=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 29-01-2014 18:00 − Donnerstag 30-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** New Clues in the Target Breach ***
---------------------------------------------
An examination of the malware used in the Target breach suggests that the attackers may have taken advantage of a poorly secured feature built into a widely-used IT management software product that was running on the retailers internal network.
---------------------------------------------
http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
*** How to Debug DKIM, (Wed, Jan 29th) ***
---------------------------------------------
DKIM is one way to make it easier for other servers to figure out if an e-mail sent on behalf of your domain is spoofed. Your mail server will add a digital signature to each email authenticating the source. This isnt as good a signing the entire e-mail, but it is a useful tool to at least validate the domain used as part of the "From" header. The problem is that DKIM can be tricky to debug. If you have mail rejected, it is useful to be able to manually verify what went wrong. For
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17528
*** Honey Encryption Tricks Hackers with Decryption Deception ***
---------------------------------------------
Honey Encryption is an encryption tool in the works that fools an attacker with bogus decrypted data that looks like it could be a plausible guess at an encryption key or password.
---------------------------------------------
http://threatpost.com/honey-encryption-tricks-hackers-with-decryption-decep…
*** Attacker extorts coveted Twitter username in elaborate social engineering scheme ***
---------------------------------------------
Naoki Hiroshima recently relinquished to an attacker a prized possession that he owned since 2007: a very rare Twitter username so coveted that not only have people tried to steal it, but one person offered $50,000 for it.
---------------------------------------------
http://www.scmagazine.com//attacker-extorts-coveted-twitter-username-in-ela…
*** Security 101 fail: 3G/4G modems expose control panels to hackers ***
---------------------------------------------
Embedded kit depressingly riddled with cross-site request forgery vulns, says researcher Vulnerabilities in a number of 3G and 4G USB modems can be exploited to steal login credentials - or rack up victims mobile bills by sending text messages to premium-rate numbers - a security researcher warns.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/30/3gmodem_sec…
*** Energy: cyber security is crucial for protection against threats for smart grids which are key for energy availability claims EU cyber security Agency in new report ***
---------------------------------------------
The EU's cyber security agency ENISA signals that assessing the threats for smart grids is crucial for their protection and is therefore a key element in ensuring energy availability.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/energy-cyber-security-is-cr…
*** Code-Einschleusung durch MediaWiki-Lücke ***
---------------------------------------------
In der beliebten Wiki-Software klafft eine kritische Lücke, durch die Angreifer den Server kompromittieren können. Gepatchte Versionen sorgen für Abhilfe.
---------------------------------------------
http://www.heise.de/security/meldung/Code-Einschleusung-durch-MediaWiki-Lue…
*** Windows-Taskmanager Process Explorer 16 mit Einbindung von VirusTotal ***
---------------------------------------------
Die nun erschienene Version 16 des Process Explorer befragt auf Wunsch den web-basierten Multi-Scanner VirusTotal. Dort prüfen rund 50 Virenscanner, ob eine Datei gefährlich ist.
---------------------------------------------
http://www.heise.de/security/meldung/Windows-Taskmanager-Process-Explorer-1…
*** Critical infrastructure hack data found in public domain ***
---------------------------------------------
Data available from mainstream online media - such as blogs, social networking websites, and specialist online publications - could be used by malevolent agents to mount a cyber-attack on UK critical national infrastructure (CNI), the findings of an investigative assessment to be presented next week will warn.
---------------------------------------------
http://eandt.theiet.org/news/2014/jan/ics-security.cfm
*** Pidgin Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in Pidgin, which can be exploited by malicious people to compromise a user's system.
---------------------------------------------
https://secunia.com/advisories/56693
*** Bugtraq: SimplyShare v1.4 iOS - Multiple Web Vulnerabilities ***
---------------------------------------------
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official SimplyShare v1.4 iOS mobile application.
---------------------------------------------
http://www.securityfocus.com/archive/1/530906
*** OTRS Security Advisory 2014-01 - CSRF issue in customer web interface ***
---------------------------------------------
An attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks.
---------------------------------------------
https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-inte…
*** OTRS Security Advisory 2014-02 - SQL injection issue ***
---------------------------------------------
Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.18, 3.2.x up to and including 3.2.13 and 3.3.x up to and including 3.3.3.
---------------------------------------------
https://www.otrs.com/security-advisory-2014-02-sql-injection-issue/
*** VLC Media Player RTSP Processing "parseRTSPRequestString()" Buffer Overflow Vulnerability ***
---------------------------------------------
A vulnerability has been discovered in VLC Media Player, which can be exploited by malicious people to compromise a user's system.
---------------------------------------------
https://secunia.com/advisories/56676
*** SA-CONTRIB-2014-007 - Services - Multiple access bypass vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-007
Project: Services (third-party module)
Version: 7.xDate: 2014-January-29
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple access bypass vulnerabilitiesDescriptionThis module enables you to expose an API to third party systems using REST, XML-RPC or other protocols.The form API provides a method for developers to submit forms programmatically using the function drupal_form_submit(). During programmatic form submissions, all access...
---------------------------------------------
https://drupal.org/node/2184843
*** SA-CONTRIB-2014-008 - Tribune - Cross Site Scripting (XSS) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-008
Project: Tribune (third-party module)Version: 6.x, 7.xDate: 2014-January-29
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
DescriptionA tribune is a type of chatroom.The module doesnt sufficiently filter user provided text from Tribune node titles.This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a Tribune node.
---------------------------------------------
https://drupal.org/node/2184845
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 28-01-2014 18:00 − Mittwoch 29-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Introducing ModSecurity Status Reporting ***
---------------------------------------------
The Trustwave SpiderLabs Research team is committed to making ModSecurity the best open source WAF possible. To this end, we have deployed Buildbot platforms and revamped regression tests for our different ports to ensure code quality and reliability. But we want to take it even further. The question is, how else can we improve ModSecurity development and support? To best answer that question, we need some basic insight into the ModSecurity user community: How many ModSecurity deployments are...
---------------------------------------------
http://blog.spiderlabs.com/2014/01/introducing-modsecurity-status-reporting…
*** Defending Against Tor-Using Malware, Part 1 ***
---------------------------------------------
In the past few months, the Tor anonymity service as been in the news for various reasons. Perhaps most infamously, it was used by the now-shuttered Silk Road underground marketplace. We delved into the topic of the Deep Web in a white paper titled Deepweb and Cybercrime. In our 2014 predictions, we noted that cybercriminals would go deeper...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/F4F76IP9KP8/
*** Eyeing SpyEye ***
---------------------------------------------
Earlier this week, it was announced by the United States Department of Justice that the creator of the notorious SpyEye banking malware, Aleksandr Andreevich Panin (also known as Gribodemon or Harderman), had pleaded guilty before a federal court to charges related to creating and distributing SpyEye. Trend Micro was a key part of this investigation...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/4eIEz-KJvXo/
*** This tool demands access to YOUR ENTIRE DIGITAL LIFE. Is it from GCHQ? No - its by IKEA ***
---------------------------------------------
Order a flat-pack kitchen, surrender your HDDs contents If the Target hack - along with all its predecessors - taught us anything, its that the database isnt the vulnerability. Its the data thats the problem.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/29/ikea_demand…
*** Botnetz nutzt Lücke in alten Java-Versionen ***
---------------------------------------------
Sicherheitsexperten haben Schadsoftware entdeckt, die eine vor Monaten geschlossene Java-Lücke ausnutzt, um ein Botnetz aufzubauen. Das Programm läuft auf Windows, Linux und Mac OSX; Abhilfe ist einfach möglich.
---------------------------------------------
http://www.heise.de/security/meldung/Botnetz-nutzt-Luecke-in-alten-Java-Ver…
*** Cisco Network Time Protocol Distributed Reflective Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Network Time Protocol (NTP) package of several Cisco products could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Cisco Identity Services Engine Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** WordPress WebEngage Plugin Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been discovered in the WebEngage plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/56700
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 27-01-2014 18:00 − Dienstag 28-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Making Your Printer Say "Feed Me a Kitten" and Also Exfiltrate Sensitive Data ***
---------------------------------------------
As of this last release, PJL (HP's Printer Job Language) is now a grown-up Rex::Proto protocol! Since extending a protocol in Metasploit is beyond the scope of this post, we'll just be covering how to use the PoC modules included with the new protocol. Feel free to dig around in lib/rex/proto/pjl*, though!
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/01/23/hacking-p…
*** Coordinated malware eradication ***
---------------------------------------------
Today, as an industry, we are very effective at disrupting malware families, but those disruptions rarely eradicate them. Instead, the malware families linger on, rearing up again and again to wreak havoc on our customers. To change the game, we need to change the way we work. It is counterproductive when you think about it. The antimalware ecosystem encompasses many strong groups: security vendors, service providers, CERTs, anti-fraud departments, and law enforcement. Each group uses their...
---------------------------------------------
https://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-…
*** Trustworthy electronic signatures, secure e-Government and trust: the way forward for improving EU citizens' trust in web services, outlined by EU Agency ENISA ***
---------------------------------------------
The EU's cyber security Agency, ENISA, is publishing a series of new studies about the current security practices of Trust Service Providers (TSPs) and recommendations for improving cross-border trustworthiness and interoperability for the new regulated TSPs and for e-Government services using them.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/trustworthy-electronic-sign…
*** Android VPN redirect vuln now spotted lurking in Kitkat 4.4 ***
---------------------------------------------
Now may be a good time to check this out, says securo-bod Israeli researchers who specialise in ferreting out Android vulns have discovered a new flaw in KitKat 4.4 that allows an attacker to redirect secure VPN traffic to a third-party server.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/28/android_vpn…
*** File Infectors and ZBOT Team Up, Again ***
---------------------------------------------
File infectors and ZBOT don't usually go together, but we recently saw a case where these two kinds of threats did. This particular file infector - PE_PATNOTE.A - appends its code to all executable files on the infected system,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/n_0oP1-kYzo/
*** Login-Diebstahl: Warnung vor manipuliertem Filezilla-Client ***
---------------------------------------------
Avast warnt vor manipulierten Programmversionen des beliebten Filezilla-Clients. Wer die falsche Version des FTP-Programms nutzt, gibt Kriminellen die Zugangsdaten für die verwendeten FTP-Server. Betroffen sind nur Anwender, die Filezilla von der falschen Quelle heruntergeladen haben.
---------------------------------------------
http://www.golem.de/news/login-diebstahl-warnung-vor-manipuliertem-filezill…
*** Blog: A cross-platform java-bot ***
---------------------------------------------
Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465 to infect users with the malware.
---------------------------------------------
http://www.securelist.com/en/blog/8174/A_cross_platform_java_bot
*** DDoS attacks become smarter, faster and more severe ***
---------------------------------------------
DDoS attacks will continue to be a serious issue in 2014 - as attackers become more agile and their tools become more sophisticated, according to Radware. Their report was compiled using data from over 300 cases and the Executive Survey consisting of personal interviews with 15 high-ranking security executives.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16268
*** Worldwide Infrastructure Security Report ***
---------------------------------------------
Arbor's annual Worldwide Infrastructure Security Report offers unique insight from network operators on the front lines in the global battle against network threats.
---------------------------------------------
http://www.arbornetworks.com/resources/infrastructure-security-report
*** SI6 Networks IPv6 Toolkit ***
---------------------------------------------
A security assessment and troubleshooting tool for the IPv6 protocols
---------------------------------------------
http://www.si6networks.com/tools/ipv6toolkit/
*** Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM (CVE-2014-0838, CVE-2014-0835, CVE-2014-0836, CVE-2014-0837) ***
---------------------------------------------
Multiple vulnerabilities exist in the AutoUpdate settings page and the AutoUpdate process within the IBM QRadar SIEM that when used together could result in remote code execution.
---------------------------------------------
https://www-304.ibm.com/support/docview.wss?uid=swg21663066
*** VU#686662: Fail2ban postfix and cyrus-imap filters contain denial-of-service vulnerabilities ***
---------------------------------------------
Fail2ban versions prior to 0.8.11 are susceptible to a denial-of-service attack when a maliciously crafted email address is parsed by the postfix or cyrus-imap filters. If users have not deployed either of these filters then they are not affected.
---------------------------------------------
http://www.kb.cert.org/vuls/id/686662
*** VU#863369: Mozilla Thunderbird does not adequately restrict HTML elements in email message content ***
---------------------------------------------
Mozilla Thunderbird does not adequately restrict HTML elements in email content, which could allow an attacker to execute arbitrary script when a specially-crafted email message is forwarded or replied to. ---------------------------------------------
http://www.kb.cert.org/vuls/id/863369
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 24-01-2014 18:00 − Montag 27-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** ModSecurity Advanced Topic of the Week: HMAC Token Protection ***
---------------------------------------------
This blog post presents a powerful feature of ModSecurity v2.7 that has been highly under-utilized by most users: HMAC Token Protection. There was a previous blog post written that outlined some usage examples here, however we did not properly demonstrate the protection coverage gained by its usage. Specifically, by using the HMAC Token Protection capabilities of ModSecurity, you can reduce the attack surface of the following attacks/vulnerabilities: Forceful Browsing of Website Content
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/4JiUhR_1fSQ/modsecurit…
*** Mitigation of NTP amplification attacks involving Junos ***
---------------------------------------------
When an NTP client or server is enabled within the [edit system ntp] hierarchy level of the Junos configuration, REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the monlist feature within NTP may allow remote attackers to cause a denial of service. NTP is not enabled in Junos by default. Once NTP is enabled, an attacker can exploit these control messages in two different ways:...
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613
*** Sicherheitslücke in Pages: Update angeraten ***
---------------------------------------------
Nutzer der Mac- und iOS-Version von Pages sollten die neueste Version installieren - eine Sicherheitslücke in älteren Versionen erlaubt unter Umständen das Ausführen von Schadcode.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsluecke-in-Pages-Update-ange…
*** First Android bootkit has infected 350,000 devices ***
---------------------------------------------
January 24, 2014 Russian anti-virus company Doctor Web is warning users about a dangerous Trojan for Android that resides in the memory of infected devices and launches itself early on in the OS loading stage, acting as a bootkit. This allows the Trojan to minimize the possibility that it will be deleted, without tampering with the devices file system. Currently, this malignant program is operating on more than 350,000 mobile devices belonging to users in various countries,...
---------------------------------------------
http://news.drweb.com/show/?i=4206&lng=en&c=9
*** Security Advisory-DoS Vulnerability in Eudemon8000E ***
---------------------------------------------
Huawei Eudemon8000E firewall allows users to log in to the device using Telnet or SSH. When an attacker sends to the device a mass of TCP packets with special structure, the logging process become slowly and users may be unable to log in to the device (HWNSIRT-2014-0101).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Security Bulletin: GSKit certificate chain vulnerability in IBM Security Directory Server and Tivoli Directory Server (CVE-2013-6747) ***
---------------------------------------------
A vulnerability has been identified in the GSKit component utilized by IBM Security Directory Server (ISDS) and IBM Tivoli Directory Server (TDS). A malformed certificate chain can cause the ISDS or TDS client application or server process using GSKit to hang or crash.
---------------------------------------------
https://www-304.ibm.com/support/docview.wss?uid=swg21662902
*** Security Bulletin: IBM Security SiteProtector System can be affected by a vulnerability in the IBM Java JRE (CVE-2013-5809) ***
---------------------------------------------
IBM Security SiteProtector System can be affected by vulnerability in the IBM Java JRE. This vulnerability could allow a remote attacker to affect confidentiality, integrity, and availability by means of unknown vectors related to the Java 2D component.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21662685
*** Security Bulletin eDiscovery Manager (CVE-2013-5791 and CVE-2013-5763) ***
---------------------------------------------
CVE-2013-5791 - CVSS Score: 10 An unspecified vulnerability in Oracle Outside In Technology related to the Outside In Filters component could allow a local attacker to cause a denial of service. CVE-2013-5763 - CVSS Score: 6.8 Oracle Outside In technology is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the OS/2 Metafile parser. By causing a vulnerable application to process a malicious file, a remote attacker...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21659481
*** Vulnerability Note VU#168751 - Emerson Network Power Avocent MergePoint Unity 2016 KVM switches contain a directory traversal vulnerability ***
---------------------------------------------
Emerson Network Power Avocent MergePoint Unity 2016 (MPU2016) KVM switches running firmware version 1.9.16473 and possibly previous versions contain a directory traversal vulnerability. An attacker can use directory traversal to download critical files such as /etc/passwd to obtain the credentials for the device.
---------------------------------------------
http://www.kb.cert.org/vuls/id/168751
*** Vulnerability Note VU#105686 - Thecus NAS Server N8800 contains multiple vulnerabilities ***
---------------------------------------------
CVE-2013-5667 - Thecus NAS Server N8800 Firmware 5.03.01 get_userid OS Command Injection CVE-2013-5668 - Thecus NAS Server N8800 Firmware 5.03.01 CVE-2013-5669 - Thecus NAS Server N8800 Firmware 5.03.01 plain text administrative password
---------------------------------------------
http://www.kb.cert.org/vuls/id/105686
*** Cisco Video Surveillance Operations Manager MySQL Database Insufficient Authentication Controls ***
---------------------------------------------
A vulnerability in the configuration of the MySQL database as installed by Cisco Video Surveillance Operations Manager (VSOM) could allow an unauthenticated, remote attacker to access the MySQL database.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Security update available for Adobe Digital Editions ***
---------------------------------------------
Adobe has released a security update for Adobe Digital Editions for Windows and Macintosh. This update addresses a vulnerability in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.
---------------------------------------------
http://helpx.adobe.com/security/products/Digital-Editions/apsb14-03.html
*** Hitachi Cosminexus Products Multiple Java Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56545
*** Drupal Doubleclick for Publishers Module Slot Names Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56521
*** WordPress SS Downloads Plugin Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56532
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 23-01-2014 18:00 − Freitag 24-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Russische Spione im Tor-Netz enttarnt ***
---------------------------------------------
Forscher stießen auf 20 Exit Nodes, welche die HTTPS-Verbindungen von Tor-Nutzern aufzubrechen versuchten. Die meisten davon stammen aus Russland.
---------------------------------------------
http://www.heise.de/security/meldung/Russische-Spione-im-Tor-Netz-enttarnt-…
*** Bug Exposes IP Cameras, Baby Monitors ***
---------------------------------------------
A bug in the software that powers a broad array of Webcams, IP surveillance cameras and baby monitors made by Chinese camera giant Foscam allows anyone with access to the devices Internet address to view live and recorded video footage, KrebsOnSecurity has learned.
---------------------------------------------
http://krebsonsecurity.com/2014/01/bug-exposes-ip-cameras-baby-monitors/
*** "Syrian Electronic Army" attackierten Twitter-Account von CNN ***
---------------------------------------------
Sender: "Ja, es ist auch uns passiert. CNN-Accounts gehackt"
---------------------------------------------
http://derstandard.at/1389858074081
*** 65.000 E-Mail-Konten bei Salzburg AG gehackt ***
---------------------------------------------
Bei der Salzburg AG sind die Zugangsdaten von mehr als 65.000 E-Mail- und Internetkonten gehackt worden. Bankdaten seien nicht betroffen, betonte das Unternehmen. Die Hintergründe der Tat sind unklar. User und Kunden üben Kritik.
---------------------------------------------
http://news.orf.at/stories/2215391/
*** Angebliche Sicherheitslücke in aktuellem Chrome nicht zu finden ***
---------------------------------------------
Ein Fehler in Googles Browser lässt sich mit der aktuellen Version nicht reproduzieren. Google will die Lücke schon vor Längerem geschlossen haben.
---------------------------------------------
http://www.heise.de/security/meldung/Angebliche-Sicherheitsluecke-in-aktuel…
*** Malicious links for iOS users ***
---------------------------------------------
January 23, 2014 Russian anti-virus company Doctor Web is warning iOS device users about a growing number of incidents involving the distribution of links to bogus sites via mobile app advertisements. An iOS user misguided by such fraud can end up subscribed to a pseudo-service and thus lose money from their mobile account. Recently, users of mobile devices running iOS have been encountering advertisements with increasing frequency in the free applications on their smart phones and tablets. Ads
---------------------------------------------
http://news.drweb.com/show/?i=4204&lng=en&c=9
*** GE Proficy Multiple Vulnerabilities ***
---------------------------------------------
Researchers amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI) have identified two vulnerabilities in the General Electric (GE) Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) - CIMPLICITY application. GE has released security advisories, GEIP13-05 and GEIP13-06, to inform customers about these vulnerabilities.These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01
*** DSA-2848 mysql-5.5 ***
---------------------------------------------
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details.
---------------------------------------------
http://www.debian.org/security/2014/dsa-2848
*** Bugtraq: [CVE-2014-1607.] Cross Site Scripting(XSS) in Drupal Event calendar module ***
---------------------------------------------
Reflected cross-site scripting (XSS) vulnerability in Drupal 7.14 EventCalendar Module, found in eventcalendar/year allows remote attackers to inject arbitrary web scripts or HTML after the inproperly sanitizited Year Parameter.
---------------------------------------------
http://www.securityfocus.com/archive/1/530876
*** Cisco TelePresence Video Communication Server Expressway Default SSL Certificate Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an unauthenticated, remote attacker to execute a man-in-the-middle (MITM) attack between one or more affected devices.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 22-01-2014 18:00 − Donnerstag 23-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** SA-CONTRIB-2014-005 - Leaflet - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-005
Project: Leaflet (third-party module)
Version: 7.xDate: 2014-January-22
Security risk: Critical
Exploitable from: Remote
Vulnerability: Access bypass
Description
The Leaflet module enables you to display an interactive map using the Leaflet library, using entities as map features.The module exposes complete data from entities used as map features to any site visitor with a Javascript inspector (like Firebug).
---------------------------------------------
https://drupal.org/node/2179103
*** New Android Malware Steals SMS Messages, Intercepts Calls ***
---------------------------------------------
A new strain of Android malware has emerged that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls.
---------------------------------------------
http://threatpost.com/new-android-malware-steals-sms-messages-intercepts-ca…
*** Official PERL Blogs hacked, 2,924 Author Credentials Leaked by ICR ***
---------------------------------------------
The breach has seen 2,924 user account credentials published to quickleak.org as well as the blog having a deface page added but was not obtrusive to the actually website.
---------------------------------------------
http://www.cyberwarnews.info/2014/01/22/official-perl-blogs-hacked-2924-aut…
*** CrowdStrike Takes On Chinese, Russian Attack Groups in Threat Report ***
---------------------------------------------
Russian attackers targeted energy sector targets and a Chinese nexus intrusion group infected foreign embassies with malware using watering hole tactics in 2013, CrowdStrike researchers found in its first-ever Global Threat Report.
---------------------------------------------
http://www.securityweek.com/crowdstrike-takes-chinese-russian-attack-groups…
*** Outdated energy, water and transport Industrial Control Systems without sufficient cyber security controls require coordinated testing of capability at EU levels, says the EU's cyber security Agency ENISA ***
---------------------------------------------
Today, the EU's cyber security Agency ENISA published a new report to give advice regarding the next steps towards coordinated testing of capability of the often outdated Industrial Control Systems (ICS) for European industries. Among the key recommendations is the testing of ICS is a concern for all EU Member States and could be dealt with at EU levels according to ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/ics-without-sufficient-cybe…
*** Analysis: Spam in December 2013 ***
---------------------------------------------
In December, spammers continued to honor the traditions of the season and tried to attract potential customers with a variety of original gift and winter vacation offers, taking advantage of the approaching holidays.
---------------------------------------------
http://www.securelist.com/en/analysis/204792323/Spam_in_December_2013
*** Chrome Eavesdropping Exploit Published ***
---------------------------------------------
Exploit code has been published for a Google Chrome bug that allows malicious websites granted permission to use a computers microphone for speech recognition to continue listening after a user leaves the website.
---------------------------------------------
http://threatpost.com/chrome-eavesdropping-exploit-published/103798
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 21-01-2014 18:00 − Mittwoch 22-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** [2014-01-22] Backdoor account & command injection vulnerabilities in Allnet IP-Cam ALL2281 ***
---------------------------------------------
The IP camera Allnet ALL2281 is affected by critical vulnerabilities that allow an attacker to gain access to the webinterface via a backdoor account. Furthermore, executing arbitrary OS commands is possible.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Feodo Tracker kämpft gegen Rechnungs-Spam ***
---------------------------------------------
Das Feodo-Botnet beschert Deutschland aktuell massenhaft Viren-Spam – vermeintlich im Namen bekannter Mobilfunkprovider und Banken. Der Feodo-Tracker sammelt Indizien, um das Spam-Netzwerk zu bremsen.
---------------------------------------------
http://www.heise.de/security/meldung/Feodo-Tracker-kaempft-gegen-Rechnungs-…
*** Security Bulletins: Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including Citrix XenServer 6.2 Service Pack 1.
The following vulnerabilities have been addressed: CVE-2013-4494, CVE-2013-4554, CVE-2013-6885
---------------------------------------------
http://support.citrix.com/article/CTX140038
*** Security Bulletins: Citrix XenClient XT Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenClient XT. These vulnerabilities affect all currently supported versions of Citrix XenClient XT up to and including version 3.2.
The following vulnerabilities have been addressed: CVE-2013-4355, CVE-2013-4370, CVE-2013-4416, CVE-2013-4494, CVE-2013-4554
---------------------------------------------
http://support.citrix.com/article/CTX139624
*** SSL Labs: Stricter security requirements for 2014 ***
---------------------------------------------
Today, were releasing a new version of SSL Rating Guide as well as a new version of SSL Test to go with it. Because the SSL/TLS and PKI ecosystem continues to move at a fast pace, we have to periodically evaluate our rating criteria to keep up.
---------------------------------------------
http://blog.ivanristic.com/2014/01/ssl-labs-stricter-security-requirements-…
*** [2014-01-22] Critical vulnerabilities in T-Mobile HOME NET Router LTE (Huawei B593u-12) ***
---------------------------------------------
Attackers are able to completely compromise the T-Mobile Austria HOME NET router (based on Huawei B593u-12) without prior authentication. Depending on the configuration of the router it is also possible to exploit the flaws directly from the Internet.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Digitally signed data-stealing malware targets Mac users in "undelivered courier item" attack ***
---------------------------------------------
Our colleagues at SophosLabs pointed us at a interesting item of malware the other day, namely a data-stealing Trojan aimed at Mac users. In fact, it was somewhat more than that: it was one of those "undelivered courier item" emails linking to a dodgy web server that guessed whether you were running Windows or OS X, and targeted you accordingly.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-ma…
*** Cisco TelePresence System Software Command Execution Vulnerability ***
---------------------------------------------
Cisco TelePresence System Software contains a vulnerability in the System Status Collection Daemon (SSCD) code that could allow an unauthenticated, adjacent attacker to execute arbitrary commands with the privileges of the root user.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco TelePresence Video Communication Server SIP Denial of Service Vulnerability ***
---------------------------------------------
Cisco TelePresence Video Communication Server (VCS) contains a vulnerability that could allow an unauthenticated, remote attacker to trigger the failure of several critical processes which may cause active call to be dropped and prevent users from making new calls until the affected system is reloaded.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco TelePresence ISDN Gateway D-Channel Denial of Service Vulnerability ***
---------------------------------------------
Cisco TelePresence ISDN Gateway contains a vulnerability that could allow an unauthenticated, remote attacker to trigger the drop of the data channel (D-channel), causing all calls to be terminated and preventing users from making new calls.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 20-01-2014 18:00 − Dienstag 21-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Sicherheitstest eingerichtet: BSI meldet millionenfachen Identitätsdiebstahl ***
---------------------------------------------
Behörden haben bei der Analyse von Botnetzen rund 16 Millionen betroffene Benutzerkonten entdeckt. Das BSI bietet einen Sicherheitstest an, um E-Mails auf Identitätsdiebstahl zu überprüfen. (Internet, Security)
---------------------------------------------
http://www.golem.de/news/sicherheitstest-eingerichtet-bsi-meldet-millionenf…
*** Android Vulnerability Enables VPN Bypass ***
---------------------------------------------
A hole in Androids VPN feature could expose what should be securely communicated data as clear, unencrypted text.
---------------------------------------------
http://threatpost.com/android-vulnerability-enables-vpn-bypass/103719
*** Details on Patched Microsoft Office 365 XSS Vulnerability Disclosed ***
---------------------------------------------
A cross-site scripting vulnerability in Microsoft Office 365 casts attention on the need to shore up the security of cloud-based enterprise applications.
---------------------------------------------
http://threatpost.com/details-on-patched-microsoft-office-365-xss-vulnerabi…
*** Kampf um die Hintertüren einer vernetzten Welt ***
---------------------------------------------
Adam Philpott vom Netzwerk-Riesen Cisco bestreitet Kooperation mit Geheimdiensten und skizziert neue Bedrohungen im Netz der Zukunft
---------------------------------------------
http://derstandard.at/1389857261752
*** Blog: WhatsApp for PC - a guaranteed Trojan banker ***
---------------------------------------------
WhatsApp for PC - now from Brazil and bringing banker which will steal your money. It hides itself as an mp3 file and has a low VT detection.
---------------------------------------------
http://www.securelist.com/en/blog/208214225/WhatsApp_for_PC_a_guaranteed_Tr…
*** EU cyber security Agency ENISA calls for secure e-banking and e-payments: non-replicable, single-use credentials for e-identities are needed in the financial sector ***
---------------------------------------------
Different tokens, devices, mobile phones, e-signatures, etc. are used to authenticate our e-identities. Yet, some financial institutions are still not considering the risk of inadequate authentication mechanisms according to a new study by the EU Agency ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/enisa-calls-for-secure-e-ba…
*** Spoiled Onions ***
---------------------------------------------
As of January 2014, the Tor anonymity network consists of 5,000 relays of which almost 1,000 are exit relays. As the diagram to the right illustrates, exit relays bridge the gap between the Tor network and the open Internet. As a result, exit relays are able to see anonymised network traffic as it is sent by Tor clients. While most exit relays are innocuous and run by well-meaning volunteers, there are exceptions: In the past, some exit relays were documented to have sniffed and
---------------------------------------------
http://www.cs.kau.se/philwint/spoiled_onions/
*** Merkur-Kundendaten mit Nocard geknackt ***
---------------------------------------------
Studenten der FH Salzburg ist mit dem Kundenkartengenerator Zugriff auf Kundenprofile gelungen
---------------------------------------------
http://derstandard.at/1389857747260
*** WordPress WordFence Plugin "User-Agent" Script Insertion Vulnerability ***
---------------------------------------------
Input passed via the "User-Agent" HTTP header is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a administrator's browser session in context of an affected site when the malicious data is being viewed.
---------------------------------------------
https://secunia.com/advisories/56558
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 17-01-2014 18:00 − Montag 20-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** NCR: Weltweit 95 Prozent aller Geldautomaten mit Windows XP ***
---------------------------------------------
Laut einem hochrangigen Manager des Herstellers NCR laufen fast alle Geldautomaten weltweit noch mit Windows XP. Die Deutsche Kreditwirtschaft will davon nichts wissen, und erklärt, dass die Geldautomaten in Deutschland nicht am Internet hängen. Daher spiele die Art des Betriebssystems keine Rolle.
---------------------------------------------
http://www.golem.de/news/ncr-weltweit-95-prozent-aller-geldautomaten-mit-wi…
*** Adware vendors buy Chrome Extensions to send ad- and malware-filled updates ***
---------------------------------------------
A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hours worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account..
---------------------------------------------
http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensio…
*** VPN Related Vulnerability Discovered on an Android device - Disclosure Report ***
---------------------------------------------
As part of our ongoing mobile security research we have uncovered a network vulnerability on Android devices which has serious implications for users using VPN. This vulnerability enables malicious apps to bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the
---------------------------------------------
http://cyber.bgu.ac.il/blog/vpn-related-vulnerability-discovered-android-de…
*** Looking Forward Into 2014: What 2013′s Mobile Threats Mean Moving Forward ***
---------------------------------------------
2013 was the year that the Android malware not just grew, but matured into a full-fledged threat landscape. Not only did the number of threats grow, the sophistication and capabilities associated with these threats grew as well. As we noted earlier, the number of mobile malware threats has crossed the one million mark, and as of ...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mF1EIjR8duU/
*** Open-Xchange Server Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in Open-Xchange, which can be exploited by malicious users to disclose potentially sensitive information and by malicious people to conduct cross-site scripting and script insertion attacks.
---------------------------------------------
https://secunia.com/advisories/56390
*** F5 ARX Series Cyrus SASL NULL Pointer Dereference Vulnerability ***
---------------------------------------------
F5 has acknowledged a vulnerability in F5 ARX Series, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a bundled vulnerable version of Cyrus SASL in relation to the ARX Manager Configuration utility.
---------------------------------------------
http://secunia.com/advisories/56077/
*** Moodle Security Bypass Security Issue and Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A security issue and a vulnerability have been reported in Moodle, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site request forgery attacks.
---------------------------------------------
https://secunia.com/advisories/56556
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 16-01-2014 18:00 − Freitag 17-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** JS-Binding-Over-HTTP Vulnerability and JavaScript Sidedoor: Security Risks Affecting Billions of Android App Downloads ***
---------------------------------------------
Third-party libraries, especially ad libraries, are widely used in Android apps. Unfortunately, many of them have security and privacy issues. In this blog, we summarize our findings related to the insecure usage of JavaScript binding in ad libraries.
---------------------------------------------
http://www.fireeye.com/blog/technical/2014/01/js-binding-over-http-vulnerab…
*** ECAVA INTEGRAXOR BUFFER OVERFLOW VULNERABILITY ***
---------------------------------------------
Overview: This advisory is a follow-up to the alert titled ICS-ALERT-14-015-01 Ecava IntegraXor Buffer Overflow Vulnerability that was published January 15, 2014, on the NCCIC/ICS-CERT Web site.
Independent researcher Luigi Auriemma identified a buffer overflow vulnerability in the Ecava IntegraXor application without coordination with NCCIC/ICS-CERT, the vendor, or any other coordinating entity known to NCCIC/ICS-CERT. Ecava has produced a patch version that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-016-01
*** A Closer Look at the Target Malware, Part II ***
---------------------------------------------
Yesterdays story about the point-of-sale malware used in the Target attack has prompted a flood of reporting from antivirus and security vendors. Buried within those reports are some interesting details that speak to possible actors involved and to the timing and discovery of this breach.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/V1LusjgMQk8/
*** HPSBUX02961 SSRT101420 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Thingbot: Botnetz infiziert Kühlschrank ***
---------------------------------------------
Ein US-Sicherheitsunternehmen hat ein Botnetz enttarnt. Das Besondere daran ist, dass etwa ein Viertel der infizierten Geräte keine Computer sind, sondern andere Internet-fähige Geräte - darunter ein Kühlschrank. (Spam, Malware)
---------------------------------------------
http://www.golem.de/news/thingbot-botnetz-infiziert-kuehlschrank-1401-10397…
*** Microsoft löscht Tor-Software nach Trojaner-Befall ***
---------------------------------------------
Von mehreren hunderttausend Windows-PCs hat Microsoft veraltete Tor-Software gelöscht, die ein Trojaner installiert hatte. Auf bis zu zwei Millionen Rechnern soll der heimlich eingerichtete Dienst immer noch aktiv sein.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-loescht-Tor-Software-nach-Tr…
*** Oldboot: the first bootkit on Android ***
---------------------------------------------
A few days ago, we found an Android Trojan using brand new method to modify devices boot partition and booting script file to launch system service and extract malicious application during the early stage of systems booting. Due to the special RAM disk feature of Android devices boot partition, all current mobile antivirus product in the world can't completely remove this Trojan or effectively repair the system. We named this Android Trojan family as Oldboot. As far as we
---------------------------------------------
http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-andro…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 15-01-2014 18:00 − Donnerstag 16-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Compromised Sites Pull Fake Flash Player From SkyDrive ***
---------------------------------------------
On most days, our WorldMap shows more of the same thing. Today is an exception.One infection is topping so high in the charts that it pretty much captured our attention.Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits.So we dug deeper It wasnt long before we saw that a lot of scripts hosted in various websites got compromised. Our telemetry actually showed that almost 40% of the infected websites were hosted in Germany. In
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002659.html
*** Microsoft antimalware support for Windows XP ***
---------------------------------------------
Microsoft has announced the Windows XP end of support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system. To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015. This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-su…
*** SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2014-001Project: Drupal coreVersion: 6.x, 7.xDate: 2014-January-15Security risk: Highly criticalExploitable from: RemoteVulnerability: Multiple vulnerabilitiesDescriptionMultiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.Impersonation (OpenID module - Drupal 6 and 7 - Highly critical)A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack
---------------------------------------------
https://drupal.org/SA-CORE-2014-001
*** A First Look at the Target Intrusion, Malware ***
---------------------------------------------
Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Todays post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/OVODHvnhoQs/
*** Amazons public cloud fingered as USs biggest MALWARE LAIR ***
---------------------------------------------
Cyber-crooks lurve Bezos & Cos servers and their whitelisted IP addresses Amazons public cloud is the largest haven of malware spreaders in the US, according to security company Solutionary.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/16/amazon_clou…
*** Ecava IntegraXor Buffer Overflow Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of a buffer overflow vulnerability with proof-of-concept (PoC) exploit code affecting Ecava IntegraXor, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the vulnerability is exploitable by using a command to load an arbitrary resource from an arbitrary DLL located in the program’s main folder.
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-015-01
*** Advisory (ICSA-13-344-01) WellinTech Multiple Vulnerabilities ***
---------------------------------------------
NCCIC/ICS-CERT received reports from the Zero Day Initiative (ZDI) regarding a remote code execution vulnerability and an information disclosure vulnerability in WellinTech KingSCADA, KingAlarm&Event, and KingGraphic applications. These vulnerabilities were reported to ZDI by security researcher Andrea Micalizzi. WellinTech has produced a new version that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01
*** Google verstärkt Anti-Spam-Team mit Zukauf ***
---------------------------------------------
Das Team des Startups Impermium, das ein System gegen E-Mail-Account-Missbrauch entwickelt, wechselt zum Internet-Giganten.
---------------------------------------------
http://www.heise.de/security/meldung/Google-verstaerkt-Anti-Spam-Team-mit-Z…
*** Telekom reagiert mit Blog-Eintrag auf gefälschte Rechnungen ***
---------------------------------------------
Erneut versenden Kriminelle gefälschte Online-Rechnungen der Telekom als Lockmittel, um Schadsoftware zu verbreiten. Dieses Mal reagiert der Konzern mit Warn-Mails und einem Blog-Eintrag, der Unterscheidungsmerkmale zu echten Rechnungen erklärt.
---------------------------------------------
http://www.heise.de/security/meldung/Telekom-reagiert-mit-Blog-Eintrag-auf-…
*** The Hidden Backdoors to the City of Cron ***
---------------------------------------------
An attackers key to creating a profitable malware campaign is its persistency. Malicious code that is easily detected and removed will not generate enough value for their creators. This is the reason why we are seeing more and more malware using creative backdoor techniques, different obfuscation methods, and using unique approaches to increase the lifespanRead More
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/MCeUaRyYi88/the-hidden-backdo…
*** DynDNS-Dienst knickt unter DDoS-Attacke ein ***
---------------------------------------------
Dyn, Betreiber eines der bekanntesten DynDNS-Dienstes, ist Ziel eines DDoS-Angriffs geworden. Es ist zwar nur ein Teil der DNS-Infrastruktur des Anbieters betroffen, aber die Störung schlägt dennoch bis zu den Nutzern durch.
---------------------------------------------
http://www.heise.de/newsticker/meldung/DynDNS-Dienst-knickt-unter-DDoS-Atta…
*** Niederländische Behörden warnen vor Webcams ***
---------------------------------------------
Die niederländischen Justizbehörden warnen, dass die in Tablets und Latops eingebauten Webcams eine Sicherheitslücke darstellen, über die Hacker eindringen können. Abkleben wird empfohlen.
---------------------------------------------
http://www.heise.de/security/meldung/Niederlaendische-Behoerden-warnen-vor-…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 14-01-2014 18:00 − Mittwoch 15-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Verfassungsschutz: Gefahr der Online-Wirtschaftsspionage noch immer unterschätzt ***
---------------------------------------------
Viele kleine und mittelständische Unternehmen sähen Ausgaben für IT-Sicherheit immer noch nicht als gut investiertes Geld an, meinte der Präsident des Bundesamts für Verfassungsschutz.
---------------------------------------------
http://www.heise.de/security/meldung/Verfassungsschutz-Gefahr-der-Online-Wi…
*** NSA zapft auch Computer ohne Internetverbindung an ***
---------------------------------------------
Die NSA hat weltweit auf rund 100.000 Computern Spionagesoftware installiert. Auch zu Computern ohne Internetverbindung hat sich der US-Geheimdienst Zutritt verschafft.
---------------------------------------------
http://futurezone.at/netzpolitik/nsa-zapft-auch-computer-ohne-internetverbi…
*** A Look Into the Future and the January 2014 Bulletin Release ***
---------------------------------------------
In January, there are those who like to make predictions about the upcoming year. I am not one of those people. Instead, I like to quote Niels Bohr who said, "Prediction is very difficult, especially if it's about the future." However, I can say without a doubt that change is afoot in 2014. In February, usage of the MD5 hash algorithm in certificates will be restricted, as first discussed in Security Advisory 2862973, and the update goes out through Microsoft Update on the...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/01/14/a-look-into-the-future-a…
*** Kritische und wichtige Patches von Adobe und Microsoft ***
---------------------------------------------
Was lange währt wird endlich gut: Microsoft hat an seinem Patchday unter anderem die Rechteausweitungslücke in Windows geschlossen, die mindestens seit November für Angriffe missbraucht wird. Von Adobe gibt es dringende Updates für Acrobat und Reader.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-und-wichtige-Patches-von-Ado…
*** Oracle schließt 144 Sicherheitslücken ***
---------------------------------------------
Update betrifft auch Java 7 und Java 5
---------------------------------------------
http://derstandard.at/1388651059299
*** Adobe Security Bulletins Posted ***
---------------------------------------------
Today, we released the following Security Bulletins:
APSB14-01 – Security updates available for Adobe Reader and Acrobat
APSB14-02 – Security updates available for Adobe Flash Player
Customers of the affected products should consult the relevant Security Bulletin(s) for details.
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1041
*** Oracle Critical Patch Update Advisory - January 2014 ***
---------------------------------------------
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 144 new security fixes across the product families listed below.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
*** Summary for January 2014 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for January 2014.
With the release of the security bulletins for January 2014, this bulletin summary replaces the bulletin advance notification originally issued January 9, 2014. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.
---------------------------------------------
http://technet.microsoft.com/en-ca/security/bulletin/ms14-jan
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 13-01-2014 18:00 − Dienstag 14-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** HPSBUX02960 SSRT101419 rev.1 - HP-UX Running NTP, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running NTP. The vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Security: Mathematische Formel für den Cyberwar ***
---------------------------------------------
Zwei Wissenschaftler aus den USA haben eine Formel entwickelt, mit sie ausrechnen können, wann der beste Zeitpunkt ist, um einen Cyberangriff auf ein bestimmtes Ziel mit bestimmten Mitteln durchzuführen. (Cyberwar, Security)
---------------------------------------------
http://www.golem.de/news/security-mathematische-formel-fuer-den-cyberwar-14…
*** Router-Backdoor: Cisco, Netgear und Linksys versprechen Schutz ***
---------------------------------------------
Erst Ende Januar will Cisco ein Update liefern, das die in einigen Geraten gefundene Hintertür beseitigt; Netgear und Linksys nennen noch keinen Termin. Support-Anfragen zeigen, dass die Hintertür seit mindestens 10 Jahren aktiv ist.
---------------------------------------------
http://www.heise.de/security/meldung/Router-Backdoor-Cisco-Netgear-und-Link…
*** Spamming and scanning botnets - is there something I can do to block them from my site?, (Tue, Jan 14th) ***
---------------------------------------------
Spamming and scanning botnets - is there something I can do to block them from my site? This question keeps popping up on forums and all places popular with those beleaguer souls despondent of the random spamming and over filled logs from scanning. Although this isnt a Magic ball question answer does come out a: Maybe, Maybe not. The reason behind the ambiguity is logical, to a degree; it's easy trying to hinder, frustrate and reduce the effectiveness of automated botnet processes,
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17426&rss
*** ISC BIND NSEC3-Signed Zones Queries Handling Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in ISC BIND, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when handling queries for NSEC3-signed zones and can be exploited to cause a crash with an "INSIST" failure by sending a specially crafted query.
Successful exploitation requires an authoritative nameservers serving at least one NSEC3-signed zone.
---------------------------------------------
https://secunia.com/advisories/56427
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 10-01-2014 18:00 − Montag 13-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Factsheet published: Certificates with 1024 bit RSA are being phased-out ***
---------------------------------------------
Does your organisation still use certificates with an RSA key-length of at most 1024 bits? The NCSC recommends to replace them. The factsheet Certificates with 1024 bit RSA are being phased-out provides you with more information and perspectives for action.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/factsheet-published-certifi…
*** Symantec Endpoint Protection multiple vulnerabilities ***
---------------------------------------------
Symantec Endpoint Protection authentication privilege escalation
http://xforce.iss.net/xforce/xfdb/90224
Symantec Endpoint Protection search paths privilege escalation
http://xforce.iss.net/xforce/xfdb/90226
Symantec Endpoint Protection custom polocies security bypass
http://xforce.iss.net/xforce/xfdb/90225
*** Juniper Junos multiple vulnerabilities ***
---------------------------------------------
Juniper Junos CLI Commands Let Local Users Gain Elevated Privileges
http://www.securitytracker.com/id/1029585
Juniper Junos Branch SRX Series HTTP Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029584
Juniper Junos Branch SRX Series IP Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029583
Juniper Junos BGP Update Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029582
Juniper Junos XNM Command Processor Lets Remote Users Consume Excessive Memory on the Target System
http://www.securitytracker.com/id/1029586
*** Die tausend gestopften Löcher des FFmpeg ***
---------------------------------------------
Zwei Google-Ingenieure haben vor zwei Jahren damit begonnen, automatisiert nach Fehlern in dem freien Multimedia-Framework FFmpeg zu fahnden, von denen inzwischen über 1120 behoben wurden.
---------------------------------------------
http://www.heise.de/security/meldung/Die-tausend-gestopften-Loecher-des-FFm…
*** Microsoft Twitter accounts, blog hijacked by SEA ***
---------------------------------------------
Another week, ANOTHER security own goal for Redmond Microsoft had two Twitter accounts and an official blog compromised over the weekend in another embarrassing security incident for the Redmond giant.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/13/microsoft_t…
*** Trends in Targeted Attacks: 2013 ***
---------------------------------------------
FireEye has been busy over the last year. We have tracked malware-based espionage campaigns and published research papers on numerous advanced threat actors. We chopped through Poison Ivy, documented a cyber arms dealer, and revealed that Operation Ke3chang had targeted
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2014/01/trends-in-ta…
*** Cisco bestätigt Hintertür in mehreren Routern ***
---------------------------------------------
Test-Interface erlaubt Zugriff auf sensible Daten - Update soll noch im Jänner folgen
---------------------------------------------
http://derstandard.at/1388650811096
*** Bericht: Britischer Geheimdienst GCHQ schwächte GSM-Verschlüsselung ***
---------------------------------------------
Bislang wurde kolportiert, die NATO habe in den 1980er-Jahren auf einem schwachen A5/1-Algorithmus bestanden. Nun weist ein norwegischer Wissenschaftler den Briten die Verantwortung dafür zu.
---------------------------------------------
http://www.heise.de/security/meldung/Bericht-Britischer-Geheimdienst-GCHQ-s…
*** Versorgung mit Virensignaturen für Windows-XP-Rechner vorerst gesichert ***
---------------------------------------------
Am 8. April lässt Microsoft den Support für Windows XP fallen, doch die Antiviren-Hersteller beeindruckt das nicht. Die Folge: Um Signatur-Updates muss sich der XP-Anwender vorerst keine Sorgen machen, solange der Virenwächter nicht von Microsoft kommt.
---------------------------------------------
http://www.heise.de/security/meldung/Versorgung-mit-Virensignaturen-fuer-Wi…
*** LKA NRW warnt vor Betrugsversuchen angeblicher Microsoft-Mitarbeiter ***
---------------------------------------------
In den vergangenen Wochen haben sich Fälle gehäuft, in denen angebliche Mitarbeiter des Microsoft-Supports versuchen, PC-Nutzer per Telefon zu schädigen.
---------------------------------------------
http://www.heise.de/security/meldung/LKA-NRW-warnt-vor-Betrugsversuchen-ang…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 09-01-2014 18:00 − Freitag 10-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Understanding and mitigating NTP-based DDoS attacks ***
---------------------------------------------
Over the last couple of weeks you may have been hearing about a new tool in the DDoS arsenal: NTP-based attacks. These have become popular recently and caused trouble for some gaming web sites and service providers. Wed long thought that NTP might become a vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return a large reply to a small request. Unfortunately, that prediction has come true.
---------------------------------------------
http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-atta…
*** Advance Notification for January 2014 - Version: 1.0 ***
---------------------------------------------
This is an advance notification of security bulletins that Microsoft is intending to release on January 14, 2014.
This bulletin advance notification will be replaced with the January bulletin summary on January 14, 2014. For more information about the bulletin advance notification service, see...
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-jan
*** Oracle Critical Patch Update Pre-Release Announcement - January 2014 ***
---------------------------------------------
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for January 2014, which will be released on Tuesday, January 14, 2014. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
*** Prenotification Security Advisory for Adobe Reader and Acrobat ***
---------------------------------------------
Adobe is planning to release security updates on Tuesday, January 14, 2014 for Adobe Reader and Acrobat XI (11.0.05) and earlier versions for Windows and Macintosh.
---------------------------------------------
http://helpx.adobe.com/security/products/reader/apsb14-01.html
*** Adobe, Microsoft und Oracle zelebrieren ersten Patchday des Jahres ***
---------------------------------------------
Kommenden Dienstag ist es wieder soweit. Adobe will kritische Lücken in Acrobat und Adobe Reader schließen, Microsoft unter anderem eine Windows-Lücke, die bereits seit November vergangenen Jahres ausgenutzt wird.
---------------------------------------------
http://www.heise.de/security/meldung/Adobe-Microsoft-und-Oracle-zelebrieren…
*** Tackling the Sefnit botnet Tor hazard ***
---------------------------------------------
Sefnit, a prevailing malware known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and how we added detection on the upstream Sefnit installer. In this blog we explain how the Tor client service, added by Sefnit, is posing a risk to millions of machines, and how we are working to address the problem. Win32/Sefnit made headlines last August as it took...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botn…
*** Schon wieder hunderttausende Kundendaten durch xt:Commerce-Lücke geklaut ***
---------------------------------------------
Eine weitere Sicherheitslücke in xt:Commerce 3 und einigen der Nachfolger wird derzeit ausgenutzt, um die Namen, Mail-Adressen und Passwort-Hashes in Online-Shops zu entwenden. Betroffen sind über 230.000 Kunden vor allem aus Deutschland und Österreich.
---------------------------------------------
http://www.heise.de/security/meldung/Schon-wieder-hunderttausende-Kundendat…
*** Cisco Context Directory Agent Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in Cisco Context Directory Agent, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks and manipulate certain data.
---------------------------------------------
https://secunia.com/advisories/56365
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 08-01-2014 18:00 − Donnerstag 09-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Intercepted Email Attempts to Steal Payments, (Wed, Jan 8th) ***
---------------------------------------------
A reader sent in details of a incident that is currently being investigated in their environment. (Thank you Peter for sharing! ) It appears to be a slick yet elaborate scam to divert a customer payment to the scammers. It occurs when the scammer attempts to slip into an email conversation and go undetected in order to channel an ordinary payment for service or goods into his own coffers. Here is a simple breakdown of the flow: Supplier sends business email to customer, email mentions a...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17366&rss
*** ZeroAccess Takedown and the TDSS Aftermath ***
---------------------------------------------
Early December last year, Microsoft - in cooperation with certain law enforcement agencies - announced their takedown of the ZeroAccess operations. This development, however, also yielded an unexpected effect on another well-known botnet, in particular TDSS. TDSS and ZeroAccess ZeroAccess is one of the most notable botnets in the world, with its malware known for rootkit...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/v07x5pzmpj4/
*** Malvertising attacks via Yahoo ads may precede broader iframe attacks ***
---------------------------------------------
A New Years malvertisement attack on Yahoo.com that is believed to have infected the systems and devices of thousands of website visitors could signal an uptick in the use of highly effective iframe Web attacks on larger online communities.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240212218/Malvertising-attacks-v…
*** Personal banking apps leak info through phone ***
---------------------------------------------
For several years I have been reading about flaws in home banking apps, but I was skeptical. To be honest, when I started this research I was not expecting to find any significant results.
---------------------------------------------
http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.ht…
*** Falscher Alarm: Avast für Android hält alle Apps für Viren ***
---------------------------------------------
Ein fehlerhaftes Signaturupdate hat dazu geführt, dass Avast Android-Virenscanner am heutigen Donnerstag zahlreich fündig wurde.
---------------------------------------------
http://www.heise.de/security/meldung/Falscher-Alarm-Avast-fuer-Android-hael…
*** WordPress-Angreifer lieben TimThumb ***
---------------------------------------------
Akamai hat Attacken auf WordPress-Erweiterungen untersucht und festgestellt, dass sich die Angreifer vor allem auf ein Plug-in eingeschossen haben.
---------------------------------------------
http://www.heise.de/security/meldung/WordPress-Angreifer-lieben-TimThumb-20…
*** Critics Cut Deep on Yahoo Mail Encryption Rollout ***
---------------------------------------------
Yahoo has turned on HTTPS by default for its web-based email service, but the deployment is inconsistent across the board and experts are critical of its use of weak standards and the lack of Perfect Forward Secrecy and HSTS.
---------------------------------------------
http://threatpost.com/critics-cut-deep-on-yahoo-mail-encryption-rollout/103…
*** Drupal Media 7.x Access Bypass ***
---------------------------------------------
Topic: Drupal Media 7.x Access Bypass Risk: High Text:View online: https://drupal.org/node/2169767 * Advisory ID: PSA-2014-001 * Project: Media [1] (third-party module) ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014010051
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 07-01-2014 18:00 − Mittwoch 08-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** 64-bit ZBOT Leverages Tor, Improves Evasion Techniques ***
---------------------------------------------
Reports have surfaced that ZeuS/ZBOT, the notorious online banking malware, is now targeting 64-bit systems. During our own investigation, we have confirmed that several ZBOT 32-bit samples (detected as TSPY_ZBOT.AAMV) do have an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). However, our investigation also lead us to confirm other noteworthy routines of the malware, including its...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/RjjdkzMleq4/
*** Malicious Ads on DailyMotion Redirect to Fake AV Attack ***
---------------------------------------------
Popular video-sharing site DailyMotion is serving malicious ads that redirect site visitors to domains hosting Fake AV malware, security firm Invincea reports.
---------------------------------------------
http://threatpost.com/malicious-ads-on-dailymotion-redirect-to-fake-av-atta…
*** Einbruch in die Opensuse-Foren ***
---------------------------------------------
Die öffentlichen Opensuse-Foren sind Opfer eines Angriffs geworden und derzeit abgeschaltet.
---------------------------------------------
http://www.heise.de/security/meldung/Einbruch-in-die-Opensuse-Foren-2078128…
*** Yahoo Mail: Verschlüsselung wird endlich Default ***
---------------------------------------------
Alle Kommunikation mit Webmail-Service nun per HTTPS abgesichert - Aber kein Perfect Forward Secrecy
---------------------------------------------
http://derstandard.at/1388650341295
*** Satellite Links for Remote Networks May Pose Soft Target for Attackers ***
---------------------------------------------
Land-based terminals that send data to satellites may pose a soft target for hackers, an analysis from a computer security firm shows. VSATs, an abbreviation for "very small aperture terminals," supply Internet access to remote locations, enabling companies to transmit data from an isolated network to an organizations main one. The devices are used in a variety of industries, including energy, financial services and defense.
---------------------------------------------
http://www.cio.com/article/745580/Satellite_Links_for_Remote_Networks_May_P…
*** Linux Kernel, Font Bugs Fixed in Ubuntu ***
---------------------------------------------
A huge number of security vulnerabilities have been fixed in Ubuntu, including a remotely exploitable font flaw that an attacker could use to run arbitrary code on vulnerable machines. A number of Linux kernel flaws also were patched in some versions of the operating system. The font vulnerability affects five different versions of Ubuntu, including...
---------------------------------------------
http://threatpost.com/linux-kernel-font-bugs-fixed-in-ubuntu/103500
*** VU#487078: QNAP QTS path traversal vulnerability ***
---------------------------------------------
Vulnerability Note VU#487078 QNAP QTS path traversal vulnerability Original Release date: 08 Jan 2014 | Last revised: 08 Jan 2014 Overview QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal vulnerability. Description CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) - CVE-2013-7174QNAP QTS is a Network-Attached Storage (NAS) system accessible via a web interface. QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal...
---------------------------------------------
http://www.kb.cert.org/vuls/id/487078
*** Vuln: Cisco Unified Communications Manager Unauthorized Access Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64690
*** HP 2620 Switch Series Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56290
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 03-01-2014 18:00 − Dienstag 07-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Matthias Fraidl
*** Router auf Backdoor testen ***
---------------------------------------------
Die Netzwerkausrüster hüllen sich nach wie vor über den Zweck des kürzlich entdeckten, undokumentierten Router-Dienstes in Schweigen. So finden Sie heraus, ob Ihr Router ebenfalls auf Befehle wartet.
---------------------------------------------
http://www.heise.de/security/meldung/Router-auf-Backdoor-testen-2074844.html
*** Backdoor in Routern: Hersteller rätseln und analysieren ***
---------------------------------------------
Noch immer können die Router-Hersteller keine plausible Erklärung dafür liefern, dass auf auf ihren Geräten ein undokumentierter Konfigurationsdienst läuft. Sie sind nach eigenen Angaben selbst noch mit der Analyse beschäftigt.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Backdoor-in-Routern-Hersteller-raets…
*** Distributionen patchen Drupal -- außer Ubuntu ***
---------------------------------------------
Debian und Fedora liefern Sicherheitsupdates für kürzlich gemeldete Sicherheitsprobleme in Drupal. Wer Ubuntu nutzt, muss sich jedoch selber kümmern.
---------------------------------------------
http://www.heise.de/security/meldung/Distributionen-patchen-Drupal-ausser-U…
*** Recent Windows Zero-Day Targeted Embassies, Used Syria-related Email ***
---------------------------------------------
In late November, Microsoft revealed that a zero-day vulnerability was in use in targeted attacks against Windows XP and Server 2003 systems. From samples of the exploit examined, it has a backdoor payload that possesses sophisticated anti-analysis techniques. Further research of this earlier attack - discussed in the blog posts above - has revealed that the exploit was deployed via...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/xqgSESnrQns/
*** A Year of Spam: The Notable Trends of 2013 ***
---------------------------------------------
2013 was a year of change inthe spam landscape. The volume of spam increased from 2012. We witnessed the decline of a previously-successful exploit kit. The old became new again, thanks to different techniques used by spammers. While we still saw traditional types of spam, we also saw several "improvements" which allowed spammers to avoid...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/uZ0knuU7r3A/
*** Malware Deployed by Fake Digital Certificates Bypassing Endpoint Security ***
---------------------------------------------
Enterprises that place unwavering faith in the sanctity of digital certificates may want to re-think that belief, now that the latest chapter in the Win32/Winwebsec malware saga has revealed a troubling new development: the use of stolen authentication credentials. Win32/Winwebsec is the catch-all term used by Microsoft to reference a group of fake anti-virus programs [...]
---------------------------------------------
http://www.seculert.com/blog/2014/01/malware-deployed-by-fake-digital-certi…
*** Ransomware: Powerlocker wird für 100 US-Dollar angeboten ***
---------------------------------------------
Die Gruppe Malware Crusaders warnt vor einer neuen Ransomware, die nicht nur besser verschlüsselt, sondern mit zusätzlichen Funktionen ausgestattet ist. In einschlägigen Foren wird Powerlocker bereits für 100 US-Dollar angeboten. (Virus, Malware)
---------------------------------------------
http://www.golem.de/news/ransomware-powerlocker-wird-fuer-100-us-dollar-ang…
*** Malicious Advertisements served via Yahoo ***
---------------------------------------------
Fox-IT operates the shared Security Operations Center service ProtACT. This service monitors the networks of our clients for malicious activity. On January 3 we detected and investigated the infection of clients after they visited yahoo.com.
---------------------------------------------
http://blog.fox-it.com/2014/01/03/malicious-advertisements-served-via-yahoo/
*** WordPress Connect plugin for WordPress unspecified cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90106
*** Debian devscripts uscan.pl code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90107
*** [2013-12-27] XPath Injection in IBM Web Content Manager ***
---------------------------------------------
By exploiting the identified XPath Injection vulnerability, an unauthenticated user is able to extract sensitive application configuration data from vulnerable installations of IBM Web Content Manager.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** HP Data Protector code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90001http://xforce.iss.net/xforce/xfdb/90002http://xforce.iss.net/xforce/xfdb/90003
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 02-01-2014 18:00 − Freitag 03-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: L. Aaron Kaplan
*** Greyhats expose 4.5 million Snapchat phone numbers using 'theoretical' hack ***
---------------------------------------------
Snapchat largely discounted weakness that partially exposed user numbers.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/8aPSkYeU_SA/
*** Target's Use of 3DES Encryption Invites Scrutiny, Worry ***
---------------------------------------------
Targets admission that encrypted PIN data was stolen and secured with 3DES encryption has experts concerned because of the age of the algorithm and the availability of stronger options.
---------------------------------------------
http://threatpost.com/targets-use-of-3des-encryption-invites-scrutiny-worry…
*** Mysterioese Backdoor in diversen Router-Modellen ***
---------------------------------------------
Auf Routern von Linksys und Netgear lauscht ein undokumentierter Dienst, der auf Befehle wartet. Bislang gibt es lediglich ein Indiz dafuer, was es damit auf sich haben koennte.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mysterioese-Backdoor-in-diversen-Rou…
*** Scans Increase for New Linksys Backdoor (32764/TCP), (Thu, Jan 2nd) ***
---------------------------------------------
We do see a lot of probes for port 32764/TCP . According to a post to github from 2 days ago, some Linksys devices may be listening on this port enabling full unauthenticated admin access. [1] At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network. Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17336&rss
*** NSA Exploit of the Day: DEITYBOUNCE ***
---------------------------------------------
Todays item from the NSAs Tailored Access Operations (TAO) group implant catalog is DEITYBOUNCE: DEITYBOUNCE (TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads. (TS//SI//REL) This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
*** Advanced Dewplayer plugin for WordPress download-file.php directory traversal ***
---------------------------------------------
Advanced Dewplayer plugin for WordPress download-file.php directory traversal
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89978
*** "Penetrating Hard Targets": NSA arbeitet an Quantencomputern zur Kryptoanlayse ***
---------------------------------------------
Dokumente des NSA-Whistleblowers Edward Snowden legen nahe, dass die NSA bei der Entwicklung von Quantencomputern keinen Vorsprung hat. Mit derartiger Technik koennte bestehende Public-Key-Kryptographie geknackt werden.
---------------------------------------------
http://www.heise.de/security/meldung/Penetrating-Hard-Targets-NSA-arbeitet-…
*** HPSBMU02895 SSRT101253 rev.1 - HP Data Protector, Remote Increase of Privilege, Denial of Service (DoS), Execution of Arbitrary Code ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Data Protector. These vulnerabilities could be remotely exploited to allow an increase of privilege, create a Denial of Service (DoS), or execute arbitrary code.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** Bundesnetzagentur praesentiert Entwurf des IT-Sicherheitskatalogs ***
---------------------------------------------
Eine Liste von Sicherheitsanforderungen soll die IT-Infrastruktur unserer Stromnetze absichern. Bis Februar kann man diesen Entwurf noch kommentieren.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Bundesnetzagentur-praesentiert-Entwu…
*** Cost/Benefit Analysis of NSAs 215 Metadata Collection Program ***
---------------------------------------------
It has amazed me that the NSA doesnt seem to do any cost/benefit analyses on any of its surveillance programs. This seems particularly important for bulk surveillance programs, as they have significant costs aside from the obvious monetary costs. In this paper, John Mueller and Mark G. Stewart have done the analysis on one of these programs. Worth reading....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/01/costbenefit_ana_1.html
*** UPDATED X1 : OpenSSL.org Defaced by Attackers Gaining Access to Hypervisor, (Thu, Jan 2nd) ***
---------------------------------------------
By now, most of you have heard that the openssl.org website was defaced. While the source code and repositories were not tampered with, this obviously concerned people. What is more interesting is that the attack was made possible by gaining access to the hypervisor that hosts the VM responsible for the website. Attacks of this sort are likely to be more common as time goes on as it provides easy ability to take over a host without having to go through the effort of actually rooting a box.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17333&rss
*** Bankautomaten per USB-Stick uebernommen ***
---------------------------------------------
Sicherheitsforscher haben Schadcode entdeckt, der per USB-Stick auf Geldautomaten geladen wird und Ganoven dann beliebig Geld auszahlt. Die Malware enthaelt ausserdem raffinierte Funktionen, die den Hintermaennern Kontrolle ueber die Auszahlungen gibt
---------------------------------------------
http://www.heise.de/security/meldung/Bankautomaten-per-USB-Stick-uebernomme…
*** Ubuntu bessert TLSv1.2-Unterstuetzung nach ***
---------------------------------------------
In aktuellen Ubuntu-Versionen kann die zentrale Crypto-Bibliothek OpenSSL kein TLSv1.2; das soll sich erst mit Ubuntu 14.04 LTS aendern.
---------------------------------------------
http://www.heise.de/security/meldung/Ubuntu-bessert-TLSv1-2-Unterstuetzung-…
*** Ueberwachung: BND fischt deutlich weniger Kommunikation ab ***
---------------------------------------------
Der Bundesnachrichtendienst hat seine Filtermethoden offenbar verbessert. Im Jahr 2012 sind viel weniger verdaechtige Kommunikationsinhalte als in den Vorjahren in den Netzen haengengeblieben. (Datenschutz, DE-CIX)
---------------------------------------------
http://www.golem.de/news/ueberwachung-bnd-fischt-deutlich-weniger-kommunika…
*** Slovenian jailed for creating code behind 12 MILLION strong Mariposa botnet army ***
---------------------------------------------
A Slovenian virus writer who created an infamous strain of malware used to infect an estimated 12 million computers worldwide has been jailed for almost five years.
---------------------------------------------
http://www.theregister.co.uk/2014/01/03/mariposa_botnet_mastermind_jailed/
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 30-12-2013 18:00 − Donnerstag 02-01-2014 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** Joseph Stiglitz on Trust ***
---------------------------------------------
Joseph Stiglitz has an excellent essay on the value of trust, and the lack of it in todays society. Trust is what makes contracts, plans and everyday transactions possible; it facilitates the democratic process, from voting to law creation, and is necessary for social stability. It is essential for our lives. It is trust, more than money, that makes the...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/joseph_stiglitz.html
*** Sqlmap Tricks for Advanced SQL Injection ***
---------------------------------------------
Sqlmap is an awesome tool that automates SQL Injection discovery and exploitation processes. I normally use it for exploitation only because I prefer manual detection in order to avoid stressing the web server or being blocked by IPS/WAF devices. Below I provide a basic overview of sqlmap and some configuration tweaks for finding trickier injection points. Basics Using sqlmap for classic SQLi is very straightforward: ./sqlmap.py -u http://mywebsite.com/page.php?vulnparam=hello The target URL...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/sqlmap-tricks-for-advanced-sql-injection…
*** NSA Surveillance Has No Boundaries, Expert Says ***
---------------------------------------------
Expert Jacob Appelbaums keynote at CCC describes the deep catalog of hacks and backdoors at the NSAs disposal.
---------------------------------------------
http://threatpost.com/nsa-surveillance-has-no-boundaries-expert-says/103355
*** Protecting the data about data ***
---------------------------------------------
It has been said that encryption simply trades one secret (the data) for another (the key). In the same way, encrypting data naturally shifts attention to that which is not protected: the metadata.
---------------------------------------------
http://www.scmagazine.com//protecting-the-data-about-data/article/327122/
*** Yes, the BBC still uses FTP. And yes, a Russian crook hacked the server ***
---------------------------------------------
Convenient file-store a convenient target for crook touting access A BBC FTP server ftp.bbc.co.uk was compromised by a Russian hacker and access to it touted online, say computer security researchers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/12/30/bbc_ftp_ser…
*** Why NSA spied on inexplicably unencrypted Windows crash reports ***
---------------------------------------------
Windows reports what hardware you have and what software doesnt work.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/CCjtHJ8WSwY/
*** 30C3: Sicherheitsalbträume des Jahres 2014 ***
---------------------------------------------
Unmodulierte Basisbandsysteme stellen nach Ansicht von Sicherheitsexperten des CCC lohnende Angriffsziele dar. Im Biometrie-Segment habe Apple mit Touch ID "die Büchse der Pandora" geöffnet.
---------------------------------------------
http://www.heise.de/newsticker/meldung/30C3-Sicherheitsalbtraeume-des-Jahre…
*** Juniper SSL VPN and UAC Host Checker Issue, (Tue, Dec 31st) ***
---------------------------------------------
A few readers have written asking about odd denials when trying to use Juniper VPNs. Turns out they released a Product Support Notification (subscription required) about their host check feature which fails on endpoints that have a local date set 12/31/2013 or later. There are working on a fix but as a workaround, you can change the local date on the PC, disable host checker verification all together or create a manual host checker process that disables checking firewall, anti-virus and/or
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17321&rss
*** X11/X.Org Security In Bad Shape ***
---------------------------------------------
An anonymous reader writes "A presentation at the Chaos Communication Congress explains how X11 Server security with being worse than it looks. The presenter found more than 120 bugs in a few months of security research and is not close to being done in his work. Upstream X.Org developers have begun to call most of his claims valid. The presentation by Ilja van Sprunde is available for streaming." Read more of this story at Slashdot.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/W_cx3sKOALE/story01.htm
*** Administratoren! Machet Krypto, aber besser... ***
---------------------------------------------
Bettercrypto hilft Systemadmins, Verschlüsselung einzurichten und zu verbessern. Copy&Paste ist gewünscht, Verbesserungsvorschläge ebenso.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Administratoren-Machet-Krypto-aber-b…
*** Dual_EC_DRBG Backdoor: a Proof of Concept ***
---------------------------------------------
New submitter Reliable Windmill sends this followup to the report that RSA took money from the NSA to use backdoored tech for random number generation in encryption software. From the article: "Dual_EC_DRBG is an pseudo-random number generator promoted by NIST in NIST SP 800-90A and created by NSA. This algorithm is problematic because it has been made mandatory by the FIPS norm (and should be implemented in every FIPS approved software) and some vendors even promoted this algorithm as...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/_PXJ0M1qmQI/story01.htm
*** Hacker finden Hintertüren in Netgear- und Linksys-Routern ***
---------------------------------------------
Ein findiger Hacker hat in den vergagnenen Tagen einen seltsamen Hintergrunddienst auf seinem Router entdeckt. Darüber kann sich jeder Zugang zu seinem Netzwerk verschaffen.
---------------------------------------------
http://futurezone.at/netzpolitik/hacker-finden-hintertueren-in-netgear-und-…
*** Österreichische Begeh: Kopierbarkeit von RFID-Schlüssel bekannt ***
---------------------------------------------
Unternehmen hat nach 30C3-Vortrag von Adrian Dabrowski Stellung bezogen
---------------------------------------------
http://derstandard.at/1388649760468
*** Manipulierte Speicherkarten als Malware-Versteck ***
---------------------------------------------
Hacker zeigen Angriff gegen eingebetteten Mikrokontroller - Daten können vor dem Betriebssystem versteckt werden
---------------------------------------------
http://derstandard.at/1388649791611
*** Snapchat schweigt nach Datenleck ***
---------------------------------------------
Der Anbieter der Foto-App Snapchat äußert sich bisher nicht zu dem Vorfall, bei dem Unbekannte die Daten von 4,6 Millionen Kunden erbeutet haben. Zuvor hatte das Unternehmen Warnungen von Sicherheitsexperten in den Wind geschlagen.
---------------------------------------------
http://www.heise.de/security/meldung/Snapchat-schweigt-nach-Datenleck-20742…
*** memcached mit löchriger Authentifizierung ***
---------------------------------------------
Die SASL-Authentifizierung des Cache-Servers ist zu gutmütig. Auch mit ungültigen Zugangsdaten kommt man beim zweiten Versuch rein.
---------------------------------------------
http://www.heise.de/security/meldung/memcached-mit-loechriger-Authentifizie…
*** OpenSSL.org Defaced by Attackers Gaining Access to Hypervisor, (Thu, Jan 2nd) ***
---------------------------------------------
By now, most of you have heard that the openssl.org website was defaced. While the source code and repositories were not tampered with, this obviously concerned people. What is more interesting is that the attack was made possible by gaining access to the hypervisor that hosts the VM responsible for the website. Attacks of this sort are likely to be more common as time goes on as it provides easy ability to take over a host without having to go through the effort of actually rooting a box.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17333&rss
*** Der Spiegel Article on Networking Equipment Infiltration ***
---------------------------------------------
On December 29, 2013, the German news publication Der Spiegel published an article referencing leaked documents from the U.S. National Security Agency (NSA) that mentioned "software implants" for networking devices. Cisco is one of a number of technology companies mentioned in the article...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-…
*** Security Notice-Statement About the Networking Equipment Infiltration Article in Der Spiegel ***
---------------------------------------------
On December 29, 2013, German news agency Der Spiegel published a report titled "Shopping for Spy Gear: Catalog Advertises NSA Toolbox" and described Huawei as one of the vendors that might be impacted.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Security Advisory-A DoS Vulnerability in the SSH Module on Huawei AR Router ***
---------------------------------------------
On Some Huawei AR routers that receive a large number of SSH authentication attack packets with malformed data, legitimate users fail to log in through SSH. Attackers can construct massive attack packets to cause the AR routers to deny SSH login from legitimate users. (HWPSIRT-2013-1255).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Vuln: mod_nss Module NSSVerifyClient CVE-2013-4566 Authentication Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64114
*** Vuln: libgadu SSL Certificate Validation CVE-2013-4488 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63473
*** Debian update for ruby-i18n ***
---------------------------------------------
https://secunia.com/advisories/56212
*** DSA-2833 openssl ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2014/dsa-2833
*** DSA-2832 memcached ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2014/dsa-2832
*** DSA-2831 puppet ***
---------------------------------------------
insecure temporary files
---------------------------------------------
http://www.debian.org/security/2013/dsa-2831
*** Debian update for typo3-src ***
---------------------------------------------
https://secunia.com/advisories/56266
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 27-12-2013 18:00 − Montag 30-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** eBay Vulnerable to Account Hijacking Via XSRF ***
---------------------------------------------
A researcher reported a cross-site request forgery vulnerability to eBay in August, and despite repeated communication from the online auction that the code has been repaired, the site remains vulnerable to exploit.
---------------------------------------------
http://threatpost.com/ebay-vulnerable-to-account-hijacking-via-xsrf/103311
*** 12 Days of HaXmas: Meterpreter, Reloaded ***
---------------------------------------------
Over the last quarter of 2013, we here in the Democratic Freehold of Metasploit found that we needed to modernize our flagship remote access toolkit (RAT), Meterpreter. That started with cleaving Meterpreter out of the main Metasploit repository and setting it up with its own repository, and then bringing in a dedicated Meterpreter hacker, the indomitable OJ TheColonial Reeves. We couldn't be happier with the results so far.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/27/meterpret…
*** 12 Days of HaXmas: Exploiting (and Fixing) RJS Rails Info Leaks ***
---------------------------------------------
Several weeks ago, Egor Homakov wrote a blog post pointing out a common info leak vulnerability in many Rails apps that utilize Remote JavaScript. The attack vector and implications can be hard to wrap your head around, so in this post I'll explain how the vulnerability occurs and how to exploit it.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/29/remote-js…
*** Major flaw discovered in mobile software used by govt agencies ***
---------------------------------------------
The vulnerability discovered by an Israeli security researcher affects Samsungs Galaxy S4 device, which is currently used by government agencies.
---------------------------------------------
http://www.scmagazine.com/major-flaw-discovered-in-mobile-software-used-by-…
*** Who's Still Robbing ATMs with USB Sticks? ***
---------------------------------------------
Here's one quick way to rob a bank, over and over again. Find an ATM running Windows XP. Skeptical? Don't be, they're still installed all around the world. Next, cut a piece from its chassis to expose its USB port. ...
---------------------------------------------
http://www.wired.com/threatlevel/2013/12/whos-robbing-atms-usb-stick/
*** NTP reflection attack, (Fri, Dec 27th) ***
---------------------------------------------
Symantec has notice in the last few weeks that there is a significant NTP reflection attacks. NTP is Network time protocol and it's used to synch the time between client and server, it is a UDP protocol and it's run on port 123. In the NTP reflection attack the attacker send a crafted packet which request a large amount of date send to the host. "In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older version of NTP that...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17300
*** DRG online challenge(s), (Sat, Dec 28th) ***
---------------------------------------------
For the last couple of months DRG (the Dragon Research Group) has posted some interesting security challenges. The last one, for December, is currently online so if you want to test your security skills - and post the solutions for the public benefit, do not miss the current challenge available at http://dragonresearchgroup.org/challenges/201312/ Those of you who like playing CTFs will enjoy this. Other (older) challenges are still online too, so if you have some time off here's...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17306
*** 30C3: Keine Hintertüren in Tor ***
---------------------------------------------
Roger Dingledine, Vater des Tor-Netzwerks, hat auf dem Hamburger Hackerkongress erklärt, dass eine Vertreterin des US-Justizministeriums auf eine bessere Überwachbarkeit des Anonymisierungsdienstes gedrängt habe.
---------------------------------------------
http://www.heise.de/security/meldung/30C3-Keine-Hintertueren-in-Tor-2072708…
*** The story of a Trojan Dropper I ***
---------------------------------------------
Introduction: Recently, Zscaler ThreatlabZ received a suspicious file from one of our customers, which was named "OrderDetails.zip". After extracting the executable file from the archive I have performed a virustotal scan to get some information about the file. At that time, very few antivirus vendors had definitions in place, which flagged the file as malicious. As such, I decided...
---------------------------------------------
http://research.zscaler.com/2013/12/the-story-of-trojan-dropper-i.html
*** The story of a Trojan dropper II ***
---------------------------------------------
Analysis: Lets analyze the PE file in detail and see what it's up to. Like most malware, this sample was packed and in order to properly analyze it, we must begin by unpacking the binary. Keeping this in mind, I began by debugging the file, hoping to find the reference to the data section in order to determine precisely where the encrypted portion of data was to be found. Fortunately,...
---------------------------------------------
http://research.zscaler.com/2013/12/the-story-of-trojan-dropper-ii.html
*** RFID-Begehcard: Mit dem Skipass in Wiens Wohnhäuser ***
---------------------------------------------
"Österreich ist sicher", heißt es vollmundig auf der Webseite des Begehsystems. Doch Häuser, die ihren Eingang mit der Begehcard sichern, sind leicht zu öffnen. Alles, was man dazu braucht, ist ein neu programmierbarer RFID-Skipass. (RFID, Sicherheitslücke)
---------------------------------------------
http://www.golem.de/news/rfid-begehcard-ohne-sicherheit-mit-dem-skipass-in-…
*** Open-Source Release of MANTIS Cyber-Threat Intelligence Management Framework ***
---------------------------------------------
Today, Siemens CERT is releasing the "MANTIS Cyber-Threat Intelligence Management Framework" as Open Source under GPL2+.
---------------------------------------------
http://making-security-measurable.1364806.n2.nabble.com/Open-Source-Release…
*** The Year in NSA ***
---------------------------------------------
It's that most wonderful time of the year, the time when everyone with access to an email machine puts together a list of the best or worst of whatever happened in the last 12 months. In the computer security world, there is no doubt that such a list would find NSA stories in places one...
---------------------------------------------
http://threatpost.com/the-year-in-nsa/103329
*** PIN Skimmer offers a new side channel attack against mobile devices ***
---------------------------------------------
Researchers with the University of Cambridge revealed just how effective PIN Skimmers can be against mobile devices in a recently released study on the new type of side-channel attack.
---------------------------------------------
http://www.scmagazine.com/pin-skimmer-offers-a-new-side-channel-attack-agai…
*** HP Application Information Optimizer Flaw in Archive Query Server Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029542
*** HP Service Manager Input Validation Hole Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029541
*** HPSBMU02959 rev.1 - HP Service Manager WebTier and Windows Client, Cross-Site Scripting (XSS), Execution of Arbitrary Code and other Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Service Manager WebTier and Windows Client. The vulnerabilities could be remotely exploited including cross-site scripting (XSS) and execution of arbitrary code.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** DSA-2828 drupal6 ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2013/dsa-2828
Next End-of-Shift Report on 2014-01-02
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 23-12-2013 18:00 − Freitag 27-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Hintergrund: Erfolgreicher Angriff auf Linux-Verschlüsselung ***
---------------------------------------------
Linux Unified Key Setup (LUKS) ist das Standardverfahren für die Komplettverschlüsselung der Festplatte unter Linux; viele Systeme, darunter Ubuntu 12.04 LTS, setzen dabei LUKS im CBC-Modus ein. Jakob Lell demonstriert, dass diese Kombination anfällig für das Einschleusen einer Hinterür ist.
---------------------------------------------
http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Versch…
*** Protection metrics - November results ***
---------------------------------------------
In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/23/protection-metrics-novem…
*** Turkey: Understanding high malware encounter rates in SIRv15 ***
---------------------------------------------
In our most recent version of the Security Intelligence Report, we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/23/turkey-understanding-hig…
*** Popular Registrar Namecheap Fixes DNS Hijack Bug ***
---------------------------------------------
The domain registrar and Web-hosting company Namecheap has fixed a cross site request forgery vulnerability in its DNS setup page.
---------------------------------------------
http://threatpost.com/popular-registrar-namecheap-fixes-dns-hijack-bug/1032…
*** What a successful exploit of a Linux server looks like ***
---------------------------------------------
Like most mainstream operating systems these days, fully patched installations of Linux provide a level of security that requires a fair amount of malicious hacking to overcome. Those assurances can be completely undone by a single unpatched application, as Andre' DiMino has demonstrated when he documented an Ubuntu machine in his lab being converted into a Bitcoin-mining, denial-of-service-spewing, vulnerability-exploiting hostage under the control of attackers.
---------------------------------------------
http://arstechnica.com/security/2013/12/anatomy-of-a-hack-what-a-successful…
*** Turkey Tops World in Per Capita Malware Encounters ***
---------------------------------------------
Microsoft claims that Turkish machines encounter more malware than computers in any other country in the world.
---------------------------------------------
http://threatpost.com/turkey-tops-world-in-per-capita-malware-encounters/10…
*** New Trojan.Mods mines bitcoins ***
---------------------------------------------
Russian anti-virus company Doctor Web is warning users about a new Trojan.Mods modification that has been dubbed Trojan.Mods.10. This Trojans authors followed the major trend of December 2013 and added a bitcoin miner to the set of Trojan.Mods.10's features. You may recall that Trojan.Mods programs were found in large numbers in the wild in spring 2013 and were primarily designed to intercept browsers DNS queries and redirect users to malignant sites.
---------------------------------------------
http://news.drweb.com/show/?i=4176&lng=en&c=9
*** New CryptoLocker Spreads Via Removable Drives ***
---------------------------------------------
We recently came across a CryptoLocker variant that had one notable feature - it has propagation routines.
Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/new-cryptolocker…
*** OpenSSL mit kaputter Hintertür ***
---------------------------------------------
Die von der NSA als Hintertür entworfene Zufallszahlenfunktion Dual EC findet sich auch in der offenen Krypto-Bibliothek OpenSSL. Allerdings war sie dort funktionsunfähig, ohne dass es jemand bemerkt hätte.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-mit-kaputter-Hintertuer-207237…
*** Big Data and security analytics collide ***
---------------------------------------------
Big Data will become "The next big thing" - a critical re-evaluation and re-tooling of our analytical abilities. This is not about being able to query more data, but being able to query all data.
---------------------------------------------
http://www.scmagazine.com/big-data-and-security-analytics-collide/article/3…
*** Infection found on "feedburner.com" ***
---------------------------------------------
Recently we have seen the websites of MySQL and PHP.net being compromised. We have also blogged about Google Code being used as a drop site for holding malicious code. These instances clearly suggest that attackers are targeting popular websites and using them in their attacks as they are less likely to be blocked by URL filters. This time we found that Google acquired "FeedBurner", which provides custom RSS feeds and management tools to users is hosting an infected page.
---------------------------------------------
http://research.zscaler.com/2013/12/infection-found-on-feedburnercom.html
*** Hackers who breached php.net exposed visitors to highly unusual malware ***
---------------------------------------------
Eight weeks after hackers compromised the official PHP website and laced it with attack code, outside security researchers have uncovered evidence that some visitors were exposed to malware that's highly unusual, if not unique.
---------------------------------------------
http://arstechnica.com/security/2013/12/hackers-who-breached-php-net-expose…
*** Python Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56234
*** Puppet Enterprise Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56251
*** Novell Client Bug Lets Local Users Crash the System ***
---------------------------------------------
http://www.securitytracker.com/id/1029533
*** Cisco IOS XE VTY Authentication security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89901
*** cPanel WHM XML and JSON APIs Arbitrary File Disclosure Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56207
*** VMware Patches Privilege Vulnerability in ESX, ESXi ***
---------------------------------------------
http://threatpost.com/vmware-patches-privilege-vulnerability-in-esx-esxi/10…
*** Zimbra 8.0.2 and 7.2.2 Collaboration Server LFI Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120155
*** Synology DiskStation Manager SLICEUPLOAD Remote Command Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120156
*** RT: Request Tracker 4.0.10 SQL Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013040083
*** Bugtraq: Song Exporter v2.1.1 RS iOS - File Include Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530489
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 20-12-2013 18:00 − Montag 23-12-2013 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** What to Expect in Surveillance Politics in 2014 (Hint: It's Not Reform) ***
---------------------------------------------
You would think that a federal district judge calling the NSA program almost Orwellian would be a good sign for surveillance and privacy in 2014. If you're holding out hope for an act of political courage to end bulk surveillance ...
---------------------------------------------
http://www.wired.com/opinion/2013/12/dont-get-too-excited-about-recent-ruli…
*** DHS Turns To Unpaid Interns For Nations Cyber Security ***
---------------------------------------------
theodp writes "A week after President Obama stressed the importance of computer science to America, the Department of Homeland Security put out a call for 100+ of the nations best-and-brightest college students to work for nothing on the nations cyber security. The unpaid internship program, DHS notes, is the realization of recommendations (PDF) from the Homeland Security Advisory Councils Task Force on CyberSkills, which included execs from Facebook, Lockheed Martin, and Sony, and was...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/leJ5tNqGbgU/story01.htm
*** Microsoft Security Essentials Misses 39% of Malware ***
---------------------------------------------
Barence writes "The latest tests from Dennis Publishings security labs saw Microsoft Security Essentials fail to detect 39% of the real-world malware thrown at it. Dennis Technology Labs (DTL) tested nine home security products on a Windows 7 PC, including Security Essentials, which is distributed free to Windows users and built into Windows 8 in the form of Windows Defender. While the other eight packages all achieved protection scores of 87% or higher - with five scoring 98% or 99%..
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/8Vg-UHP2dqo/story01.htm
*** Kritische Sicherheitslücken in Write-Blocker entdeckt ***
---------------------------------------------
Gleich mehrere Sicherheitslücken entdeckte ein IT-Forensik-Experte in dem neuen Write-Blocker Ditto. Die Folge: Statt seine eigentliche Arbeit zu verrichten, kann das Gerät selbst als Angriffswerkzeug missbraucht werden und Untersuchungen torpedieren.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-Sicherheitsluecken-in-Write-…
*** Strange DNS Queries - Request for Packets, (Sat, Dec 21st) ***
---------------------------------------------
We have received a pcap sample of DNS queries that display a strange behavior. The queries are type ANY for domains ghmn.ru and fkfkfkfa.com. When doing a nslookup, both domains have 100 IPs listed under their domain names with each of them resolving exactly the same last octets (i.e. .1, .10, .100, etc). Queries with the same transaction ID are often repeated several times. The traffic samples we have received indicate the queries are sent by either a host or a server. If anyone else is...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17264&rss
*** evasiOn7: Jailbreak für iOS 7 - mit umstrittenen Funktionen ***
---------------------------------------------
Ein erster Jailbreak für iOS 7, mit dem sich Apps jenseits von Apples App Store installieren lassen, ist verfügbar. Er geriet allerdings wegen Integration eines chinesischen App Stores mit Raubkopien und wegen Verschleierung des Codes gleich in Verruf.
---------------------------------------------
http://www.heise.de/security/meldung/evasiOn7-Jailbreak-fuer-iOS-7-mit-umst…
*** Backdoor in Krypto-Software: RSA Security dementiert NSA-Zahlungen ***
---------------------------------------------
Man habe "niemals einen geheimen Vertrag mit der NSA geschlossen, um einen bekannt anfälligen Zufallszahlengenerator in die Verschlüsselungsbibliotheken von BSAFE zu integrieren", betont RSA Security - leugnet aber keineswegs Zusammenarbeit mit der NSA.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Backdoor-in-Krypto-Software-RSA-Secu…
*** Anti-Bruteforce-Tool DenyHosts sperrt Admins aus ***
---------------------------------------------
Admins, die ihre Server mit DenyHosts vor Brute-Force-Angriffen schützen, müssen handeln - andernfalls stehen sie möglicherweise bald vor verschlossenen Türen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Anti-Bruteforce-Tool-DenyHosts-sperr…
*** How I hacked a journalist ***
---------------------------------------------
It started off as a follow-up to a story a journalist had written several years ago. The story was about data protection, and had showed that a simple subject access request could provide you with enough information to steal someone's identity. Now, Claudia Joseph wanted to see if anything had changed and to update the world on the new dangers. What would happen if somebody was able to infiltrate your online life? Claudia contacted us and started the conversation with "Can you hack...
---------------------------------------------
http://www.nccgroup.com/en/blog/2013/12/how-i-hacked-a-journalist/
*** Practical malleability attack against CBC-Encrypted LUKS partitions ***
---------------------------------------------
Topic: Practical malleability attack against CBC-Encrypted LUKS partitions Risk: Medium Text:Article location: http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-agai…...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120153
*** Alert: Adobe License Key Email Scam ***
---------------------------------------------
Adobe is aware of reports that a phishing campaign is underway involving malicious email purporting to deliver license keys for a variety of Adobe offerings. Customers who receive one of these emails should delete it immediately without downloading attachments or...
---------------------------------------------
http://blogs.adobe.com/psirt/2013/12/20/alert-adobe-license-key-email-scam/
*** [webapps] - Jenkins 1.523 - Inject Persistent HTML Code ***
---------------------------------------------
http://www.exploit-db.com/exploits/30408
*** Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server Community 3.0.0.4 October 2013 CPU (CVE-2013-5802,CVE-2013-5825) ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server Community 3.0.0.4. CVE(s): CVE-2013-5802, and CVE-2013-5825 Affected product(s) and affected version(s): WebSphere Application Server Community Edition 3.0.0.4 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21660594 X-Force Database:...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Security Bulletin: Fix available for Unauthorized Information Retrieval Security Vulnerability in IBM WebSphere Portal (CVE-2013-6735) ***
---------------------------------------------
A fix that blocks unauthorized information retrieval is available for a security vulnerability in IBM WebSphere Portal.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21660289
*** Wordpress information leakage and backdoor in writing settings ***
---------------------------------------------
Topic: Wordpress information leakage and backdoor in writing settings Risk: High Text:Hello list! As Ive announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordPr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120152
*** Synology DiskStation Manager (DSM) multiple scripts directory traversal ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89892
*** Avant Browser Rendering Engines Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56242
*** Nagios "process_cgivars()" Off-By-One Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55976
Next End-of-Shift Report on 2013-12-27
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 19-12-2013 18:00 − Freitag 20-12-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Do You Hear What I Hear? ***
---------------------------------------------
This article, recently published in the Journal of Communications, adds another log to the BadBIOS fire. It has been stated that devices in the BadBIOS case are communicating across an air-gap with commodity PC audio hardware. This paper clearly spells out one workable way to communicate in this way. Even if this doesn't end up...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XrnMZDjVZpk/
*** NSA's broken Dual_EC random number generator has a "fatal bug" in OpenSSL ***
---------------------------------------------
No plans to fix a bug in "toxic" algorithm that no one seems to use.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/DAvvFpw-R04/story01…
*** Microsoft warnt vor signierter Malware ***
---------------------------------------------
Immer mehr Schädlinge tragen eine gültige digitale Signatur. Die Unterschriften werden typischerweise mit gestohlenen Entwicklerzertifikaten erstellt.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-warnt-vor-signierter-Malware…
*** Exploiting Password Recovery Functionalities ***
---------------------------------------------
Password recovery functionalities can result in vulnerabilities in the same application they are intended to protect. Vulnerabilities such as username enumeration (showing different error messages when the user exists or not in the database), sensitive information disclosure (sending the password in clear-text by e-mail to user) and recover password message hijack (involving an attacker receiving a copy of the recover password message) are some common vulnerabilities that may be found in a...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/exploiting-password-recovery-functionali…
*** Quick Joomla Refresher ***
---------------------------------------------
I havent come into contact with Joomla for a while, but I had the opportunity recently in a penetration test of a web site that was running the popular Content Management System (CMS). In this blog post I mention some of the tools I used to check the security of a particular Joomla installation and comment upon their effectiveness. Depending on your source, Joomla is within the top five contenders for the most popular CMS. Alternatives include WordPress, Drupal and others. CMS frameworks have...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/quick-joomla-refresher.html
*** Not quite the average exploit kit: Zuponcic ***
---------------------------------------------
This post connects three recent developments in the realm of malware infections: .htaccess server compromise, the Zuponcic exploit kit and the Ponmocup botnet. It seems that the defacto standard of exploit kits is getting competition. Understanding how this exploit kit works will give you a better chance of defending against it and for identifying the .htaccess compromise on your server.
---------------------------------------------
http://blog.fox-it.com/2013/12/19/not-quite-the-average-exploit-kit-zuponci…
*** Nach BKA-Einsatz: ZeroAccess-Botnetz streicht die Segel ***
---------------------------------------------
Die Drahtzieher hinter dem ZeroAccess-Botnetz schwenken die virtuelle weiße Fahne. Nach weiteren Aktionen der Strafverfolgungsbehörden haben sie das Bot hüten anscheinend vorerst aufgegeben.
---------------------------------------------
http://www.heise.de/security/meldung/Nach-BKA-Einsatz-ZeroAccess-Botnetz-st…
*** Digitale Forensik: Ungelöste Probleme bei Beweissicherung digitaler Artefakte ***
---------------------------------------------
Etliche Probleme der Beweissicherung digitaler Artefakte sind noch längst nicht gelöst, zeigte sich auf dem Workshop Forensik und Internetkriminalität. Dazu lieferte das BSI ein Lagebild, das von einem ungebrochenen Anstieg der Netzkriminalität ausgeht.
---------------------------------------------
http://www.heise.de/security/meldung/Digitale-Forensik-Ungeloeste-Probleme-…
*** BitTorrent stellt Peer-to-Peer-Chat-System vor ***
---------------------------------------------
Als Antwort auf die flächendeckende NSA-Schnüffelei hat BitTorrent ein Chat-System entwickelt, das ohne zentralen Server auskommt und anonyme, verschlüsselte Kommunikation ermöglicht.
---------------------------------------------
http://www.heise.de/security/meldung/BitTorrent-stellt-Peer-to-Peer-Chat-Sy…
*** Erneute Lücke in OpenX wird aktiv ausgenutzt ***
---------------------------------------------
Kritische Sicherheitslücken in der aktuellen Version der Anzeigen-Server-Software OpenX und in dessen Fork Revive werden genutzt, um Schad-Software zu verteilen. Das CERT-Bund benachrichtigt täglich mehrere betroffene Server-Betreiber.
---------------------------------------------
http://www.heise.de/security/meldung/Erneute-Luecke-in-OpenX-wird-aktiv-aus…
*** Viren-Statistiken: Rückblick finster, Ausblick noch finsterer ***
---------------------------------------------
Das Jahr 2014 hält für Smartphone-Benutzer besonders viele digitale Angriffe bereit, sagen Antivirenhersteller nach Auswertung ihrer Statistiken.
---------------------------------------------
http://www.heise.de/security/meldung/Viren-Statistiken-Rueckblick-finster-A…
*** RSA Archer eGRC Input Validation Flaws Permit Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029523
*** WordPress URL Redirector Abuse and XSS vulnerabilities ***
---------------------------------------------
Topic: WordPress URL Redirector Abuse and XSS vulnerabilities Risk: Low Text:Hello list! As Ive announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordP...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120142
*** Google Picasa RAW Image Parsing Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55555
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56146
*** Hitachi Cosminexus Products XML External Entities Information Disclosure Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56142
*** IBM Security Access Manager for Enterprise Single Sign-On Security Issue and Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56176
*** Revive Adserver "what" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55963
*** Apache Santuario DTD Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029524
*** Apple Motion Memory Access Error Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029521
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 18-12-2013 18:00 − Donnerstag 19-12-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** IBM HTTP Server GSKit SSLv2 Session Resuming Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in IBM HTTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/56058
*** Tor use best practices ***
---------------------------------------------
To date the NSA's and FBI's primary attacks on Tor users have been MITM attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user's computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.
---------------------------------------------
http://digital-era.net/tor-use-best-practices/
*** New DDoS Bot Has a Fancy For Ferrets ***
---------------------------------------------
Researchers at Arbor Networks have discovered a new denial of service botnet called Trojan.Ferret.
---------------------------------------------
http://threatpost.com/new-ddos-bot-has-a-fancy-for-ferrets/103226
*** WordPress S3 Video Plugin "base" Cross-Site Scripting Vulnerability ***
---------------------------------------------
Input passed to the "base" GET parameter in wp-content/plugins/s3-video/views/video-management/preview_video.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is confirmed in version 0.96 and reported in versions prior to 0.983.
---------------------------------------------
https://secunia.com/advisories/56167
*** IrfanView GIF buffer overflow ***
---------------------------------------------
IrfanView is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when processing the LZW code stream within GIF files. By persuading a victim to open a specially-crafted GIF file containing an overly long LZW code stream, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89820
*** NovaTech Orion DNP3 Improper Input Validation Vulnerability ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the NovaTech Orion Substation Automation Platform. NovaTech has produced a firmware update that mitigates this vulnerability. The researchers have tested the firmware update to validate that it resolves the vulnerability.This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-352-01
*** IBM iNotes email message active content cross-site scripting ***
---------------------------------------------
IBM iNotes is vulnerable to cross-site scripting, caused by improper validation of active content within an email message. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or other sensitive information.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86594
*** IBM iNotes ultra-light mode persistent cross-site scripting ***
---------------------------------------------
IBM iNotes is vulnerable to cross-site scripting in the ultra-light mode, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject and execute malicious script in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or other sensitive information.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86595
*** SSA-742938 (Last Update 2013-12-17): Open Ports in SINAMICS S/G Firmware ***
---------------------------------------------
SSA-742938 (Last Update 2013-12-17): Open Ports in SINAMICS S/G Firmware
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** SA-CONTRIB-2013-098 - Ubercart - Session Fixation Vulnerability ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-098Project: Ubercart (third-party module)Version: 6.x, 7.xDate: 2013-12-18Security risk: Less criticalExploitable from: RemoteVulnerability: Session FixationDescriptionThe Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal.The module doesnt sufficiently protect against session fixation attacks when a user is automatically logged in to a newly created account during checkout.This vulnerability is mitigated by the fact that
---------------------------------------------
https://drupal.org/node/2158651
*** Researchers propose international vulnerability purchase plan ***
---------------------------------------------
In a bid to cut down on costs and eliminate potential misuse, NSS Labs has put forth an initiative imploring vendors to purchase vulnerabilities.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/I9nD_zWQzsI/
*** cURL Certificate Validation Flaw Lets Remote Users Spoof SSL Servers ***
---------------------------------------------
A vulnerability was reported in cURL. A remote user that can conduct a man-in-the-middle attack can spoof SSL servers.
The software does not properly verify the certificate CN or SAN name field in certain cases. A remote user that can conduct a man-in-the-middle attack can spoof SSL servers.
Systems that use GnuTLS as the TLS backend are affected.
Systems with digital signature verification (CURLOPT_SSL_VERIFYPEER) disabled are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029517
*** OpenJPEG Heap Overflows Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
Several vulnerabilities were reported in OpenJPEG. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.
A remote user can create a specially crafted image file that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target system [CVE-2013-6045, CVE-2013-6054]. The code will run with the privileges of the target user.
A remote user can create a specially crafted image file that, when loaded by the target user, will cause the application that uses openJPEG to crash [CVE-2013-1447, CVE-2013-6052].
---------------------------------------------
http://www.securitytracker.com/id/1029514
*** Splunk Enterprise Data Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
A vulnerability was reported in Splunk Enterprise. A remote user can cause denial of service conditions.
A remote user can send specially crafted data to cause the target server to become unavailable.
Systems configured as data 'receivers' on the listening or receiving port(s) are affected, including instances configured as indexers and forwarders configured as intermediate forwarders.
---------------------------------------------
http://www.securitytracker.com/id/1029519
*** Blog: Malware in metadata ***
---------------------------------------------
One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview.There are some things that I find every time I check my stats, like URLs that have been infected for more than 200 days, even being notified. That speaks of the lack of security awareness on some companies, and how
---------------------------------------------
http://www.securelist.com/en/blog/208214192/Malware_in_metadata
*** Factsheet Stop using Windows XP ***
---------------------------------------------
Microsoft will stop issuing Windows XP updates as of 8 April 2014. The operating system will receive the end-of-life status. The NCSC advises, together with DefCERT, Microsoft and Team High Tech Crime, to no longer use Windows XP, but to switch to another operating system.
---------------------------------------------
http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fact…
*** Cisco Unified Communications Manager Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the disaster recovery system (DRS) of Cisco Unified Communications Manager (UCM) could allow an authenticated, remote attacker to acquire sensitive information about DRS-related devices.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** [Announce] [security fix] GnuPG 1.4.16 released ***
---------------------------------------------
Along with the publication of an interesting new side channel attack by Daniel Genkin, Adi Shamir, and Eran Tromer we announce the availability of a new stable GnuPG release to relieve this bug: Version 1.4.16. [...] Whats New =========== * Fixed the RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack as described by Genkin, Shamir, and Tromer. See . [CVE-2013-4576]
---------------------------------------------
http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html
*** Acoustic Cryptanalysis ***
---------------------------------------------
This is neat: Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPGs current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/acoustic_crypta.html
*** Apache XML Security Transforms Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Apache XML Security, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library.
The vulnerability is caused due to an error when applying Transforms and can be exploited to exhaust memory resources and cause a crash.
The vulnerability is reported in versions prior to 1.5.6.
---------------------------------------------
https://secunia.com/advisories/55639
*** TRENDnet Multiple Products Telnet Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in multiple TRENDnet products, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to a certain undocumented functionality, which can be exploited to enable telnet management and subsequently manipulate device configuration.
---------------------------------------------
https://secunia.com/advisories/55890
*** Icinga Off-By-One and Buffer Overflow Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Icinga, which can be exploited by malicious users to potentially cause a DoS (Denial of Service) and compromise a vulnerable system.
1) Some boundary errors within the web interface when processing CGI parameters can be exploited to cause stack-based buffer overflows.
Successful exploitation of this vulnerability may allow execution of arbitrary code.
2) An off-by-one error within the "process_cgivars()" function can be exploited to cause an out of bounds read memory access.
The vulnerabilities are reported in versions prior to 1.10.2, 1.9.4, and 1.8.5.
---------------------------------------------
https://secunia.com/advisories/55987
*** Icinga Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Icinga, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions if a logged-in administrator visits a malicious web site.
The vulnerability is reported in version 1.10.2. Other versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/55990
*** A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools ***
---------------------------------------------
The over-hyped market valuation of the buzzing P2P E-currency, Bitcoin, quickly gained the attention of cybercriminals internationally who promptly adapted to its sky rocketing valuation by releasing commercially available stealth Bitcoin miners, Bitcoin wallet stealing malware, as well as actually starting to offer the source code for their releases in an attempt to monetize their know-how and expertise in this area. Throughout 2013, we profiled several subscription based stealth Bitcoin
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/nKXPdGwlKk4/
*** IBM Domino / iNotes Script Insertion and Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in IBM Domino and IBM iNotes, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/56164