Botnetz-ZeroAccess-kaum-tot-zu-kri…
*** Bogus Antivirus Program Uses a Dozen Stolen Signing Certificates ***
---------------------------------------------
A fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching the networks of software developers, Microsoft wrote on Sunday. The application, branded as "Antivirus Security Pro," was first detected in 2009 and has gone by a handful of other names over the years, according to a Microsoft advisory, which calls it by a single name, "Win32/Winwebsec."
---------------------------------------------
http://www.cio.com/article/744689/Bogus_Antivirus_Program_Uses_a_Dozen_Stol…
*** Old Apple Safaris leave IDs and passwords for scavengers to peck ***
---------------------------------------------
... the problem derives from Safaris retention of browser history as applied in the "Reopen All Windows from Last Session" feature that enables users to quickly revisit the sites they opened during a previous Safari session. Sadly, however, Kaspersky has found that the document Safari creates to allow such restoration is in plaintext and contains user IDs and passwords. The file is hidden, but isnt hard to find once you know what you are looking for.
---------------------------------------------
http://www.theregister.co.uk/2013/12/16/kaspersky_says_old_apple_safaris_ex…
*** Newly launched 'HTTP-based botnet setup as a service' empowers novice cybercriminals with bulletproof hosting capabilities - part three ***
---------------------------------------------
In a series of blog posts throughout 2013, we emphasized on the lowering of the entry barriers into the world of cybercrime, largely made possible by the rise of managed services, the re-emergence of the DIY (do-it-yourself) trend, and the development of niche market segments, like the practice of setting up and offering bulletproof hosting for a novice cybercriminal's botnet generating platform. The proliferation of these easy to use, once only found in the arsenal of tools of the
---------------------------------------------
http://www.webroot.com/blog/blog/2013/12/16/newly-launched-http-based-botne…
*** Siemens COMOS Privilege Escalation ***
---------------------------------------------
Siemens notified NCCIC/ICS-CERT of a privilege escalation vulnerability in the Siemens COMOS database application. An update has been produced by Siemens and is available to resolve the vulnerability.The client application used for accessing the database system might allow authenticated Windows users to elevate their rights in regard to the database access over the COMOS graphical user interface
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-347-01
*** Cisco WebEx Training Center open redirect ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89686
*** WordPress Broken Link Checker Plugin Two Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56053
*** IBM Rational Focal Point Webservice Axis Gateway information disclosure 1 ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87293
*** IBM Rational Focal Point Webservice Axis Gateway information disclosure 2 ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87294
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 12-12-2013 18:00 − Freitag 13-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Robert Waldner
*** Android 4.4.2 Update Fixes Flash SMS DoS Vulnerability ***
---------------------------------------------
Google has patched a previously disclosed issue in its Nexus line of phones that could have opened a user up to a nasty series of SMS-based denial of service attacks.
---------------------------------------------
http://threatpost.com/android-4-4-2-update-fixes-flash-sms-dos-vulnerabilit…
*** Tumblr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account registration tools ***
---------------------------------------------
Next to the ubiquitous for the cybercrime ecosystem, traffic acquisition tactics such as, blackhat SEO (search engine optimization), malvertising, embedded/injected redirectors/doorways on legitimate Web sites, establishing purely malicious infrastructure, and social engineering driven spam campaigns, cybercriminals are also masters of utilizing social media for the purpose of attracting traffic to their fraudulent/malicious campaigns.
---------------------------------------------
http://www.webroot.com/blog/blog/2013/12/12/tumblr-fire-diy-captcha-solving…
*** Bitcoin-Related Malware Continues to Flourish ***
---------------------------------------------
One good way to measure the popularity of an emerging technology or trend is to see how much attention attackers and malware authors are paying it. Using that as a yardstick, Bitcoin is moving its way up the charts in a hurry. The latest indication is some malware that researchers at Arbor Networks identified that ...
---------------------------------------------
http://threatpost.com/bitcoin-related-malware-continues-to-flourish/103177
*** WordPress OptimizePress Theme - File Upload Vulnerability ***
---------------------------------------------
We´re a few days short on this, but it´s still worth releasing as the number of attacks against this vulnerability are increasing ten-fold.
The folks at OSIRT were the first to report this in late November, 2013. In our cases we´re seeing mostly defacement attacks, and although not devastating, they can be a big nuisance for an unsuspecting website owner.
---------------------------------------------
http://blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vu…
*** Weekly Metasploit Update: New Meterpreter Extended API, Learning About HttpServer, HttpClient, and SAP ***
---------------------------------------------
Weekly Metasploit Update: New Meterpreter Extended API, Learning About HttpServer, HttpClient, and SAP
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/12/weekly-me…
*** VU#586958: SketchUp Viewer buffer overflow vulnerability ***
---------------------------------------------
Vulnerability Note VU#586958 SketchUp Viewer buffer overflow vulnerability Original Release date: 12 Dec 2013 | Last revised: 12 Dec 2013 Overview SketchUp Viewer version 13.0.4124 is vulnerable to a buffer overflow when opening a malformed .SKP file. Description CWE-121: Stack-based Buffer Overflow - CVE-2013-6038SketchUp Viewer version 13.0.4124 is vulnerable to a stack buffer overflow when parsing a specially crafted .SKP file. When executed, it may allow a remote unauthenticated attacker
---------------------------------------------
http://www.kb.cert.org/vuls/id/586958
*** Cooper Power Systems Improper Input Validation Vulnerability ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the Cooper Power Systems SMP Gateway DNP3 protocol components. Cooper Power Systems has produced a new firmware version that mitigates this vulnerability. The researchers have tested the new firmware version to validate that it resolves the vulnerability.This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-346-01
*** Dear Gmailer: I know what you read last summer (and last night and today) ***
---------------------------------------------
How Gmails image tweak is a boon to marketers, stalkers, and debt collectors.
---------------------------------------------
http://arstechnica.com/security/2013/12/dear-gmailer-i-know-what-you-read-l…
*** Report: Bot traffic is up to 61.5% of all website traffic ***
---------------------------------------------
Last March we published a study that showed the majority of website traffic (51%) was generated by non-human entities, 60% of which were clearly malicious. As we soon learned, these facts came as a surprise to many Internet users, for whom they served as a rare glimpse of 'in between the lines' of Google Analytics.
---------------------------------------------
http://www.incapsula.com/the-incapsula-blog/item/820-bot-traffic-report-2013
*** Five Deadly Security Venoms - Youre Still Doing it Wrong ***
---------------------------------------------
With all the hype and hooplah surrounding the US governments tapping of everything under the sun, I have seen an influx of articles related to security. "This is how you encrypt!", "this is how you secure!", "this is how... Youre doing it wrong."
---------------------------------------------
http://infiltrated.net/index.php?option=com_content&view=article&id=61
*** Tech Pick of the Week: Log anomaly detection tools ***
---------------------------------------------
An important part of creating successful digital services is the ability to monitor system´s health and to respond to exceptional situations in a timely fashion. Log files contain information that a maintainer needs in figuring out causes for application failures or unexpected behavior.
---------------------------------------------
http://blog.futurice.com/tech-pick-of-the-week-log-anomaly-detection-tools
*** New Gmail image server proxies raise security risks ***
---------------------------------------------
A new Gmail policy that allows e-mailed image attachments to load automatically comes at a price, say two security researchers. Google announced on Thursday that Gmail would once again load attached images by default. The feature had been disabled years ago, as a way of clamping down on malware and phishing attacks.
---------------------------------------------
http://news.cnet.com/8301-1009_3-57615502-83/new-gmail-image-server-proxies…
*** Top 8 breaches in 2013 ***
---------------------------------------------
>From the headline-grabbing Adobe breach to LivingSocials password debacle, here are the top 8 breaches that have occurred this year and created even more security awareness.
---------------------------------------------
http://www.scmagazine.com/top-8-breaches-in-2013/slideshow/1673/
*** Hacked Via RDP: Really Dumb Passwords ***
---------------------------------------------
Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Todays post examines an underground service which rents access to hacked PCs at organizations that make this all-too-common mistake.
---------------------------------------------
http://krebsonsecurity.com/2013/12/hacked-via-rdp-really-dumb-passwords/
*** Safari Stores Previous Secure Browsing Session Data Unencrypted ***
---------------------------------------------
The Safari browser stores data from previous sessions in an unencrypted format on a hidden folder that leaves users vulnerable to information loss.
---------------------------------------------
http://threatpost.com/safari-stores-previous-secure-browsing-session-data-u…
*** Debian update for php5 ***
---------------------------------------------
https://secunia.com/advisories/55918
*** Cisco Unified Communications Manager - TFTP Service ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120093
*** libvirt Bugs Let Remote and Local Users Deny Service and Let Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1029444
*** Ruby Gem Webbynode 1.0.5.3 Command injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120095
*** Vuln: Monitorix HTTP Server handle_request() Remote Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64178
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 11-12-2013 18:00 − Donnerstag 12-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, SoundCloud and Google+'s ToS ***
---------------------------------------------
With social media, now an inseparable part of the marketing expenditures for every modern organization, cybercriminals quickly adapted to the ongoing buzz, and over the last couple of years, have been persistently supplying the market segment with social media metrics performance boosts, in the the form of bogus likes, dislikes, comments, favorites, subscribers, and video/music plays.
---------------------------------------------
http://www.webroot.com/blog/2013/12/11/cybercriminals-efficiently-violate-m…
*** Inside the TextSecure, CyanogenMod Integration ***
---------------------------------------------
Moxie Marlinspike explains how Open WhisperSystems plans to bring end-to-end encrypted secure communications to major platforms such as Android, iOS and popular Web browsers.
---------------------------------------------
http://threatpost.com/inside-the-textsecure-cyanogenmod-integration/103164
*** The Kernel is calling a zero(day) pointer - CVE-2013-5065 - Ring Ring ***
---------------------------------------------
SpiderLabs investigates a number of suspicious binary files on a daily basis. A week ago we came across a PDF file which had two different vulnerabilities, a remote-code-execution vulnerability in Adobe Reader and a new escalation-of-privileges vulnerability in Windows Kernel.
---------------------------------------------
http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-…
*** Software defense: mitigating common exploitation techniques ***
---------------------------------------------
In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve stack corruption, heap corruption, and unsafe list management and reference count mismanagement. These mitigations are typically associated with a specific developer mistake such as writing beyond the bounds of a stack or heap buffer, failing to correctly track reference counts, and so on.
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2013/12/11/software-defense-mitigati…
*** Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs ***
---------------------------------------------
This week, FireEye released a report detailing how Chinese-speaking advanced persistent threat (APT) actors systematically attacked European ministries of foreign affairs (MFAs). Within 24 hours, the Chinese government officially responded.
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke…
*** Blog: Forecasts for 2014 - expert opinion ***
---------------------------------------------
In 2014 we expect significant growth in the number of threats related to economic and domestic cyber-espionage, with cyber-mercenaries/cyber-detectives playing an active role in such attacks.
---------------------------------------------
http://www.securelist.com/en/blog/8167/Forecasts_for_2014_expert_opinion
Tausende Online-Shops auf Basis von xt:Commerce akut bedroht
---------------------------------------------
Die Shop-Software xt:Commerce 3 und deren Ableger wie Gambio und Modified enthalten zwei Fehler, die es in Kombination erlauben, Shops komplett zu übernehmen. Ersten groben Schätzungen zufolge wird die Software ungefähr 50.000 Shops eingesetzt. Zum Glück gibt es Workarounds und Patches, um sich zu schützen.
---------------------------------------------
http://www.heise.de/security/meldung/Tausende-Online-Shops-auf-Basis-von-xt…
*** D-Link DSL-6740U Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55999
*** InstantCMS "orderby" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56041
*** PHP OpenSSL Extension X.509 Certificate Parsing Memory Corruption Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56055
*** Adobe ColdFusion 9/10 Administrative Login Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120084
*** Vtiger 5.4.0 Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120088
*** Plone Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56015
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 10-12-2013 18:00 − Mittwoch 11-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Robert Waldner
*** Summary for December 2013 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for December 2013.
With the release of the security bulletins for December 2013, this bulletin summary replaces the bulletin advance notification originally issued December 5, 2013.
For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms13-dec
*** Rotbrow: the Sefnit distributor ***
---------------------------------------------
This months addition to the Microsoft Malicious Software Removal Tool is a family that is both old and new. Win32/Rotbrow existed as far back as 2011, but the first time we saw it used for malicious purposes was only in the past few months. In September, Geoff blogged about the dramatic resurgence of Win32/Sefnit (aka Mevade). At the time, we knew of several ways in which Sefnit was distributed, but we continued investigating how it was able to get on so many machines. When we concentrated on
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/10/rotbrow-the-sefnit-distr…
*** Firefox 26 Makes Java Plugins Click-to-Play, Fixes 14 Security Flaws ***
---------------------------------------------
Mozilla has released a major new version of Firefox, which includes fixes for more than a dozen security vulnerabilities as well as an important change that makes all Java plugins click-to-play be default. This feature prevents those plugins from running automatically on Web pages, which helps protect users against some Web-based attacks. The modification to […]
---------------------------------------------
http://threatpost.com/firefox-26-makes-java-plugins-click-to-play-fixes-14-…
*** DSA-2815 munin ***
---------------------------------------------
Christoph Biedl discovered two denial of service vulnerabilities in munin, a network-wide graphing framework.
---------------------------------------------
http://www.debian.org/security/2013/dsa-2815
*** Zero-Day Fixes From Adobe, Microsoft ***
---------------------------------------------
Adobe and Microsoft today each separately released security updates to remedy zero-day bugs and other critical vulnerabilities in their software. Adobe issued fixes for its Flash and Shockwave players, while Microsoft pushed out 11 updates addressing addressing at least two dozen flaws in Windows and other software.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/gWnv_MqLeM4/
*** WordPress 3.7.1 Maintenance Release ***
---------------------------------------------
WordPress 3.7.1 is now available! This maintenance release addresses 11 bugs in WordPress 3.7
---------------------------------------------
http://wordpress.org/news/2013/10/wordpress-3-7-1/
*** Adobe Shockwave Player Two Memory Corruption Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in Adobe Shockwave Player, which can be exploited by malicious people to compromise a user's system.
1) An unspecified error can be exploited to cause memory corruption.
2) Another unspecified error can be exploited to cause memory corruption.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
---------------------------------------------
https://secunia.com/advisories/55952
*** Thought your Android phone was locked? THINK AGAIN ***
---------------------------------------------
Another day, another vulnerability Android has taken another step to cement its place behind Java in the world of repeatedly-vulnerable software, with German group Curesec discovering that an attacker can get past users PINs to unlock the phone.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/12/10/android_has…
*** ENISA lists top cyber-threats in this year’s Threat Landscape Report. ***
---------------------------------------------
The EU’s cyber security Agency ENISA has issued its annual Threat Landscape 2013 report, where over 200 publicly available reports and articles have been analysed. Questions addressed are: What are the top cyber-threats of 2013? Who are the adversaries? What are the important cyber-threat trends in the digital ecosystem?
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/enisa-lists-top-cyber-threa…
*** HP Officejet Pro 8500 Printer Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
A vulnerability was reported in the HP Officejet Pro 8500 Printer. A remote user can conduct cross-site scripting attacks.
The printer interface does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the HP Printer interface and will run in the security context of that site...
---------------------------------------------
http://www.securitytracker.com/id/1029466
*** A New Vulnerability in the Android Framework: Fragment Injection ***
---------------------------------------------
We have recently disclosed a new vulnerability to the Android Security Team. The vulnerability affected many apps, including Settings (the one that is found on every Android device), Gmail, Google Now, DropBox and Evernote. To be more accurate, any App which extended the PreferenceActivity class using an exported activity was automatically vulnerable.
---------------------------------------------
http://securityintelligence.com/new-vulnerability-android-framework-fragmen…
*** TYPO3-FLOW-SA-2013-001: Cross-Site Scripting in TYPO3 Flow ***
---------------------------------------------
Problem Description: The errorAction method in the ActionController base class of Flow returns error messages without properly encoding them. Because these error messages can contain user input, this could lead to a Cross-Site Scripting vulnerability in Flow driven applications.
---------------------------------------------
http://typo3.org/teams/security/security-bulletins/typo3-flow/typo3-flow-sa…
*** Creepware - Who’s Watching You? ***
---------------------------------------------
Some people stick a piece of tape over the webcam on their laptop, maybe you even do it yourself. Are they over cautious, paranoid, a little strange? Are you? Or is there reason behind this madness? Many of us have heard the stories about people being spied on using their own computer or people being blackmailed using embarrassing or incriminating video footage unknowingly recorded from compromised webcams...
---------------------------------------------
http://www.symantec.com/connect/blogs/creepware-who-s-watching-you
*** Blog: The inevitable move - 64-bit ZeuS has come enhanced with Tor ***
---------------------------------------------
The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications.... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And what’s the most notorious
---------------------------------------------
http://www.securelist.com/en/blog/208214171/The_inevitable_move_64_bit_ZeuS…
*** TYPO3 Multiple Vulnerabilities ***
---------------------------------------------
A weakness and multiple vulnerabilities have been reported in TYPO3, which can be exploited by malicious users to disclose sensitive information, conduct script insertion attacks, manipulate certain data, and bypass certain security restrictions and by malicious people to conduct cross-site scripting and spoofing attacks.
---------------------------------------------
https://secunia.com/advisories/55958
*** SAProuter Authentication Bypass Security Bypass Vulnerability ***
---------------------------------------------
ERPScan has reported a vulnerability in SAProuter, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to the application not properly restricting access to certain functionalities, which can be exploited to e.g. manipulate the configuration.
---------------------------------------------
https://secunia.com/advisories/56060
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 09-12-2013 18:00 − Dienstag 10-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** French Government Spoofs Google Certificate ***
---------------------------------------------
Google revoked digital certificates for some of its domains that had been fraudulently signed by an intermediate certificate authority with links to ANSSI, Frances cyber-defense agency.
---------------------------------------------
http://threatpost.com/french-government-spoofs-google-certificate/103128
*** How We Decoded Some Nasty Multi-Level Encoded Malware ***
---------------------------------------------
>From time to time, we come up with interesting bits of malware that are just calling us to decode and learn more about them. This is one of those cases. Recently, I crossed pathes with this little gem: That snippet is encoded malicious content.
---------------------------------------------
http://blog.sucuri.net/2013/12/how-we-decoded-some-nasty-multi-level-encode…
*** Microsoft Security Advisory (2916652): Improperly Issued Digital Certificates Could Allow Spoofing - Version: 1.0 ***
---------------------------------------------
Microsoft is aware of an improperly issued subordinate CA certificate that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The subordinate CA certificate was improperly issued by the Directorate General of the Treasury (DG Trésor), subordinate to the Government of France CA (ANSSI), which is a CA present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.
---------------------------------------------
http://technet.microsoft.com/en-us/security/advisory/2916652
*** Untouched P2P Communication Infrastructure Keeps ZeroAccess Up and Running ***
---------------------------------------------
Microsofts takedown of the ZeroAccess botnet wasnt a complete success. Experts point out that Microsoft targeted only the money-making aspects of the botnet, and that its communication protocol was untouched.
---------------------------------------------
http://threatpost.com/untouched-p2p-communication-infrastructure-keeps-zero…
*** The Curious Case of the Malicious IIS Module ***
---------------------------------------------
Recently, we´ve seen a few instances of a malicious DLL that is installed as an IIS module making its rounds in forensic cases. This module is of particular concern as it is currently undetectable by almost all anti-virus products. The malware is used by attackers to target sensitive information in POST requests, and has mechanisms in place for data exfiltration.
---------------------------------------------
http://blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-mo…
*** CyanogenMod to have built in text message encryption system ***
---------------------------------------------
People are now more concerned regarding their privacy after discovering about efforts made by governments to spy on their communications. The most practical solution to keep messages, emails and calls secure is to use a cryptographic encryption mechanism. However, just like the name of the method, the installation process is complex for most users. To solve this, CyanogenMod will come equipped with built in encryption system for text messages.
---------------------------------------------
http://www.muktware.com/2013/12/cyanogenmod-built-text-message-encryption-s…
*** Phantom menace? A guide to APTs - and why most of us have little to fear from these 'cyberweapons' ***
---------------------------------------------
APTs - or Advanced Persistent Threats - are the most menacing cyber attack there is, some say. Orchestrated by teams of hundreds of experts, they penetrate systems so deeply that they can remain for years, stealing secrets by the terabyte.
---------------------------------------------
http://www.welivesecurity.com/2013/12/09/phantom-menace-a-guide-to-apts-and…
*** New security features added to Microsoft accounts ***
---------------------------------------------
We´re excited to announce that over the next couple of days we´re rolling out a few new capabilities - based on your ongoing feedback - that give you more visibility and control of your Microsoft account.
---------------------------------------------
http://blogs.technet.com/b/microsoft_blog/archive/2013/12/09/new-security-f…
*** Analysis: Kaspersky Security Bulletin 2013. Overall statistics for 2013 ***
---------------------------------------------
This section of the report forms part of the Kaspersky Security Bulletin 2013 and is based on data obtained and processed using Kaspersky Security Network. KSN integrates cloud-based technologies into personal and corporate products, and is one of Kaspersky Lab´s most important innovations.
---------------------------------------------
http://www.securelist.com/en/analysis/204792318/Kaspersky_Security_Bulletin…
*** November 2013 virus activity review from Doctor Web ***
---------------------------------------------
December 2, 2013 Virus analysts at the Russian anti-virus company Doctor Web discovered and examined quite a variety of information security threats in November 2013. In particular, a Trojan targeting SAP business software and malware that generates fake search results on Windows machines were added to the Dr.Web virus database at the beginning of the month.
---------------------------------------------
http://news.drweb.com/show/?i=4122&lng=en&c=9
*** DSA-2812 samba ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2812
*** RSA Security Analytics Core Can Be Accessed By Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1029446
*** pam_userdb password hashes arent compared case-sensitive ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120069
*** TYPO3-CORE-SA-2013-004: Multiple Vulnerabilities in TYPO3 CMS ***
---------------------------------------------
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa…
*** McAfee Email Gateway 7.6 multiple vulnerabilities ***
---------------------------------------------
http://seclists.org/fulldisclosure/2013/Dec/18
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 06-12-2013 18:00 − Montag 09-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** RuggedCom ROS Multiple Vulnerabilities ***
---------------------------------------------
Siemens has reported to NCCIC/ICS-CERT multiple vulnerabilities in the RuggedCom Rugged OS (ROS). Siemens has produced a firmware update that mitigates these vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to hijack an active Web session and access administrative functions on the devices without proper authorization. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-340-01
*** The Biggest Security Stories of 2013 ***
---------------------------------------------
As 2013 comes to a close, security experts are looking back at the major stories and developments of the year, including the Edward Snowden NSA leaks and major malware attacks. In this video, Vitaly Kamluk of Kaspersky Lab examines the biggest security news of 2013 and talks about the lasting effects they may have.
---------------------------------------------
http://threatpost.com/the-biggest-security-stories-of-2013/103125
*** Microsoft teams up with Feds, Europol in ZeroAccess botnet zombie hunt ***
---------------------------------------------
Just dont bork our crim-busting honeypots again Microsoft has teamed up with the FBI to launch a renewed attempt to disrupt the operations of the infamous ZeroAccess botnet.
---------------------------------------------
http://www.theregister.co.uk/2013/12/06/zeroaccess_zombienet_takedown/
*** FAQ: Pony Malware Payload Discovery ***
---------------------------------------------
Our team´s discovery of the spoils of yet another instance of Pony 1.9 has kept us busy the past couple of days. We´ve enjoyed explaining our discovery to journalists and trying our best to answer the questions that arise over social networks and email with each publication of a story. A lot of those questions tend to be similar.
---------------------------------------------
http://blog.spiderlabs.com/2013/12/faq-pony-malware-payload-discovery.html
*** 2014 Predictions: Blurring Boundaries ***
---------------------------------------------
The past year has been an interesting one in the world of cyber security. Mobile malware has become a large-scale threat, government surveillance has users asking "does privacy still exist?", cybercrime continues to steal money from individuals and businesses, and new targets for hackers like AIS and SCADA have been identified. 2013 was many things, but boring was not one of them.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/2014-predictions…
*** The state of targeted attacks ***
---------------------------------------------
Trusteer announced the results of a recent study on the State of Targeted Attacks, which took into consideration the feedback from over 750 IT and IT security practitioners who have involvement in defensive efforts against APTs launched at their organisations.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16059
*** Android-Apps: Sicherheitslücke durch fehlerhafte SSL-Prüfung ***
---------------------------------------------
Das Fraunhofer-Institut für Sichere Informationstechnologie hat mehrere Android-Apps ausfindig gemacht, bei denen die fehlerhafte Prüfung des SSL-Zertifikats den Zugriff auf Zugangsdaten möglich macht. Nur etwa die Hälfte aller kontaktierten Hersteller hat die Sicherheitslücke bisher geschlossen.
---------------------------------------------
http://www.golem.de/news/android-apps-sicherheitsluecke-durch-fehlerhafte-s…
*** The world´s most dangerous mobile phone spying app just moved into the tablet and iPad market ***
---------------------------------------------
The evolution of GPS and the smart-phone market has spawned a macabre industry of surveillance apps designed to be covertly installed onto the cellphones of vulnerable employees, business associates, partners and children.
---------------------------------------------
http://www.privacysurgeon.org/blog/incision/the-worlds-most-dangerous-mobil…
*** Bypassing Windows AppLocker using a Time of Check Time of Use vulnerability ***
---------------------------------------------
Windows AppLocker is Microsoft´s replacement to Software Restriction Policies in Windows 7, Windows 8, Server 2008 and Server 2012. Windows AppLocker has been promoted by several government agencies such as the National Security Agency and the New Zealand National Cyber Security Center as an effective mechanism to combat the execution of unauthorized code on modern Microsoft Windows based systems.
---------------------------------------------
http://www.nccgroup.com/media/495634/2013-12-04_-_ncc_-_technical_paper_-_b…
*** Automater - IP URL and MD5 OSINT Analysis ***
---------------------------------------------
Automater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts. Given a target (URL, IP, or HASH) or a file full of targets Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal.
---------------------------------------------
http://www.tekdefense.com/automater/
*** Drei GIMP-Lücken auf einen Streich ***
---------------------------------------------
Das Sicherheits-Team von Red Hat hat drei Speicherverwaltungsprobleme in der Bildverarbeitungssoftware GIMP gefunden und beseitigt, die dazu ausgenutzt werden könnten, dem Benutzer Schadcode unterzuschieben.
---------------------------------------------
http://www.heise.de/security/meldung/Drei-GIMP-Luecken-auf-einen-Streich-20…
*** Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits - part two ***
---------------------------------------------
Ever since we exposed and profiled the evasive, multi-hop, mass iframe campaign that affected thousands of Web sites in November, we continued to monitor it, believing that the cybercriminal(s) behind it, would continue operating it, basically switching to new infrastructure once the one exposed in the post got logically blacklisted, thereby undermining the impact of the campaign internationally.
---------------------------------------------
http://www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-…
*** Putting malware in the picture ***
---------------------------------------------
Spammers actively spread malware using fake notifications on behalf of various financial and banking institutions, booking and delivery services and other companies. The arsenal of tricks used by cybercriminals is constantly being updated. In particular, in recent years we have registered a number of English- and German-language mass mailings in which the attackers try to hide malware under photos and pictures.
---------------------------------------------
https://www.securelist.com/en/blog/8159/Putting_malware_in_the_picture
*** [webapps] - Zimbra 0day exploit / Privilegie escalation via LFI ***
---------------------------------------------
http://www.exploit-db.com/exploits/30085
*** D-Link DSR Router Remote Root Shell Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120055
*** WordPress DZS Video Gallery 3.1.3 Remote File Disclosure ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120050
*** cURL Certificate Validation Flaw Lets Remote Users Spoof SSL Servers ***
---------------------------------------------
http://www.securitytracker.com/id/1029434
*** Security Bulletin: Multiple Security vulnerability fix for IBM Tivoli Storage Manager Administration Center (CVE-2012-5081, CVE-2013-0169, CVE-2013-0443). ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Steinberg MyMp3PRO SEH buffer overflow ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89468
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 05-12-2013 18:00 − Freitag 06-12-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Advance Notification Service for December 2013 Security Bulletin Release ***
---------------------------------------------
Today we're providing advance notification for the release of 11 bulletins, five Critical and six Important, for December 2013. The Critical updates address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The Critical update for GDI+ fully addresses the publicly disclosed issue described in Security Advisory 2896666. This release won't include an update for the issue described in Security Advisory 2914486. We're still working to develop a security...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/12/05/advance-notification-ser…
*** Google Docs Scam Stealing Passwords ***
---------------------------------------------
Scammers are up to mischief again by tricking users into clicking false webmail widgets. The core goal of any phishing attempt is to compromise the victims access to a particular service. Usually this is done by posing as the service the attacker wants to hijack from the victim, and sending the username and password information back to the attacker. Ive seen plenty phishing schemes in the
---------------------------------------------
http://research.zscaler.com/2013/12/google-docs-scam-stealing-passwords-in.…
*** Study finds zero-day vulnerabilities abound in popular software ***
---------------------------------------------
Organizations selling exploits for vulnerabilities in software from major companies including Microsoft, Apple, Oracle, and Adobe
---------------------------------------------
http://www.csoonline.com/article/744307/study-finds-zero-day-vulnerabilitie…
*** EU cyber security Agency ENISA argues that better protection of SCADA Systems is needed ***
---------------------------------------------
How long can we afford having critical infrastructures that use unpatched SCADA systems, the EU's cyber security Agency ENISA asks? ENISA argues that the EU Member States could proactively deploy patch management to enhance the security of SCADA systems.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/eu-cyber-security-agency-en…
*** Hacking a Reporter: Sleepless Nights Outside a Brooklyn Brownstone (Part 3 of 3) ***
---------------------------------------------
This post is the conclusion of a three-part series that goes into more depth about our experience hacking journalist Adam Penenberg, which resulted in an article on PandoDaily in October. Parts one and two detail the malware aspects of our hack with contributions from Josh Grunzweig, Matt Jakubowski and Daniel Chechik. I, Garret Picchioni (voted to be the bald hacker with a heart tattoo in the original article artwork), will discuss the details of the...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/hacking-a-reporter-sleepless-nights-outs…
*** Weekly Metasploit Update: SAP and Silverlight ***
---------------------------------------------
We've been all SAP all the time here in the Independent Nations of Metasploit, and expect to be for the rest of the week. You might recall that Metasploit exploit dev, Juan Vazquez published his SAP survey paper a little while back; on Tuesday, we did a moderated twitter chat on the hashtag #pwnSAP with the major SAP-focused Metasploit contributors Bruno Morrison, Chris John Riley, and Dave Hartley; and today (Thursday, December 5), Juan and I will be hosting a webcast on the various and sundry SAP exposures that Metasploit covers, and There Will Be Demos and Q&A, so it should be fun.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/05/weekly-me…
*** CVE-2013-3346/5065 Technical Analysis ***
---------------------------------------------
In our last post, we warned of a new Windows local privilege escalation vulnerability being used in the wild. We noted that the Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the...
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/12/cve-2013-33465…
*** Security Bulletin: Multiple Security Vulnerabilities in IBM Sterling Control Center ***
---------------------------------------------
A number of security vulnerabilities have been discovered in the Java Runtime Environment and the Cognos Business Intelligence components included in IBM SCC.CVE(s): CVE-2013-1557, CVE-2013-1478, CVE-2013-1571, CVE-2013-1500, CVE-2013-2988, CVE-2013-2978 and CVE-2013-0586 Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms Refer to the following reference URLs for remediation and additional vulnerability...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4066 and CVE-2013-4067) ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM JRE that is shipped with the Rational Reporting for Development Intelligence (RRDI). The same security vulnerabilities also exist in the IBM Java SDK that is shipped with the IBM WebSphere Application Server (WAS). CVE(s): CVE-2013-4066 and CVE-2013-4067 Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms Refer to the following reference URLs for...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Sonicwall GMS 7.x Filter Bypass ***
---------------------------------------------
Topic: Sonicwall GMS 7.x Filter Bypass Risk: Low Text:Document Title: Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability References (Source): == http...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120048
*** VMware ESX Server Service Console Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55917
*** SSA-568732 (Last Update 2013-12-06): Privilege Escalation in COMOS ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** WordPress JS Hotel Plugin "roomid" Cross-Site Scripting Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55919
*** NVIDIA Graphics Drivers GPU Access Privilege Escalation Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55904
*** HP-UX update for Java ***
---------------------------------------------
https://secunia.com/advisories/55978
*** IBM Forms Viewer XFDL buffer overflow ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87911
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 04-12-2013 18:00 − Donnerstag 05-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Phishing-Mail ködert WordPress-Admins ***
---------------------------------------------
Mit einer kostenlosen Version eines beliebten SEO-Plugins für WordPress versuchen Spammer, Administratoren zu ködern. Das Plugin entpuppt sich als Malware, dass eine Hintertür im Server öffnet und Besucher der Seite infiziert.
---------------------------------------------
http://www.heise.de/security/meldung/Phishing-Mail-koedert-WordPress-Admins…
*** In new campaign, Dexter point-of-sale malware strikes U.S. and abroad ***
---------------------------------------------
After recently impacting banks in South Africa, the malware is now infecting point-of-sale systems throughout the globe, including those in the U.S., a security firm found.
---------------------------------------------
http://www.scmagazine.com/in-new-campaign-dexter-point-of-sale-malware-stri…
*** Bugtraq: [PT-2013-63] Hash Length Extension in HTMLPurifier ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530142
*** SA-CONTRIB-2013-097 - OG Features - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-097
Project: OG Features (third-party module)Version: 6.x
Date: 2013-December-04Security risk: Not Critical
Exploitable from: Remote
Vulnerability: Access bypass
---------------------------------------------
https://drupal.org/node/2149791
*** Siemens SINAMICS S/G Authentication Bypass Vulnerability ***
---------------------------------------------
Siemens has identified an authentication bypass vulnerability in the SINAMICS S/G product family. Siemens has produced a firmware update that mitigates this vulnerability and has tested the update to validate that it resolves the vulnerability. Exploitation of this vulnerability could allow an attacker to access administrative functions on the device without authentication. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-338-01
*** Security Bulletins: Rational Insight and Rational Reporting for Development Intelligence - Oracle CPU June 2013 (CVE-2013-2407, CVE-2013-2450) ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM JRE that is shipped with Rational Insight and Rational Reporting for Development Intelligence.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_rat…https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_rat…
*** IBM QRadar SIEM Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55895https://secunia.com/advisories/55891
*** Imagam iFiles 1.16.0 File Inclusion / Shell Upload / Command Injection ***
---------------------------------------------
Topic: Imagam iFiles 1.16.0 File Inclusion / Shell Upload / Command Injection Risk: High Text:Document Title: Imagam iFiles v1.16.0 iOS - Multiple Web Vulnerabilities References (Source): == http://ww...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120038
*** bugs in IJG jpeg6b & libjpeg-turbo ***
---------------------------------------------
jpeg6b and some of its optimized clones (e.g., libjpeg-turbo) will use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in presence of valid chroma data (Cr, Cb).
---------------------------------------------
http://www.securityfocus.com/archive/1/530137
*** IQ3 Series Trend LAN Controllers "ovrideStart" Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55827
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 03-12-2013 18:00 − Mittwoch 04-12-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Mitigating attacks on Industrial Control Systems (ICS); the new Guide from EU Agency ENISA ***
---------------------------------------------
The EU's cyber security agency ENISA has provided a new manual for better mitigating attacks on Industrial Control Systems (ICS), supporting vital industrial processes primarily in the area of critical information infrastructure (such as the energy and chemical transportation industries) where sufficient knowledge is often lacking. As ICS are now often connected to Internet platforms, extra security preparations have to be taken. This new guide provides the necessary key considerations...
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/mitigating-attacks-on-indus…
*** Elecsys Director Gateway Improper Input Validation Vulnerability ***
---------------------------------------------
Adam Crain of Automatak and independent researchers Chris Sistrunk and Adam Todorski have identified an improper input validation in the Elecsys Director Gateway application. Elecsys has produced a patch that mitigates this vulnerability. Adam Todorski has tested the patch to validate that it resolves the vulnerability.This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-337-01
*** Ruby on Rails Multiple Bugs Let Remote Users Deny Service, Conduct Cross-Site Scripting Attacks, and Generate Unsafe Queries ***
---------------------------------------------
Ruby on Rails Multiple Bugs Let Remote Users Deny Service, Conduct Cross-Site Scripting Attacks, and Generate Unsafe Queries
---------------------------------------------
http://www.securitytracker.com/id/1029420
*** Cisco ONS 15454 Controller Cards Can Be Reset By Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1029421
*** D-Link DIR Series Routers __show_info.php information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89343
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 02-12-2013 18:00 − Dienstag 03-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** A Pentester's Introduction to SAP & ABAP ***
---------------------------------------------
If you’re conducting security assessments on enterprise networks, chances are that you’ve run into SAP systems. In this blog post, I’d like to give you an introduction to SAP and ABAP to help you with your security audit.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/02/a-pentest…
*** Analysis: Kaspersky Security Bulletin 2013. Malware Evolution ***
---------------------------------------------
Once again, it’s time for us to deliver our customary retrospective of the key events that have defined the threat landscape in 2013. Let’s start by looking back at the things we thought would shape the year ahead, based on the trends we observed in the previous year.
---------------------------------------------
http://www.securelist.com/en/analysis/204792316/Kaspersky_Security_Bulletin…
*** How does the NSA break SSL? ***
---------------------------------------------
A few weeks ago I wrote a long post about the NSAs BULLRUN project to subvert modern encryption standards. I had intended to come back to this at some point, since I didnt have time to discuss the issues in detail.
---------------------------------------------
http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html
*** On Covert Acoustical Mesh Networks in Air ***
---------------------------------------------
Fraunhofer FKIE, Wachtberg, Germany
Abstract: Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a...
---------------------------------------------
http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600
*** Cisco ASA Malformed DNS Reply Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the DNS code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause the reload of an affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** phpThumb 1.7.12 Server Side Request Forgery ***
---------------------------------------------
Topic: phpThumb 1.7.12 Server Side Request Forgery Risk: Low Text:#phpThumb phpThumbDebug Server Side Request Forgery #Google Dork: inurl:phpThumb.php #Author: Rafay Baloch And Deepanker Ar...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120020
*** Folo theme for WordPress jplayer.swf cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89318
*** Orange Themes for WordPress upload-handler.php file upload ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89325
*** Zend Framework application.ini information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89328
*** TP-Link TD-8840t change administrator password cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89329
*** JMultimedia component for Joomla! phpThumb.php file upload ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89333
*** Bugtraq: Multiple issues in OpenSSL - BN (multiprecision integer arithmetics). ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530120
*** Bugtraq: D-Link DIR-XXX remote root access exploit. ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530119
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 29-11-2013 18:00 − Montag 02-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** SMS-Angriff zwingt Nexus-Smartphones in die Knie ***
---------------------------------------------
Der Empfang vieler Flash-SMS-Nachrichten soll Google-Nexus-Geräte rebooten. Davon betroffen sind auch Nexus-Smartphones mit aktuellem Android 4.4 (Kitkat).
---------------------------------------------
http://www.heise.de/security/meldung/SMS-Angriff-zwingt-Nexus-Smartphones-i…
*** Windows TIFF-Lücke bereits seit Juli ausgenutzt - Patch Fehlanzeige ***
---------------------------------------------
Bereits im Sommer wurden E-Mails verschickt, die mit TIFF-Bildern eine kürzlich bekannt gewordene Windows-Lücke ausnutzten. Und während die Zahl dieser Schädlinge weiter wächst, gibt es immer noch keinen Patch vom Microsoft.
---------------------------------------------
http://www.heise.de/security/meldung/Windows-TIFF-Luecke-bereits-seit-Juli-…
*** Nachholbedarf beim Schutz von industriellen Kontrollsystemen ***
---------------------------------------------
Sicherheitsprobleme mit industriellen Kontrollsystemen machen immer wieder Schlagzeilen. Das BSI gibt Betreibern nun mit einem 124-seitigen Leitfaden bewährte Methoden an die Hand, um ihre Systeme abzusichern.
---------------------------------------------
http://www.heise.de/security/meldung/Nachholbedarf-beim-Schutz-von-industri…
*** Important Security Update for D-Link Routers ***
---------------------------------------------
D-Link has released an important security update for some of its older Internet routers. The patch closes a backdoor in the devices that could let attackers seize remote control over vulnerable routers.
---------------------------------------------
krebsonsecurity.com/2013/12/important-security-update-for-d-link-routers/
*** File Sharing Apps Expose iOS To Security Risks - Trustwave ***
---------------------------------------------
File sharing apps for Apple iOS mobile devices can potentially represent a security risk to users, according to a Trustwave security researcher.
---------------------------------------------
http://www.techweekeurope.co.uk/news/researcher-file-sharing-apps-expose-io…
*** Manipulation of hard drive firmware to conceal entire partitions ***
---------------------------------------------
Tools created by the computer hacking community to circumvent security protection on hard drives can have unintentional consequences for digital forensics. Tools originally developed to circumvent Microsoft's Xbox 360 hard drive protection can be used, independently of the Xbox 360 system, to change the reported size/model of a hard drive enabling criminals to hide data from digital forensic software and hardware.
---------------------------------------------
https://www.comp.glam.ac.uk/staff/kxynos/papers/read13-DI-HDD-manipulation.…
*** Description of Cumulative Update 3 for Exchange Server 2013 ***
---------------------------------------------
This article describes Cumulative Update 3 for Microsoft Exchange Server 2013 that provides the latest fixes for Exchange Server 2013 and contains stability and performance improvements.
---------------------------------------------
http://support.microsoft.com/kb/2892464
*** Uptime Agent 5.0.1 Stack Overflow Vulnerability ***
---------------------------------------------
Topic: Uptime Agent 5.0.1 Stack Overflow Vulnerability Risk: Medium Text:# Exploit Title: Up.Time Agent 5.0.1 Stack Overflow # Date: 28/11/2013 # Exploit Author: Denis Andzakovic # Vendor Homepage:...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120009
*** Vuln: ABB MicroSCADA wserver.exe Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63901
*** Vuln: Jenkins Exclusion Plugin CVE-2013-6373 Unspecified Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63876
*** Google Nexus SMS Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029414