=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 28-11-2013 18:00 − Friday 29-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Stealing Credit Cards - A WordPress and vBulletin Hack ***
---------------------------------------------
What better way to celebrate Thanksgiving than to share an interesting case that involves two of the most popular CMS applications out there - vBulletin and WordPress. Here is a real case that we just worked on this week, involving an attacker dead set on stealing credit card information. Enjoy! The Environment The client runs...
---------------------------------------------
http://blog.sucuri.net/2013/11/stealing-credit-cards-a-wordpress-and-vbulle…
*** JPEG Files Used For Targeted Attack Malware ***
---------------------------------------------
We recently came across some malware of the SOGOMOT and MIRYAGO families that update themselves in an unusual way: they download JPEG files that contain encrypted configuration files/binaries. Not only that, we believe that this activity has been ongoing since at least the middle of 2010. A notable detail of the malware we came across...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/l94pQWbJ28g/
*** Security Bulletin: IBM BladeCenter Advanced Management Module Account Information Exposure (CVE-2013-6718) ***
---------------------------------------------
An interface on the IBM BladeCenter Advanced Management Module (AMM) may expose user account names and passwords that have been configured on that AMM.
CVE(s): CVE-2013-6718
Affected product(s) and affected version(s): These IBM BladeCenter Advanced Management Module Firmware versions are affected: v3.64B (BPET64B, BBET64B, and BPEO64B), v3.64C (BPET64C, BBET64C, and BPEO64C), v3.64G (BPET64G, BBET64G, and BPEO64G). This applies to the following hardware products: BladeCenter
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Google Android com.android.settings Lets Local Applications Remove Device Locks ***
---------------------------------------------
http://www.securitytracker.com/id/1029410
*** Cisco IOS XR SNMP Memory Leak Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029408
*** Cisco IOS XE MPLS Processing Flaw Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029407
*** Joomla! All Video Share Component "avssearch" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55888
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55802
*** WordPress Highlight - Powerful Premium Theme Arbitrary File Upload Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55671
*** WordPress Store Locator Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55276
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 27-11-2013 18:00 − Thursday 28-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Fake 'October's Billing Address Code' (BAC) form themed spam campaign leads to malware ***
---------------------------------------------
Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October, in order for the Payroll Manager to proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, with the cybercriminal(s) behind them clearly interested in expanding the size of their botnet through good old fashioned 'casual social engineering' campaigns.
---------------------------------------------
http://www.webroot.com/blog/2013/11/27/fake-octobers-billing-address-code-b…
*** Sharik Back for More After Php.Net Compromise ***
---------------------------------------------
Sharik is a Trojan which injects itself into legitimate processes and adds registry entries for an added level of persistence. The infection also sends information about the victim's PC to a remote server. The threat can also receive commands from a known CnC server to download further malicious files.
---------------------------------------------
http://research.zscaler.com/2013/11/sharik-back-for-more-after-phpnet.html
*** ATM Traffic + TCPDump + Video = Good or Evil?, (Wed, Nov 27th) ***
---------------------------------------------
I was working with a client recently, working through the move of a Credit Union branch. In passing, he mentioned that they were looking at a new security camera setup, and the vendor had mentioned that it would need a SPAN or MIRROR port on the switch set up. At that point my antennae came online - SPAN or MIRROR ports set up a session where all packets from one switch port are "mirrored" to another switch port.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17111
*** Microsoft Security Advisory (2914486): Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege - Version: 1.0 ***
---------------------------------------------
Microsoft is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.
---------------------------------------------
http://technet.microsoft.com/en-ca/security/advisory/2914486
*** THOUSANDS of Ruby on Rails sites leave logins lying around ***
---------------------------------------------
A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins that don't realise a vulnerability exists in its default CookieStore session storage mechanism.
---------------------------------------------
http://www.theregister.co.uk/2013/11/28/thousands_of_ror_sites_leave_logins…
*** FakeAV + Ransomware = Windows Expert Console ***
---------------------------------------------
During the last months we have been talking mainly about police virus infections, and more recently about CryptoLocker, the new major ransomware family. However that doesn't mean that our good 'old friends' known as FakeAV aren't around.
---------------------------------------------
http://pandalabs.pandasecurity.com/fakeav-ransomware-windows-expert-console/
*** Linux Worm Targeting Hidden Devices ***
---------------------------------------------
Symantec has discovered a new Linux worm that appears to be engineered to target the 'Internet of things'. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras.
---------------------------------------------
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
*** You have a Skype voicemail. PSYCHE! It's just some fiendish Trojan-flinging spam ***
---------------------------------------------
A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns.
Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan.
---------------------------------------------
http://www.theregister.co.uk/2013/11/28/skype_voicemail_alert_spam_flings_z…
*** Microsoft Cybersecurity Report: Top 10 Most Wanted Enterprise Threats ***
---------------------------------------------
The latest report found that in the enterprise environment, on average about 11% of systems encountered malware, worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). The "encounter rate" is defined as the percentage of computers running Microsoft real-time security software that report detecting malware - typically resulting in a blocked installation of malware.
---------------------------------------------
http://blogs.technet.com/b/security/archive/2013/11/25/microsoft-cybersecur…
*** Quassel IRC Backlog Access Bypass Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55640
*** DSA-2804 drupal7 ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2804
*** DSA-2803 quagga ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2803
*** HP Service Manager and ServiceCenter Unspecified Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029400
*** Subversion mod_dontdothat Path Validation Flaw Lets Remote Users Bypass Security Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029402
*** Yahoo Open Redirect Vulnerability or "Designing vulnerabilities" ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110200
*** ownCloud Unspecified Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55792
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 26-11-2013 18:00 − Wednesday 27-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** The Season For Danger: Holiday Season Spam And Phishing ***
---------------------------------------------
For many, the holiday season is a season for shopping and spending. But cybercriminals see it in a different light: they see it as a prime opportunity to steal. Take, for example, online shopping. Malicious websites try to trick online shoppers into giving them their money instead of the legitimate shopping websites.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-season-for-d…
*** InMobi: Another Vulnaggressive Adware Opens Billions of JavaScript 'Sidedoors' on Android Devices ***
---------------------------------------------
FireEye mobile security researchers identified another new mobile threat, which we call 'JavaScript Sidedoors', which we discovered in the popular InMobi ad library. InMobi exposes dangerous behaviors such as making phone calls without user consent through JavaScript interfaces, which creates a 'sidedoor' for attackers to exploit by injecting malicious JavaScript through hijacking InMobi's HTTP traffic. ...
---------------------------------------------
http://www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-anothe…
*** Ruby on Rails CookieStore Vulnerability Plagues Prominent Websites ***
---------------------------------------------
Websites using an older version of Ruby on Rails, including Kickstarter and UrbanSpoon, remain vulnerable to a vulnerability in the framework's cookie storage mechanism.
---------------------------------------------
http://threatpost.com/ruby-on-rails-cookiestore-vulnerability-plagues-promi…
*** An Anti-Fraud Service for Fraudsters ***
---------------------------------------------
Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also "test buys" from security researchers, law enforcement and other meddlers.
---------------------------------------------
http://krebsonsecurity.com/2013/11/anti-fraud-service-for-fraudsters/
*** Security and policy surrounding bring your own devices (BYOD) ***
---------------------------------------------
As the proliferation of devices continues to capture the imagination of consumers, and has ignited what is referred to as bring your own device (BYOD) revolution, many IT departments across the globe are now facing increased security considerations. While organizations encourage BYOD for cost savings and productivity, it is also important to have robust security policies supporting BYOD.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/11/26/security-and-policy-surr…
*** Our protection metrics - October results ***
---------------------------------------------
Last month we introduced our monthly protection metrics and talked about our September results. Today, we'd like to talk about our results from October. If you want a refresh on the definition of the metrics we use in our monthly results, see our prior post: Our protection metrics - September results. During October 2013, while our rate of incorrect detections remained low, and our performance metrics stayed fairly consistent, the infection rate of 0.18 percent was higher in
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/26/our-protection-metrics-o…
*** White hat Wi-Fi hacking shows vulnerability of business data ***
---------------------------------------------
White hat hackers have shown that usernames, passwords, contact lists, details of e-commerce accounts and banking details can be sniffed easily from public Wi-Fi hotspots.
---------------------------------------------
http://www.computerweekly.com/news/2240209927/White-hat-Wi-Fi-hacking-shows…
*** Volatility 2.3 and FireEye's diskless, memory-only Trojan.APT.9002 ***
---------------------------------------------
FireEye's Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method, posted 10 NOV 2013, is specific to an attack that "loaded the payload directly into memory without first writing to disk." As such, this "will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods."
---------------------------------------------
http://holisticinfosec.blogspot.co.uk/2013/11/volatility-23-and-fireeyes-di…
*** Malware creation hits record-high numbers In 2013, according to PandaLabs Q3 Report ***
---------------------------------------------
Panda Security, The Cloud Security Company, has just published the results of its Quarterly Report for Q3 2013, drawn up by PandaLabs, the company's anti-malware laboratory. One of the main conclusions that can be drawn from this global study is that malware creation has hit a new record high, with nearly 10 million new strains identified so far this year.
---------------------------------------------
http://press.pandasecurity.com/news/malware-creation-hits-record-high-numbe…
*** Security Headers on the Top 1,000,000 Websites: November 2013 Report ***
---------------------------------------------
It has been almost exactly a year since we conducted the first top 1 million security headers report so it is a great time to re-run the analysis and see how well security header adoption is growing. As before, the latest Chrome and Firefox User-Agent strings were used to make requests to the top 1 million sites over both HTTP and HTTPS.
---------------------------------------------
https://www.veracode.com/blog/2013/11/security-headers-on-the-top-1000000-w…
*** Finding Cryptolocker Encrypted Files using the NTFS Master File Table ***
---------------------------------------------
For the most part, everyone seems to be familiar with the new variants of Cryptolocker making the rounds these days. To quickly summarize, this form of ransomware encrypts documents and pictures found on local and mapped network drives in an attempt to obtain payment for the decryption keys.
---------------------------------------------
http://securitybraindump.blogspot.ru/2013/11/finding-cryptolocker-encrypted…
*** Rogue that takes webcam pictures of you ***
---------------------------------------------
Recently we heard of a rogue fake antivirus that takes screenshots and webcam images in an attempt to further scare you into succumbing to its scam. We gathered a sample and sure enough, given some time it will indeed use the webcam and take a picture of what's in front of the camera at that time. This variant is called "Antivirus Security Pro" and it's as nasty as you can get.
---------------------------------------------
http://www.webroot.com/blog/2013/11/27/new-rogue-now-takes-screenshots/
*** Vuln: Drupal Core Image Module HTML Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63848
*** Xen Privileged Ring Access Flaw Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1029396
*** Debian Security Advisory DSA-2804 drupal7 ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2804
*** Debian Security Advisory DSA-2803 quagga ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2803
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 25-11-2013 18:00 − Tuesday 26-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Mysterious hijackings on the Internet ***
---------------------------------------------
Intelligence agencies do not need to tap the cable directly. The network services provider Renesys reports a marked increase in strange routing incidents in which network traffic is redirected through other countries, sometimes even other continents.
---------------------------------------------
http://www.heise.de/security/meldung/Raetselhafte-Entfuehrungen-im-Internet…
*** The Need for Incident Response ***
---------------------------------------------
On an average day in the UK more than 100 .co.uk domain websites are hacked according to the statistics in the Zone-h.org online database. Website hacks are increasing the volume of targeted attacks today.
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/11/the-need-for-incident-respons…
*** Fake tech support scam is trouble for legitimate remote help company ***
---------------------------------------------
Fraud victims mistake legitimate tech company for fraudsters.
---------------------------------------------
http://arstechnica.com/information-technology/2013/11/fake-tech-support-sca…
*** VBScript Malware SOYSOS Deletes CAD Files ***
---------------------------------------------
Cybercriminals can do just as much damage deleting users' data as stealing it because file deletion can result in both data or monetary loss. One example would be CryptoLocker, which became notorious for combining the two - demanding money with the threat of data destruction. We recently came across a malware, detected as VBS_SOYSOS, that deletes important image files including .DWG files.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/vbscript-malware…
*** Surge in "BlackShades" infections exposes machines worldwide to RAT ***
---------------------------------------------
Over the last two months, attackers have opted to spread the malware via the Neutrino exploit kit, researchers found.
---------------------------------------------
http://www.scmagazine.com/surge-in-blackshades-infections-exposes-machines-…
*** A Look At A Silverlight Exploit ***
---------------------------------------------
Recently, independent security researchers found that the Angler Exploit Kit had added Silverlight to their list of targeted software, using CVE-2013-0074. When we analyzed the available exploit, we found that in addition to CVE-2013-0074, a second vulnerability, CVE-2013-3896, was used in order to bypass ASLR.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-a-silv…
*** [Honeypot Alert] More PHP-CGI Scanning (apache-magika.c) ***
---------------------------------------------
In the past 24 hours, one of the WASC Distributed Web Honeypot participant's sensors picked up continued scanning for CVE-2012-1823 which is a vulnerability within PHP-CGI.
---------------------------------------------
http://blog.spiderlabs.com/2013/11/honeypot-alert-more-php-cgi-scanning-apa…
*** New Exploit Kit Atrax Boasts Tor Connectivity, Bitcoin Extraction ***
---------------------------------------------
Yet another commercial crimekit has been spotted making the rounds on the underground malware forums that uses the anonymity network Tor to stealthily communicate with its command and control servers.
---------------------------------------------
http://threatpost.com/new-exploit-kit-atrax-boasts-tor-connectivity-bitcoin…
*** The internet mystery that has the world baffled ***
---------------------------------------------
For the past two years, a mysterious online organisation has been setting the world's finest code-breakers a series of seemingly unsolvable problems. But to what end? Welcome to the world of Cicada 3301.
---------------------------------------------
http://www.telegraph.co.uk/technology/internet/10468112/The-internet-myster…
*** The Stuxnet duo: malicious siblings ***
---------------------------------------------
After three years of analysis, the German expert Ralph Langner has presented a final paper on Stuxnet. According to it, the cyber weapon consists of two pieces of malware, of which only the second became widely known - wrongly so, in Langner's view.
---------------------------------------------
http://www.heise.de/security/meldung/Das-Stuxnet-Duo-Boesartige-Geschwister…
*** Analysis: Online banking faces a new threat ***
---------------------------------------------
Neverquest supports just about every possible trick in online bank attacks. In light of Neverquest's self-replication capabilities, the number of users attacked could increase over a short period of time.
---------------------------------------------
http://www.securelist.com/en/analysis/204792315/Online_banking_faces_a_new_…
*** Catching up on IT security: EU parliamentarians fell into a hotspot trap ***
---------------------------------------------
All EU parliamentarians should now urgently change their passwords, demands an email from the IT department. It confirms that access passwords were spied out through attacks on the unsecured parliament Wi-Fi.
---------------------------------------------
http://www.heise.de/security/meldung/Nachholbedarf-bei-IT-Sicherheit-EU-Par…
*** How To Combat Online Surveillance ***
---------------------------------------------
Governments have transformed the internet into a surveillance platform, but they are not omnipotent. They're limited by material resources as much as the rest of us. We might not all be able to prevent the NSA and GCHQ from spying on us, but we can at least create more obstacles and make surveilling us more expensive. The more infrastructure you run, the safer the communication will be.
---------------------------------------------
http://theoccupiedtimes.org/?p=12362
*** Why Crimekit Atrax will attract attention ***
---------------------------------------------
CSIS researchers have observed the introduction of a new commercial crimekit being sold on several underground web forums. The kit is dubbed 'Atrax' and is both a cheap kit - it costs less than $250 for the main platform - and one that utilizes the TOR protocol for stealthy communication with the C&Cs from which it is intended to get instructions, updates and new modules.
---------------------------------------------
https://www.csis.dk/en/csis/blog/4103
*** Blackhole and Cool Exploit Kits Nearly Extinct ***
---------------------------------------------
When authorities in Russia arrested Paunch, the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six weeks later, it now appears that Blackhole is almost gone and the Cool exploit kit, another alleged creation of Paunch, has essentially disappeared, as well.
---------------------------------------------
http://threatpost.com/blackhole-and-cool-exploit-kits-nearly-extinct/103034
*** IBM WebSphere Application Server Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55870
*** WordPress Contact Form 7 3.5.2 Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110177
*** WordPress Pinboard Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110175
*** TPLINK WR740N / WR740ND Cross Site Request Forgery ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110181
*** NETGEAR ReadyNAS Perl Code Evaluation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110179
*** Vuln: HP LoadRunner Virtual User Generator CVE-2013-4837 Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63475
*** Bugtraq: Open-Xchange Security Advisory 2013-11-25 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530008
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 22-11-2013 18:00 − Monday 25-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Second Look at Stuxnet Reveals Older Dangerous Variant ***
---------------------------------------------
ICS expert Ralph Langner has thrown back the covers on Stuxnet, revealing a two-pronged attack intent not only on disrupting Iran's nuclear capabilities, but on flexing the attackers' muscle in building weaponized malware.
---------------------------------------------
http://threatpost.com/second-look-at-stuxnet-reveals-older-dangerous-varian…
*** Google fixes flaw in Gmail password reset process ***
---------------------------------------------
According to the researcher who discovered the bug, Google swiftly addressed the security issue, which could leave users' passwords vulnerable to theft.
---------------------------------------------
http://www.scmagazine.com/google-fixes-flaw-in-gmail-password-reset-process…
*** Five Years Old And Still On The Run: DOWNAD ***
---------------------------------------------
Five years ago, Conficker/DOWNAD was first seen and quickly became notorious due to how quickly it spread and how much damage it caused. Remarkably, after all that time, it's still alive. It can still pose a serious problem, as it can propagate to other systems on the same network as an infected machine - a factor that may explain its high rate of infection to this day.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/five-years-old-a…
*** Another Fake WordPress Plugin - And Yet Another SPAM Infection! ***
---------------------------------------------
We clean hundreds and thousands of infected websites, a lot of the cleanups can be considered to be somewhat "routine". If you follow our blog, you often hear us say we've seen "this" numerous times, we've cleaned "that" numerous times.
---------------------------------------------
http://blog.sucuri.net/2013/11/another-fake-wordpress-plugin-and-yet-anothe…
*** Top Security Predictions for 2014 ***
---------------------------------------------
As 2013 draws to a close, FireEye researchers are already looking ahead to 2014 and the shifting threat landscape. Expect fewer Java zero-day exploits and more browser-based ones. Watering-hole attacks may supplant spear-phishing attacks.
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/11/top-security-predictions-for-…
*** Port 0 DDOS, (Fri, Nov 22nd) ***
---------------------------------------------
Following on the stories of amplification DDOS attacks using Chargen, and stories of "booters" via Brian Krebs, I am watching with interest the increase in port 0 amplification DDOS attacks.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17081
*** Spam-Friendly Registrar 'Dynamic Dolphin' Shuttered ***
---------------------------------------------
The organization that oversees the Internet domain name registration industry last week revoked the charter of Dynamic Dolphin, a registrar that has long been closely associated with spam and cybercrime.
---------------------------------------------
http://krebsonsecurity.com/2013/11/spam-friendly-registrar-dynamic-dolphin-…
*** LG smart TV snooping extends to home networks, second blogger says ***
---------------------------------------------
A second blogger has published evidence that his LG-manufactured smart television is sharing sensitive user data with the Korea-based company, in a post that offers support for the theory that the snooping isn't isolated behavior that affects a small number of sets.
---------------------------------------------
http://arstechnica.com/security/2013/11/lg-smart-tv-snooping-extends-to-hom…
*** CryptoLocker gang teams with botnet-builders on ransomware ***
---------------------------------------------
The cyber-gang running the CryptoLocker extortion racket is sharing a big cut of any payments they squeeze out of their victims with criminal botnet owners working closely with them, says Symantec, which has been monitoring this underworld activity online.
---------------------------------------------
http://www.pcworld.com/article/2066741/cryptolocker-gang-teams-with-botnet-…
*** DSA-2802 nginx ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2802
*** DSA-2801 libhttp-body-perl ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2801
*** [webapps] - TPLINK WR740N/WR740ND - Multiple CSRF Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/29802
*** ImpressPages CMS 3.8 Stored XSS Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110168
*** Pirelli Discus DRG A125g Remote Change SSID Value Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110167
*** Google Gmail IOS Mobile Application - Persistent / Stored XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110170
*** Ruby Heap Overflow in Floating Point Parsing Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029388
*** Drupal Core Bugs Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and Open Redirect Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029386
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 21-11-2013 18:00 − Friday 22-11-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** DNP3 Implementation Vulnerability (Update A) ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk reported an improper input validation vulnerability to NCCIC/ICS-CERT that was evident in numerous slave and/or master station software products. The researchers emphasize that the vulnerability is not with the DNP3 stack but with the
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-291-01A
*** Facebook Vulnerability Discloses Friends Lists Defined as Private ***
---------------------------------------------
Researchers from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing the 'People You May Know' mechanism on Facebook, ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110157
*** Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability ***
---------------------------------------------
Topic: Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability
Risk: High
Text: Imperva uses hardened CentOS 5.4 to run its Web Application Firewall and Database Activity Monitoring products. It could be expl...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110158
*** Instagram for iOS Flattr account security bypass ***
---------------------------------------------
Instagram for iOS could allow a remote attacker to bypass security restrictions, caused by an implementation error when Instagram for iOS and Flattr are linked. An attacker could exploit this vulnerability by flattring photos, causing money from the user's account to be redirected.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89162
*** Instagram for iOS upload module file upload ***
---------------------------------------------
Instagram for iOS could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89160
*** prettyPhoto Cross-Site Scripting Vulnerability ***
---------------------------------------------
Input appended to the URL after /#!prettyPhoto/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is confirmed in version 3.1.4. Prior versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/55769
*** Security Bulletin: IBM iNotes Cross-Site Scripting Vulnerability (CVE-2013-0595) ***
---------------------------------------------
IBM iNotes versions 8.5.3 and 9.0 contain a cross-site scripting vulnerability. The fix for this issue is available starting in IBM Domino versions 8.5.3 Fix Pack 5 and 9.0.1.
CVE(s): CVE-2013-0595
Affected product(s) and affected version(s): IBM iNotes 9.0 IBM iNotes 8.5.3 through 8.5.3 Fix Pack 4
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** VU#893462: Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.9.4 build 2995 contains a code injection vulnerability ***
---------------------------------------------
Overview: Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability (CWE-94).
Description: CWE-94: Improper Control of Generation of Code (Code Injection)
---------------------------------------------
http://www.kb.cert.org/vuls/id/893462
*** Dovecot checkpassword-reply Security Bypass Security Issue ***
---------------------------------------------
A security issue has been reported in Dovecot, which can be exploited by malicious, local users to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54808
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 20-11-2013 18:00 − Thursday 21-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** EFF Scorecard Shows Crypto Leaders and Laggards ***
---------------------------------------------
The Electronic Frontier Foundation (EFF) released its Encrypt the Web Report demonstrating how much encryption leading Internet companies and service providers are deploying.
---------------------------------------------
http://threatpost.com/eff-scorecard-shows-crypto-leaders-and-laggards/102987
*** Tomcat worm jumps from server to server ***
---------------------------------------------
Symantec has discovered a worm that infects Apache's Java web server and spreads from server to server as a Java servlet. Infected machines are abused as DDoS launchers and proxies.
---------------------------------------------
http://www.heise.de/security/meldung/Tomcat-Wurm-springt-von-Server-zu-Serv…
*** Are large scale Man in The Middle attacks underway?, (Thu, Nov 21st) ***
---------------------------------------------
Renesys is reporting two separate incidents where they observed traffic for 1500 IP blocks being diverted for extended periods of time. They observed the traffic redirection for more than 2 months over the last year. Does it seem unusual for internet traffic between Ashburn Virginia (63.218.44.78) and Washington DC (63.234.113.110) to go through Russia to Belarus? That is exactly what they observed. Once traffic flows through your routers there are countless opportunities to capture and modify...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17075&rss
*** A look at security effectiveness by industry ***
---------------------------------------------
BitSight analyzed security ratings for over 70 Fortune 200 companies in four industries - energy, finance, retail and technology. The objective was to uncover quantifiable differences in security effectiveness and performance across industries from October 2012 through September 2013.
---------------------------------------------
http://www.net-security.org/secworld.php?id=15991
*** 5 Considerations For Post-Breach Security Analytics ***
---------------------------------------------
Preparing collection mechanisms ahead of time, preserving chain of custody on forensics data, and performing focused analysis all key in inspecting security data after a compromise
---------------------------------------------
http://www.darkreading.com/5-considerations-for-post-breach-securit/2401641…
*** EMC Document Sciences xPression cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89073
*** SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2013-003
Project: Drupal core
Version: 6.x, 7.x
Date: 2013-November-20
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description: Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7): Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any...
---------------------------------------------
https://drupal.org/SA-CORE-2013-003
*** SA-CONTRIB-2013-096 - Entity reference - Access bypass ***
*** SA-CONTRIB-2013-095 - Organic Groups - Access bypass ***
*** SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS) ***
*** SA-CONTRIB-2013-093 - Invitation - Access Bypass ***
---------------------------------------------
https://drupal.org/node/2140237
https://drupal.org/node/2140217
https://drupal.org/node/2140123
https://drupal.org/node/2140097
*** Vuln: SAP NetWeaver SHSTI_UPLOAD_XML() Function XML External Entity Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63779
*** Vuln: SAP NetWeaver Logviewer Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/58615
*** Vuln: SAP NetWeaver SAP Portal URI Redirection Weakness ***
---------------------------------------------
http://www.securityfocus.com/bid/63783
*** Vuln: SAProuter NI Route Message Handling Heap Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/60054
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Master Data Management - Collaborative Edition (CVE-2013-0478, CVE-2013-0477) ***
---------------------------------------------
IBM InfoSphere Master Data Management - Collaborative Edition versions 10.1, 10.0 and IBM InfoSphere Master Data Management Server for Product Information Management versions 9.1, 9.0, 6.0 are vulnerable to cross-site scripting and content spoofing. CVE(s): CVE-2013-0477, and CVE-2013-0478 Affected product(s) and affected version(s): IBM InfoSphere Master Data Management - Collaborative Edition Versions 10.1 and 10.0 IBM InfoSphere Master Data Management Server for Product Information...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** SKIDATA RFID Freemotion.Gate Unauthenticated Web Service Arbitrary Remote Command Execution ***
---------------------------------------------
Title: SKIDATA RFID Freemotion.Gate Unauthenticated Web Service Arbitrary Remote Command Execution
Product: Freemotion.Gate
Vendor: SKIDATA, http://www.skidata.com/en/
Vulnerable Versions: 4.1.3.5 and likely all prior versions.
---------------------------------------------
http://www.keepingkidsonshred.com/2013/11/skidata-rfid-freemotiongate.html
*** Splunk Cross-Site Scripting Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55774
*** WHMCS "unserialize()" PHP Code Execution and Multiple Unspecified Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55717
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 19-11-2013 18:00 − Wednesday 20-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** New variant of Android ransomware "Fake Defender" surfaces ***
---------------------------------------------
Symantec researchers believe the malicious app is a variant of "Fake Defender," malware used in earlier ransomware scams.
---------------------------------------------
http://www.scmagazine.com/new-variant-of-android-ransomware-fake-defender-s…
*** Google Extends Scope of External Bug Bounty ***
---------------------------------------------
Google has expanded the bounds of its Patch Rewards Program to include open source components of Android, Apache, Sendmail, OpenVPN and other services.
---------------------------------------------
http://threatpost.com/google-extends-scope-of-external-bug-bounty/102962
*** TrustKeeper Scan Engine Update - November 14, 2013 ***
---------------------------------------------
It's time again for another TrustKeeper Scan Engine update. This release contains over 30 new tests for vulnerabilities in Cisco ASA/IOS, JIRA, jQuery, Microsoft Windows, Oracle Database/MySQL, and more. This release also contains default credential checks for both WordPress and Cisco ASA SSL VPN (aka AnyConnect).
---------------------------------------------
http://blog.spiderlabs.com/2013/11/trustkeeper-scan-engine-update-november-…
*** VU#295276: Adobe ColdFusion is vulnerable to cross-site scripting via the logviewer directory ***
---------------------------------------------
Adobe ColdFusion 10 update 11 and possibly earlier versions contain a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML content (including script) within the /logviewer/ directory.
The vulnerability requires using a relative path, although there is no directory traversal vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/295276
*** Understanding Google's Blacklist: Cleaning Your Hacked Website and Removing It From the Blacklist ***
---------------------------------------------
Today we found an interesting case where Google was blacklisting a client's site but not sharing the reason why. The fact that they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to...
---------------------------------------------
http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-you…
*** Searching live memory on a running machine with winpmem, (Wed, Nov 20th) ***
---------------------------------------------
Winpmem may appear to be a simple memory acquisition tool, but it is really much more. One of my favorite parts of Winpmem is that it has the ability to analyze live memory on a running computer. Rather than dumping the memory and analyzing it in two separate steps, you can search memory on a running system.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17063
*** Netflixers Beware: Angler Exploit Kit Targets Silverlight Vulnerability ***
---------------------------------------------
Developers behind the Angler Exploit Kit have added a new exploit over the last week that leverages a vulnerability in Microsoft's Silverlight framework.
---------------------------------------------
http://threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverli…
*** Mobile threats in October 2013 ***
---------------------------------------------
In 2013, Russian anti-virus company Doctor Web started using a new system to collect statistics, so that it could promptly obtain information about the malicious applications that are threatening Google Android. An analysis of the data collected in October showed that the Dr.Web resident monitor under Android detected malware about 11 million times, and over 4 million threats to Android were detected by the scanner. These figures correspond to data obtained in September 2013.
---------------------------------------------
http://news.drweb.com/show/?i=4061&lng=en&c=9
*** Repeated attacks hijack huge chunks of Internet traffic, researchers warn ***
---------------------------------------------
Man-in-the-middle attacks divert data on scale never before seen in the wild.
---------------------------------------------
http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks…
*** US police department pays $750 Cryptolocker Trojan ransom demand ***
---------------------------------------------
A US police department was so determined to get back important files that had been encrypted by the rampaging Cryptolocker Trojan it decided to pay the sizable ransom being demanded by the criminals.
---------------------------------------------
http://news.techworld.com/security/3489937/us-police-department-pays-750-cr…
*** Backup the best defense against (Cri)locked files ***
---------------------------------------------
Crilock - also known as CryptoLocker - is one notorious ransomware that's been making the rounds since early September. Its primary payload is to target and encrypt your files, such as your pictures and Office documents. All of the file types that can be encrypted are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/19/backup-the-best-defense-…
*** JBoss Attacks Up Since Exploit Code Disclosure ***
---------------------------------------------
Researchers at Imperva have detected a surge in attacks against webservers running JBoss Application Server since the public disclosure of exploit code last month.
---------------------------------------------
http://threatpost.com/jboss-attacks-up-since-exploit-code-disclosure/102971
*** [webapps] - Ruckus Wireless Zoneflex 2942 Wireless Access Point - Authentication Bypass ***
---------------------------------------------
http://www.exploit-db.com/exploits/29709
*** nginx URI Parsing Flaw Lets Remote Users Bypass Security Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029363
*** PayPal Billsafe Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110142
*** EMC Document Sciences xPression XSS / CSRF / Redirect / SQL Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110139
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 18-11-2013 18:00 − Tuesday 19-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Am I Sending Traffic to a "Sinkhole"?, (Mon, Nov 18th) ***
---------------------------------------------
It has become common practice to set up "Sinkholes" to capture traffic sent by infected hosts to command and control servers. These Sinkholes are usually established after a malicious domain name has been discovered and registrars have agreed to redirect the respective NS records to a specific name server configured by the entity operating the Sinkhole. More recently, for example, Microsoft gained court orders to take over...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17048
*** Google Completes Upgrade of its SSL Certificates to 2048-Bit RSA ***
---------------------------------------------
Google announced today it has completed upgrading all of its SSL certificates to 2048-bit RSA or better, up from 1024.
---------------------------------------------
http://threatpost.com/google-completes-upgrade-of-its-ssl-certificates-to-2…
*** Facebook URL redirection vulnerability patched ***
---------------------------------------------
A Facebook URL redirection vulnerability discovered last week was patched just a day after a blog post detailing the bug went live.
---------------------------------------------
http://www.scmagazine.com//facebook-url-redirection-vulnerability-patched/a…
*** Winpmem - Mild mannered memory acquisition tool??, (Tue, Nov 19th) ***
---------------------------------------------
There should be little argument that with today's threats you should always acquire a memory image when dealing with any type of malware. Modern desktops can have 16 gigabytes of RAM or more filled with evidence that is usually crucial to understanding what was happening on that machine. Failure to acquire that memory will make analyzing the other forensic artifacts difficult or in some cases impossible. Chad Tilbury (@chadtilbury) recently told me about a new memory acquisition tool that I want...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17054&rss
*** Old JBoss vuln in the wild, needs patching ***
---------------------------------------------
Remote code execution, the usual thing. JBoss sysadmins need to get busy hardening their systems, with a rising number of attacks against the system, according to Imperva.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/11/19/old_jboss_v…
*** Cybercriminals spamvertise tens of thousands of fake "Sent from my iPhone" themed emails, expose users to malware ***
---------------------------------------------
Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that's been "Sent from an iPhone". The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we've been monitoring for a while to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign. Detection rate for the spamvertised...
---------------------------------------------
http://www.webroot.com/blog/2013/11/19/cybercriminals-spamvertise-tens-thou…
*** A .BIT Odd ***
---------------------------------------------
Like many security researchers, I see a lot of new malicious sites every week, far too many in fact. One thing that sets security researchers apart is that we can see a top-level domain (TLD) like .cc and recall instantly that it belongs to the Cocos Islands in the Indian Ocean, with a tiny population,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rFeNuxSPHUg/
*** Vuln: Chainfire SuperSU CVE-2013-6775 Arbitrary Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63715
*** Vuln: Multiple Android Superuser Packages CVE-2013-6769 Arbitrary Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63712
*** Opera Unspecified Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55720
*** Network Security Services (NSS) Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55557
*** Vuln: MIT Kerberos 5 CVE-2013-6800 Remote Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63770
*** Elastix Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55739
*** Splunk Test Scripts Let Remote Authenticated Users Execute Arbitrary Shell Scripts on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1029316
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 15-11-2013 18:00 − Monday 18-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Password hack of vBulletin.com fuels fears of in-the-wild 0-day attacks ***
---------------------------------------------
Hacks on sites using the widely used forum software spread to its maker.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/FIA9t0-8N04/story01…
*** BKDR_SHIZ Responsible For SAP Attacks, And More ***
---------------------------------------------
There have been recent reports of malware that targeted SAP users for information theft. We detect this threat as BKDR_SHIZ.TO, and it belongs to a malware family that has been detected since 2010. So far, this particular family has received little attention, but its targeting of SAP applications has raised its profile considerably. So what...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/O578f6Dl3Js/
*** Exploiting the Supermicro Onboard IPMI Controller ***
---------------------------------------------
Last week @hdmoore published the details of several vulnerabilities in the Supermicro IPMI firmware. With the advisory's release, several modules landed in Metasploit to check Supermicro devices against several of the published vulnerabilities.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/15/exploitin…
*** Explaining and Speculating About QUANTUM ***
---------------------------------------------
Nicholas Weaver has a great essay explaining how the NSA's QUANTUM packet injection system works, what we know it does, what else it can possibly do, and how to defend against it. Remember that while QUANTUM is an NSA program, other countries engage in these sorts of attacks as well. By securing the Internet against QUANTUM, we protect ourselves against...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/11/explaining_and.html
*** Various Schneier Audio and Video Talks and Interviews ***
---------------------------------------------
News articles about me (or with good quotes by me). My talk at the IETF Vancouver meeting on NSA and surveillance. I'm the first speaker after the administrivia. Press articles about me and the IETF meeting. Other video interviews with me....
---------------------------------------------
https://www.schneier.com/blog/archives/2013/11/various_schneie.html
*** Sagan as a Log Normalizer, (Sat, Nov 16th) ***
---------------------------------------------
"Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that runs under *nix operating systems (Linux/FreeBSD/OpenBSD/etc)."[1] Sagan is a log analysis engine that uses rules with the same basic structure as Snort rules. The alerts can be written to a Snort IDS/IPS database in the Unified2 file format using Barnyard2. This means the alerts can be read using Sguil, BASE or SQueRT, to name a few. It is easy to set up, just need to
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17039&rss
*** SpiderLabs Radio November 15, 2013 w/ Space Rogue ***
---------------------------------------------
This week's episode of SpiderLabs Radio hosted by Space Rogue is brought to you by Trustwave SpiderLabs and features stories about Stuxnet on ISS, Facebook scans for Adobe, MacRumours, SEA hits Vice, bitcash.cz, Cracked gets cracked, Loyaltybuild, No Nukes in JP, OWASP AppSec USA, SR's Last SLR and more! Listen to SpiderLabs radio in iTunes. Or you can download the MP3 file directly here. Or listen right from your browser with this embedded player.
---------------------------------------------
http://blog.spiderlabs.com/2013/11/spiderlabs-radio-november-15-2013-w-spac…
*** Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool ***
---------------------------------------------
Telephony Denial of Service attacks (TDoS) continue to represent a growing market segment within the Russian/Eastern European underground market, with more vendors populating it with propositions for products and services aiming to disrupt the phone communications of prospective victims. From purely malicious in-house infrastructure - dozens of USB hubs with 3G USB modems using fraudulently obtained, non-attributable SIM cards - to abuse of legitimate infrastructure, like Skype, ICQ, a...
---------------------------------------------
http://www.webroot.com/blog/2013/11/15/vendor-tdos-productsservices-release…
*** Bugtraq: Cross-Site Scripting (XSS) in Tweet Blender Wordpress Plugin ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529853
*** Vuln: GnuTLS libdane/dane.c CVE-2013-4487 Incomplete Fix Remote Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63469
*** MS13-095 - Important : Vulnerability in Digital Signatures Could Allow Denial of Service (2868626) - Version: 1.0 ***
---------------------------------------------
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service when an affected web service processes a specially crafted X.509 certificate.
---------------------------------------------
http://technet.microsoft.com/en-gb/security/bulletin/ms13-095
*** SAP Netweaver Web Application Server J2EE SAP Portal Redirection Weakness ***
*** SAP Netweaver DataCollector and JavaDumpService Servlets Multiple Cross-Site Scripting Vulnerabilities ***
*** SAP NetWeaver Input Validation Flaw in SRTT_GET_COUNT_BEFORE_KEY_RFC Function Lets Remote Authenticated Users Inject SQL Commands ***
---------------------------------------------
https://secunia.com/advisories/55778
https://secunia.com/advisories/55777
http://www.securitytracker.com/id/1029352
*** gitlab-shell Multiple Vulnerabilities ***
*** GitLab API Access Security Bypass Security Issue ***
---------------------------------------------
https://secunia.com/advisories/55683
https://secunia.com/advisories/55691
*** IBM Tivoli System Automation Application Manager Java Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55794
*** Foreman Host and Host Group SQL Injection Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55722
*** [webapps] - ManageEngine DesktopCentral 8.0.0 build 80293 - Arbitrary File Upload Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/29674
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 14-11-2013 18:00 − Friday 15-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Blog: The rush for CVE-2013-3906 - a hot commodity ***
---------------------------------------------
Two days ago FireEye reported that the recent CVE-2013-3906 exploit has begun to be used by new threat actors other than the original ones. The new infected documents share similarities with previously detected exploits but carry a different payload. This time these exploits are being used to deliver Taidoor and PlugX backdoors, according to FireEye.
---------------------------------------------
http://www.securelist.com/en/blog/208214158/The_rush_for_CVE_2013_3906_a_ho…
*** CVE-2012-1889 is still alive! ***
---------------------------------------------
In Zscaler's daily scanning, we identified an instance where CVE-2012-1889 (MSXML Uninitialized Memory Corruption Vulnerability) is still alive. Let's take a look.
---------------------------------------------
http://research.zscaler.com/2013/11/cve-2012-1889-is-still-alive.html
*** Febipos for Internet Explorer ***
---------------------------------------------
In a previous blog post we discussed Trojan:JS/Febipos.A, a malicious browser extension that targets the Facebook profiles of Google Chrome and Mozilla Firefox users. We recently came across a new Febipos sample that was specifically developed for Internet Explorer - we detect it as Trojan:Win32/Febipos.B!dll.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/14/febipos-for-internet-exp…
*** Linux backdoor squirts code into SSH to keep its badness buried ***
---------------------------------------------
Fokirtor! It LOOKED like legitimate traffic...
Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems.
---------------------------------------------
http://www.theregister.co.uk/2013/11/15/stealthy_linux_backdoor/
*** Mobile Pwn2Own: Internet Explorer 11 cracked, Chrome already patched ***
---------------------------------------------
The Chrome flaw used by Pinkie Pie has since been closed by Google. Meanwhile, researchers from the Zero Day Initiative succeeded in taking over Internet Explorer 11 on a Surface Pro.
---------------------------------------------
http://www.heise.de/security/meldung/Mobile-Pwn2Own-Internet-Explorer-11-ge…
*** Blog: AutoCAD - new platform for start page Trojans ***
---------------------------------------------
In China, start page Trojans have become a popular type of malware because by changing users' browser start pages to point to some navigation site, the owner of the site can get a large amount of web traffic, which can then be converted into large sums of money. In order to spread such Trojans as broadly as possible, Trojan authors have even turned their sights to AutoCAD.
---------------------------------------------
http://www.securelist.com/en/blog/8141/AutoCAD_new_platform_for_start_page_…
*** Research Into BIOS Attacks Underscores Their Danger ***
---------------------------------------------
For three years, Dragos Ruiu has attempted to track down a digital ghost in his network, whose presence is only felt in strange anomalies and odd system behavior. The anomalies ranged from system instability, to "bricked" USB sticks and data seemingly modified on the fly, according to online posts.
---------------------------------------------
http://www.darkreading.com/advanced-threats/research-into-bios-attacks-unde…
*** Eight Security Predictions for 2014 ***
---------------------------------------------
2013 was not an easy year in cybersecurity and we expect 2014 attacks will be even more complex. In a new report out today, Websense Security Labs researchers collectively outlined eight predictions and recommendations for 2014.
---------------------------------------------
http://community.websense.com/blogs/securitylabs/archive/2013/11/14/eight-s…
*** The Security Impact of HTTP Caching Headers, (Fri, Nov 15th) ***
---------------------------------------------
Earlier this week, an update for Media-Wiki fixed a bug in how it used caching headers. The headers allowed authenticated content to be cached, which may lead to sessions being shared between users using the same proxy server. I think this is a good reason to talk a bit about caching in web applications and why it is important for security.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17033&rss
*** Google Chrome for Android Multiple Memory Corruption Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55744
*** Nagios XI "tfPassword" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55695
*** VMSA-2013-0013 ***
---------------------------------------------
VMware Workstation host privilege escalation vulnerability
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2013-0013.html
*** Cisco IOS CSG Parse Error Drop Function Flaw Lets Remote Users Bypass Access Controls ***
---------------------------------------------
http://www.securitytracker.com/id/1029342
*** Cisco ASA IPv6 NAT Bug Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029341
*** mod_nss FakeBasicAuth authentication bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110110
*** APPLE-SA-2013-11-14-1 iOS 7.0.4 ***
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2013/Nov/msg00000.ht…
*** Security Bulletin: IBM Platform Cluster Manager Standard Edition (CVE-2013-2251 CVE-2013-2248 CVE-2013-2135 CVE-2013-2134 CVE-2013-2115 CVE-2013-1966 CVE-2013-1965 CVE-2013-4310) ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 13-11-2013 18:00 − Thursday 14-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Stanford Metaphone Project Aims to Show Dangers of Metadata Collection ***
---------------------------------------------
When the first NSA surveillance story broke in June, about the agency's collection of phone metadata from Verizon, most people likely had never heard the word metadata before. Even some security and privacy experts weren't sure what the term encompassed, and now a group of security researchers at Stanford have started a new project to collect data from Android users to see exactly how much information can be drawn from the logs of phone calls and texts.
---------------------------------------------
http://threatpost.com/stanford-metaphone-project-aims-to-show-dangers-of-me…
*** Thunderbird gives a false sender the seal of authenticity ***
---------------------------------------------
Digital signatures are supposed to ensure that the sender of an e-mail can be trusted. However, Thunderbird handles signed e-mails so clumsily that a false sender can be faked.
---------------------------------------------
http://www.heise.de/security/meldung/Thunderbird-gibt-falschem-Absender-das…
*** Unusual BHEK-Like Spam With Attachment Found ***
---------------------------------------------
Soon after Paunch was arrested, we found that the flow of spam campaigns going to sites with the Blackhole Exploit Kit (BHEK) had slowed down considerably. Instead, we saw an increase in messages with a malicious attachment.
Recently, however, we came across rather unusual spam samples that combine characteristics of both attacks.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/unusual-bhek-lik…
*** Mobile Pwn2Own: Galaxy S4 and iOS hacked ***
---------------------------------------------
On the first day of the Mobile Pwn2Own competition in Tokyo, a security vulnerability was demonstrated on Samsung's Galaxy S4 that makes it possible to install arbitrary apps. Chinese hackers demonstrated vulnerabilities in Safari under iOS 6.1.4 and 7.0.3.
---------------------------------------------
http://www.heise.de/security/meldung/Mobile-Pwn2Own-Galaxy-S4-und-iOS-gehac…
*** Analysis: IT Threat Evolution: Q3 2013 ***
---------------------------------------------
IT Threat Evolution: Q3 2013
Targeted Attacks / APT
Malware Stories
Web security and data breaches
Mobile malware
---------------------------------------------
http://www.securelist.com/en/analysis/204792312/IT_Threat_Evolution_Q3_2013
*** A-DOH!-BE hack: Facebook warns users whose logins were spilled ***
---------------------------------------------
Facebook is using a list of hacked Adobe accounts posted by the miscreants themselves to warn its own customers about password reuse.
---------------------------------------------
http://www.theregister.co.uk/2013/11/14/facebook_adobe_password_leak_warnin…
*** New OSX/Crisis or Business Cards Gone Wild ***
---------------------------------------------
In these days of computer conspiracies, the Mac is not left out. A new variant of Remote Control System, Hacking Team's spyware, landed on VirusTotal with a detection rate of 0 out of 47 scanners. RCS, also known as OSX/Crisis, is an expensive rootkit used by governments during targeted attacks.
---------------------------------------------
http://www.intego.com/mac-security-blog/new-osx-crisis-business-cards-gone-…
*** Cracked.com Serving Malware in Drive-By Downloads ***
---------------------------------------------
The popular humor website, Cracked[dot]com, reportedly hosted malware that infected the machines of its visitors over the weekend and may still be doing so, according to Barracuda Labs research.
---------------------------------------------
http://threatpost.com/cracked-com-serving-malware-in-drive-by-downloads/102…
*** eGroupware HTML File Uploads Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54368
*** LastPass Android Container PIN / Auto-Wipe Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110101
*** IBM Multiple Storage Products Apache Struts Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55706
*** SA-CONTRIB-2013-091 - Groups, Communities and Co (GCC) - Access Bypass ***
---------------------------------------------
Remote Vulnerability: Access bypass. Description: This module enables you to manage groups and assign content and users to groups. The module doesn't sufficiently check permissions on some of the configuration pages, allowing unprivileged users to access the roles and permissions pages of the GCC module. CVE
---------------------------------------------
https://drupal.org/node/2135267
*** SA-CONTRIB-2013-090 - Revisioning - Access Bypass ***
---------------------------------------------
Remote Vulnerability: Access bypass. Description: This module enables you to create content publication workflows whereby one version of the content is "live" (publicly visible), while another is being edited and moderated privately until found fit for publication. The module doesn't sufficiently apply node access permissions
---------------------------------------------
https://drupal.org/node/2135257
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 12-11-2013 18:00 − Wednesday 13-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Summary for November 2013 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for November 2013. With the release of the security bulletins for November 2013, this bulletin summary replaces the bulletin advance notification originally issued November 7, 2013.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms13-nov
*** Blog: Sinkholing the Hlux/Kelihos botnet - what happened? ***
---------------------------------------------
Back in March 2012 we teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in disabling the second version of the Hlux/Kelihos-Botnet. Now we thought it would be a good time for an update on what has happened to that sinkhole-server over the last 19 months.
---------------------------------------------
http://www.securelist.com/en/blog/208214147/Sinkholing_the_Hlux_Kelihos_bot…
*** Microsoft Warns Customers Away From SHA-1 and RC4 ***
---------------------------------------------
The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said that it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm.
---------------------------------------------
http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102…
*** Introducing Enhanced Mitigation Experience Toolkit (EMET) 4.1 ***
---------------------------------------------
In June 2013, we released EMET 4.0 and customer response has been fantastic. Many customers across the world now include EMET as part of their defense-in-depth strategy and appreciate how EMET helps businesses prevent attackers from gaining access to computer systems. Today, we're releasing a new version, EMET 4.1, with updates that simplify configuration and accelerate deployment.
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2013/11/12/introducing-enhanced-miti…
*** Adobe Patches Flash, ColdFusion Flaws Unrelated to Breach ***
---------------------------------------------
Adobe patched critical vulnerabilities in its Flash Player and ColdFusion Web application server; the company said the bugs are unrelated to the recent breach and source code theft.
---------------------------------------------
http://threatpost.com/adobe-patches-flash-coldfusion-flaws-unrelated-to-bre…
*** Simulated attacks give London banks a trial run in readiness ***
---------------------------------------------
The planned event, called "Waking Shark II," marks the second year the city of London had participated in the security preparedness exercises.
---------------------------------------------
http://www.scmagazine.com//simulated-attacks-give-london-banks-a-trial-run-…
*** November Patch Tuesday Addresses New IE Zero-Day Exploit, But TIFF Vulnerability Still Unpatched ***
---------------------------------------------
It's worth noting that another recent TIFF-related zero-day that we discussed has not been patched as part of this month's update, so the recommendations and work-arounds that were suggested at that time remain in effect.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/november-patch-t…
*** Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits ***
---------------------------------------------
Sharing is caring. In this post, I'll put the spotlight on a currently circulating, massive - thousands of sites affected - malicious iframe campaign that attempts to drop malicious software on the hosts of unaware Web site visitors through a cocktail of client-side exploits. The campaign, featuring a variety of evasive tactics that make it harder to analyze, continues to efficiently pop up on thousands of legitimate Web sites.
---------------------------------------------
http://www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-…
*** Cross-site scripting vulnerabilities in EMC Documentum eRoom ***
---------------------------------------------
Due to improper input validation, Documentum eRoom suffers from multiple cross-site scripting vulnerabilities, which allow an attacker to steal other users' sessions, to impersonate other users and to gain unauthorized access to documents hosted in eRooms.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** BlackBerry Patches Remote Access Feature Vulnerable to Exploit ***
---------------------------------------------
BlackBerry patched two serious vulnerabilities in its BlackBerry Link product.
---------------------------------------------
http://threatpost.com/blackberry-patches-remote-access-feature-vulnerable-t…
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55478
*** Red Hat Network Satellite Server Grants Administrative Access to Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1029331
*** JunOS 11.4 Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110085
*** FortiAnalyzer 5.0.4 - CSRF Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/29550
*** Security Bulletin: Potential Security Vulnerability fixed in WebSphere Virtual Enterprise (CVE-2013-5425) ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 11-11-2013 18:00 − Tuesday 12-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** ActiveX Control issue being addressed in Update Tuesday ***
---------------------------------------------
Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publicly disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in 'Bulletin 3', which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS).
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-be…
*** Samsung, Nokia say they don't know how to track a powered-down phone ***
---------------------------------------------
Back in July 2013, The Washington Post reported that nearly a decade ago, the National Security Agency developed a new technique that allowed spooks to find cellphones even when they were turned off.
---------------------------------------------
http://arstechnica.com/security/2013/11/samsung-nokia-say-they-dont-know-ho…
*** Chinese Bitcoin exchange shutters, taking £2.5 MEEELION ***
---------------------------------------------
Another one Bits the dust... Chinese Bitcoin exchange GBL has shut down, taking with it over 25 million yuan ($US4.1m) of investors' money, in another warning to those who don't look before they leap with the digital currency.
---------------------------------------------
http://www.theregister.co.uk/2013/11/12/bitcoin_gbl_hong_kong_collapse/
*** MSRT November 2013 - Napolar ***
---------------------------------------------
We first noticed the new family we named Win32/Napolar being distributed in the wild in early August this year. It quickly became a big problem on our customers' machines. Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/12/msrt-november-2013-napol…
*** GCHQ Used Fake LinkedIn Pages to Target Engineers ***
---------------------------------------------
The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn, the professional networking site. The pages looked the way they always did, and they didn't take any longer than usual to load.
---------------------------------------------
http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-…
*** Smartphone PIN revealed by camera and microphone ***
---------------------------------------------
The PIN for a smartphone can be revealed by its camera and microphone, researchers have warned. Using a programme called PIN Skimmer a team from the University of Cambridge found that codes entered on a number-only soft keypad could be identified.
---------------------------------------------
http://www.bbc.co.uk/news/technology-24897581
*** A Peek Inside a Customer-ized API-enabled DIY Online Lab for Generating Multi-OS Mobile Malware ***
---------------------------------------------
The exponential growth of mobile malware over the last couple of years can be attributed to a variety of growth factors, the majority of which continue to play an inseparable role in the overall success and growth of the cybercrime ecosystem in general.
---------------------------------------------
http://ddanchev.blogspot.co.uk/2013/11/a-peek-inside-customer-ized-api-enab…
*** Cyber Attack on Finland is a Warning for the EU ***
---------------------------------------------
A highly sophisticated multi-year cyber attack targeting Finland's diplomatic communications is likely to have been replicated against other EU and Western countries.
---------------------------------------------
http://www.chathamhouse.org/media/comment/view/195392?
*** Selfish Miners Could Exploit P2P Nature of Bitcoin Network ***
---------------------------------------------
While researchers and academics are just at the beginning of the process of trying to judge the value of a recent paper on a vulnerability in the Bitcoin protocol, some are arguing that there is a smaller point that's being missed in all of the back and forth: There is a problem with the peer-to-peer set-up of the Bitcoin network that could be exploited for profit.
---------------------------------------------
http://threatpost.com/selfish-miners-could-exploit-p2p-nature-of-bitcoin-ne…
*** Vuln: strongSwan CVE-2013-6075 Authorization Security Bypass and Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63489
*** FOSCAM IP-Cameras SSID cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/88629
*** Belkin NetCam Wifi Camera Hardcoded Credentials ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110079
*** WordPress Curvo Themes - Arbitrary code execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110081
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 08-11-2013 18:00 − Monday 11-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** New IE Zero-Day found in Watering Hole Attack ***
---------------------------------------------
FireEye Labs has identified a new IE zero-day exploit hosted on a breached website based in the U.S. It's a brand new IE zero-day that compromises anyone visiting a malicious website: a classic drive-by download attack. The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution.
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-wate…
FOLLOW-UP:
*** Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method ***
---------------------------------------------
Recently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic Web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy.
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephe…
*** No Patch Tuesday update for Microsoft zero-day vulnerability ***
---------------------------------------------
Microsoft is preparing eight fixes for next week's upcoming Nov. 12 Patch Tuesday, but an update for a recently discovered zero-day vulnerability is not one of them.
---------------------------------------------
http://www.scmagazine.com/no-patch-tuesday-update-for-microsoft-zero-day-vu…
*** Case Study: Analyzing a WordPress Attack - Dissecting the webr00t cgi shell - Part I ***
---------------------------------------------
November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not so safe attempts to access information. After months of waiting, finally one of those not so safe requests hit one of our honeypots.
---------------------------------------------
http://blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-diss…
*** CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest ***
---------------------------------------------
The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks like there is more to the emergence of this threat than initially discovered.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-eme…
*** October 2013 virus activity overview ***
---------------------------------------------
November 5, 2013. Mid-autumn 2013 was marked by an upsurge in the number of encryption Trojans: hundreds of users whose systems were compromised by encoders contacted Doctor Web's support service in October. Also discovered were new malicious programs for Android, which has long been targeted by intruders. Viruses: Statistics collected in October by Dr.Web CureIt! indicate that the downloader Trojan.LoadMoney.1 tops the list of detected threats.
---------------------------------------------
http://news.drweb.com/show/?i=4052&lng=en&c=9
*** Super-Trojan BadBIOS: Unlikely, but possible ***
---------------------------------------------
Security researcher Dragos Ruiu claims that a super-Trojan anchored in the BIOS is raging on his computers, one that communicates even without a network connection. Skeptical voices are growing louder - but malware like BadBIOS is not technically impossible.
---------------------------------------------
http://www.heise.de/security/meldung/Supertrojaner-BadBIOS-Unwahrscheinlich…
*** Background: ENISA recommendations on cryptographic methods ***
---------------------------------------------
The top European security agency, ENISA, gives recommendations on algorithms and key lengths.
---------------------------------------------
http://www.heise.de/security/artikel/ENISA-Empfehlungen-zu-Krypto-Verfahren…
*** Learn to Pentest SAP with Metasploit As ERP Attacks Go Mainstream ***
---------------------------------------------
This month, a security researcher disclosed that a version of the old banking Trojan 'Trojan.ibank' has been modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/11/learn-to-…
*** Extensions for Google's Chrome web browser only from the official store from now on ***
---------------------------------------------
Google wants to better protect Windows users from malware. Chrome versions for other platforms are not affected by the measure.
---------------------------------------------
http://www.heise.de/security/meldung/Erweiterungen-fuer-Googles-Webbrowser-…
*** Horde Groupware Web Mail Edition 5.1.2 - CSRF Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/29519
*** Debian Security Advisory DSA-2793 libav ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2793
*** Redaxo 4.5 CMS Vulnerabilities ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110070
*** Bugtraq: Belkin WiFi NetCam video stream backdoor with unchangeable admin/admin credentials ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529722
*** D-Link Router 2760N Multiple XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110075
*** Security Bulletin: IBM WebSphere Portal vulnerable to URL Manipulation CVE-2013-5454 PM99205 ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: Multiple vulnerabilities in Security AppScan Enterprise (CVE-2013-5453, CVE-2013-5450) ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 07-11-2013 18:00 − Friday 08-11-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Advance Notification for November 2013 - Version: 1.0 ***
---------------------------------------------
This is an advance notification of security bulletins that Microsoft is intending to release on November 12, 2013.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms13-nov
*** Clarification on Security Advisory 2896666 and the ANS for the November 2013 Security Bulletin Release ***
---------------------------------------------
Today, we're providing advance notification for the release of eight bulletins, three Critical and five Important, for November 2013. The Critical updates address vulnerabilities in Internet Explorer and Microsoft Windows, and the Important updates address issues in Windows and Office. While this release won't include an update for the issue first described in Security Advisory 2896666, we'd like to tell you a bit more about it. We're working to develop a security update...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/11/07/clarification-on-securit…
*** Exploits of critical Microsoft zero day more widespread than thought ***
---------------------------------------------
At least two hacker gangs exploit the TIFF vulnerability to hijack users' computers.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/6hCE3JS8yQI/story01…
*** Despite patches, Supermicro's IPMI firmware is far from secure, researchers say ***
---------------------------------------------
The IPMI in Supermicro motherboards has vulnerabilities that can give attackers unauthorized access to servers, Rapid7 researchers said.
---------------------------------------------
http://www.csoonline.com/article/742836/despite-patches-supermicro-39-s-ipm…
*** PCI council publishes updated payment security standards ***
---------------------------------------------
Version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) became available today.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/Ktdq0wWA1L8/
*** VU#274923: Dual_EC_DRBG output using untrusted curve constants may be predictable ***
---------------------------------------------
Vulnerability Note VU#274923: Dual_EC_DRBG output using untrusted curve constants may be predictable
Original Release date: 07 Nov 2013 | Last revised: 07 Nov 2013
Overview: Output of the Dual Elliptic Curve Deterministic Random Bit Generator (DUAL_EC_DRBG) algorithm may be predictable by an attacker who has chosen elliptic curve parameters in advance.
Description: NIST SP 800-90A defines three elliptic curves for use in Dual_EC_DRBG but does not describe the provenance of the parameters used
---------------------------------------------
http://www.kb.cert.org/vuls/id/274923
*** Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity ***
---------------------------------------------
In a professional cybercrime ecosystem, largely resembling that of a legitimate economy, market participants constantly strive to optimize their campaigns, achieve liquidity for stolen assets, and most importantly, aim to reach a degree of efficiency that would help them gain market share, thus helping them secure multiple revenue streams. Despite the increased transparency on the Russian/Eastern European underground market - largely thanks to improved social networking courtesy of the...
---------------------------------------------
http://www.webroot.com/blog/2013/11/07/source-code-proprietary-spam-bot-off…
*** Security Bulletin: Vulnerabilities in Sametime Enterprise Meeting Server (CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985) ***
---------------------------------------------
The security bulletin addresses various vulnerabilities found in the Sametime Enterprise Meeting Server regarding spoofing and domain cookies. CVE(s): CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985. Affected product(s) and affected version(s): IBM Lotus Sametime WebPlayer versions 8.5.2 and 8.5.2.1. Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21654355 X-Force
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_vul…
*** Security Bulletin: IBM Lotus Sametime WebPlayer Denial-of-Service (CVE-2013-3986) ***
---------------------------------------------
An attacker participating in a Sametime Audio Visual (AV) session may be able to crash the IBM Sametime WebPlayer extension (Firefox extension) session of other users. CVE(s): CVE-2013-3986. Affected product(s) and affected version(s): IBM Lotus Sametime WebPlayer versions 8.5.2 and 8.5.2.1. Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21654041 X-Force Database:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: For safer administration of IBM Domino server, use Domino Administrator client instead of Domino Web Administrator ***
---------------------------------------------
IBM Domino Web Administrator (webadmin.nsf) has two cross-site scripting vulnerabilities and one cross-site request forgery of low CVSS score. These vulnerabilities do not exist in the Domino Administrator client. To prevent the potential for these attacks, use the Domino Administrator client or the mitigations listed below. Domino Web Administrator is deprecated. CVE(s): CVE-2013-4051, CVE-2013-4055, CVE-2013-4050.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_for…
*** IBM WebSphere Real Time Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55618
*** CTF365: A New Capture The Flag Platform for Ongoing Competitions ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/08/ctf365--i…
*** OpenSSH Security Advisory: gcmrekey.adv ***
---------------------------------------------
A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm(a)openssh.com or aes256-gcm(a)openssh.com) is selected during key exchange.
---------------------------------------------
http://www.openssh.org/txt/gcmrekey.adv
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 06-11-2013 18:00 − Donnerstag 07-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The Dual Use Exploit: CVE-2013-3906 Used in Both Targeted Attacks and Crimeware Campaigns ***
---------------------------------------------
A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component using malicious Word documents as the initial infection vector. Microsoft has confirmed that this exploit has been used in "attacks observed are very limited and carefully carried out...
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-e…
*** Analysis: Spam in Q3 2013 ***
---------------------------------------------
The percentage of spam in total email traffic decreased by 2.4% from the second quarter of 2013 and came to 68.3%.
---------------------------------------------
http://www.securelist.com/en/analysis/204792311/Spam_in_Q3_2013
*** Blackhat SEO and ASP Sites ***
---------------------------------------------
It's all too easy to scream and holler at PHP-based websites and the various malware variants associated with the technology, but perhaps we're a bit too biased. Here is a quick post on an ASP variant. Thought we'd give you Microsoft types some love too. Today we found this nice BlackHat SEO attack: Finding it...
---------------------------------------------
http://blog.sucuri.net/2013/11/blackhat-seo-and-asp-sites.html
*** Bugtraq: CVE-2013-4425: Private key disclosure, Osirix (lite, 64bit and FDA cleared version) (Medical Application) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529659
*** Vuln: Imperva SecureSphere Web Application Firewall Search Field SQL Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62948
*** Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition ***
---------------------------------------------
Issues disclosed in the Oracle October 2013 Java SE Critical Patch Update, plus 6 additional vulnerabilities
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21655201
*** [20131103] Joomla! Core XSS Vulnerability ***
---------------------------------------------
Inadequate filtering leads to XSS vulnerability in com_contact.
---------------------------------------------
http://developer.joomla.org/security/572-core-xss-20131103.html
*** Vuln: Google Android Signature Verification Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63547
*** SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-089
Project: Node Access Keys (third-party module)
Version: 7.x
Date: 2013-November-06
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass
Description: Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. However, it only implements hook_node_access() and not hook_query_alter(), which means any listing of nodes does not respect the node view access.
CVE identifier(s)...
---------------------------------------------
https://drupal.org/node/2129379
*** SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-088
Project: Secure Pages (third-party module)
Version: 6.x
Date: 2013-November-06
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Missing Encryption of Sensitive Data
Description: The Secure Pages module manages redirects between HTTP and HTTPS pages. A flaw in the URL path matching could lead some pages and forms to be transmitted via plain HTTP, even if the administrator intended those pages to use HTTPS. This flaw may surface either due to a...
---------------------------------------------
https://drupal.org/node/2129381
*** SA-CONTRIB-2013-087 - Payment for Webform - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-087
Project: Payment for Webform (third-party module)
Version: 7.x
Date: 2013-November-06
Security risk: Not critical
Exploitable from: Remote
Vulnerability: Access bypass
Description: This module enables you to ask for or require payments before users can submit webforms. It previously allowed anonymous users to sometimes use other anonymous users' payments when submitting a form. Payment for Webform never supported anonymous users, but there was also nothing that...
---------------------------------------------
https://drupal.org/node/2129373
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 05-11-2013 18:00 − Wednesday 06-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Attacks on New Microsoft Zero Day Using Multi-Stage Malware ***
---------------------------------------------
Attackers exploiting the Microsoft Windows and Office zero day revealed yesterday are using an exploit that includes a malicious RAR file as well as a fake Office document as the lure, and are installing a wide variety of malicious components on newly infected systems. The attacks seen thus far are mainly centered in Pakistan. The...
---------------------------------------------
http://threatpost.com/attacks-on-new-microsoft-zero-day-using-multi-stage-m…
*** Malicious PDF Analysis Evasion Techniques ***
---------------------------------------------
In many exploit kits, malicious PDF files are some of the most common threats used to try to infect users with various malicious files. Naturally, security vendors invest in efforts to detect these files properly - and their creators invest in efforts to evade those vendors. Using feedback provided by the Smart Protection Network, we...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XOJob_q_Zag/
*** Asus fixes serious security vulnerability in WebStorage ***
---------------------------------------------
The WebStorage client software is one of a number of apps that Asus installs on its Android devices at the factory. heise netze had uncovered an implementation error during routine checks.
---------------------------------------------
http://www.heise.de/security/meldung/Asus-fixt-schwerwiegende-Sicherheitslu…
*** Google Bots Doing SQL Injection Attacks ***
---------------------------------------------
One of the things we have to be very sensitive about when writing rules for our CloudProxy Website Firewall is to never block any major search engine bot (i.e., Google, Bing, Yahoo, etc.). To date, we've been pretty good about this, but every now and then you come across unique scenarios like the one in this post that make you scratch your head and think: what if a legitimate search engine bot was being used to attack the site? Should we still allow the attack to go through?
---------------------------------------------
http://blog.sucuri.net/2013/11/google-bots-doing-sql-injection-attacks.html
*** Security Bulletin: IBM Sterling Certificate Wizard Shared Memory Permission Vulnerability (CVE-2013-1500) ***
---------------------------------------------
The IBM Sterling Certificate Wizard is susceptible to a shared memory permission vulnerability. CVE(s): CVE-2013-1500 Affected product(s) and affected version(s): IBM Sterling Certificate Wizard: 1.3, 1.4
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: Potential security vulnerability exist in the IBM Java SDKs TLS implementation that is shipped with Tivoli Netcool/OMNIbus Web GUI (CVE-2012-5081) ***
---------------------------------------------
The JDK's TLS implementation does not strictly check the TLS vector length as set out in the latest RFC 5246. CVE(s): CVE-2012-5081 Affected product(s) and affected version(s): Tivoli Netcool/OMNIbus Web GUI: 7.3.0, 7.3.1, 7.4.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…
*** Security Bulletin: IBM Sterling Connect:Enterprise Secure Client Shared Memory Permission Vulnerability (CVE-2013-1500) ***
---------------------------------------------
The IBM Sterling Connect:Enterprise Secure Client is susceptible to a shared memory permission vulnerability. CVE(s): CVE-2013-1500 Affected product(s) and affected version(s): IBM Sterling Secure Client: 1.3, 1.4
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Vivotek IP Cameras RTSP Authentication Bypass ***
---------------------------------------------
Topic: Vivotek IP Cameras RTSP Authentication Bypass Risk: High Text: Core Security - Corelabs Advisory http://corelabs.coresecurity.com Vivotek IP Cameras RTSP Authentication Bypass 1. *A...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110038
*** Bugtraq: Open-Xchange Security Advisory 2013-11-06 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529635
*** Kerberos Multi-realm KDC NULL Pointer Dereference Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55588
*** Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco WAAS Mobile Remote Code Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco TelePresence VX Clinical Assistant Administrative Password Reset Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Tweetbot for Mac / for iOS Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55462
*** Arbor Peakflow X Security Bypass and Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55536
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 04-11-2013 18:00 − Tuesday 05-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Switzerland to set up Swiss cloud free of NSA, GCHQ snooping (it hopes) ***
---------------------------------------------
Gnomes of Zurich want spook-immune system. Swisscom, the Swiss telco that's majority-owned by its government, will set up a "Swiss cloud" hosted entirely in the land of cuckoo clocks and fine chocolate - and try to make the service impervious to malware and uninvited spooks.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/11/04/switzerland…
*** Is your vacuum cleaner sending spam?, (Tue, Nov 5th) ***
---------------------------------------------
Past week, a story in a Saint Petersburg (the icy one, not the beach) newspaper caught quite some attention, and was picked up by The Register [1]. The story claimed that appliances like tea kettles, vacuum cleaners and iron(y|ing) irons shipped from China and sold in Russia were discovered to contain rogue, WiFi enabled chip sets. As soon as power was applied, the vacuum cleaner began trolling for open WiFi access points, and if it found one, it would hook up to a spam relay and start ...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16958
*** When attackers use your DNS to check for the sites you are visiting, (Mon, Nov 4th) ***
---------------------------------------------
Nowadays, attackers are definitely interested in checking what sites you are visiting. Depending on that information, they can set up attacks like the following: Phishing websites and e-mail scams targeted at specific people so they leak their private information. Network spoofing with tools like dsniff, where attackers can tell computers that the sites they want to visit are located somewhere else, therefore enabling them to interact with victims while posing as the original site.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16955
*** Manifesto: Encryption to become mandatory for XMPP/Jabber ***
---------------------------------------------
Developers and operators of XMPP/Jabber software and services, including Jabber inventor Jeremie Miller, want to make it mandatory to encrypt communication over XMPP in the future.
---------------------------------------------
http://www.golem.de/news/manifest-bei-xmpp-jabber-soll-verschluesselung-zur…
*** Biggest Risks in IPv6 Security Today ***
---------------------------------------------
Although IPv6 packets have started to flow, network engineers still tread lightly because of lingering security concerns. Here are the top six security risks in IPv6 network security today as voted by gogoNET members, a community of 95,000 network professionals.
---------------------------------------------
http://www.cio.com/article/742652/Biggest_Risks_in_IPv6_Security_Today
*** WhatsApp backup stores plaintext with Apple ***
---------------------------------------------
The built-in backup function of the popular messaging app stores all texts and images from the iPhone in Apple's iCloud - and does so completely unencrypted.
---------------------------------------------
http://www.heise.de/security/meldung/WhatsApp-Backup-speichert-Klartext-bei…
*** Cisco Security Notices ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Vuln: Cisco Prime Central for Hosted Collaboration Solution CVE-2013-5564 Denial of Service Vulnerability ***
---------------------------------------------
Cisco Prime Central for Hosted Collaboration Solution CVE-2013-5564 Denial of Service Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/63490
*** Bugtraq: ESA-2013-070: EMC Documentum Cross Site Scripting Vulnerability. ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529620
*** Bugtraq: ESA-2013-073: EMC Documentum eRoom Multiple Cross Site Scripting Vulnerabilities. ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529621
*** VU#436214: Attachmate Verastream Host Integrator Vulnerable to Arbitrary File Uploads ***
---------------------------------------------
Vulnerability Note VU#436214 Attachmate Verastream Host Integrator Vulnerable to Arbitrary File Uploads Original Release date: 04 Nov 2013 | Last revised: 04 Nov 2013 Overview The Attachmate Verastream Host Integrator (VHI) is vulnerable to arbitrary file uploads.
---------------------------------------------
http://www.kb.cert.org/vuls/id/436214
*** GitLab Remote code execution vulnerability in the code search feature ***
---------------------------------------------
Topic: GitLab Remote code execution vulnerability in the code search feature Risk: High Text: Remote code execution vulnerability in the code search feature of GitLab There is a remote code execution vulnerability in t...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110026
*** GitLab Remote code execution vulnerability in the SSH key upload ***
---------------------------------------------
Topic: GitLab Remote code execution vulnerability in the SSH key upload Risk: High Text: # Remote code execution vulnerability in the SSH key upload feature of GitLab There is a remote code execution vulnerability...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110025
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 31-10-2013 18:00 − Monday 04-11-2013 18:00
Handler: Otmar Lendl
Co-Handler: Stephan Richter
*** Top three recommendations for securing your personal data using cryptography, by EU cyber security Agency ENISA in new report ***
---------------------------------------------
ENISA, the European Union's "cyber security" Agency, today launched a report stating that all authorities should better promote cryptographic measures to safeguard personal data.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/top-three-recommendations-f…
*** Know Your Enemy: Tracking A Rapidly Evolving APT Actor ***
---------------------------------------------
Between Oct. 24-25 FireEye detected two spear-phishing attacks attributed to a threat actor we have previously dubbed admin(a)338.[1] The newly discovered attacks targeted a number of organizations and were apparently focused on gathering data related to international trade, finance and economic...
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/10/know-your-enemy-tracking-a-ra…
*** How To Avoid CryptoLocker Ransomware ***
---------------------------------------------
Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from "CryptoLocker," the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.
---------------------------------------------
http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/
*** Why Motivated Attackers Often Get What They Want ***
---------------------------------------------
Do you work for a company possessing information which could be of financial value to people outside the organization? Or, perhaps even a foreign state would find it useful to gain access to the documents you're storing on that shared network drive? Yes? Then congratulations, you may already be the target of a persistent and motivated attacker (who sometimes, but rarely, is also advanced). According to this CERT-FI presentation, even Finland has seen nearly a decade of these attacks. Nowadays,
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002632.html
*** Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity ***
---------------------------------------------
Among the most common misconceptions regarding the exploitation (hacking) of Web sites is that no one would exclusively target *your* Web site, given that there are so many high profile Web sites to hack into. In reality though, thanks to the public/commercial availability of tools relying on the exploitation of remote Web application vulnerabilities, the insecurely configured Web sites/forums/blogs, as well as the millions of malware-infected hosts internationally, virtually every Web
---------------------------------------------
http://www.webroot.com/blog/2013/11/01/peek-inside-google-dorks-based-mass-…
*** Secunia's PSI Country Report - Q3 2013, (Fri, Nov 1st) ***
---------------------------------------------
On the heels of discussing Microsoft's Security Intelligence Report v15, wherein the obvious takeaway is "Windows XP be gone!", Secunia's just-released PSI Country Report - Q3 2013 is an interesting supplemental read. Here are the summary details: Programs Installed: 75, from 25 different vendors; 40% (30 of 75) of these programs are Microsoft programs; 60% (45 of 75) of these programs are from third-party vendors; Users with unpatched Operating Systems: 14.6% (WinXP, Win7, Win8,
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16943&rss
*** July-September 2013 ***
---------------------------------------------
NOTE 1: The "ICS-CERT Monitor" newsletter offers a means of promoting preparedness, information sharing, and collaboration with the 16 critical infrastructure sectors. ICS-CERT accomplishes this on a day-to-day basis through sector briefings, meetings, conferences, and information product releases.
---------------------------------------------
http://ics-cert.us-cert.gov/monitors/ICS-MM201310
*** SOHO Router Horror Stories: German Webcast with Mike Messner ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/04/soho-rout…
*** Nordex NC2 - Cross-Site Scripting Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of a Cross-Site Scripting vulnerability affecting the Nordex Control 2 (NC2) application, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the vulnerability is exploitable by allowing a specially crafted request that could execute arbitrary script code. This report was released without coordination with either the vendor or NCCIC/ICS-CERT. NCCIC/ICS-CERT is attempting to...
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-304-01
*** VU#450646: Tiki Wiki CMS Groupware version 11.0 contains a cross-site scripting (XSS) vulnerability ***
---------------------------------------------
Vulnerability Note VU#450646 Tiki Wiki CMS Groupware version 11.0 contains a cross-site scripting (XSS) vulnerability Original Release date: 31 Oct 2013 | Last revised: 31 Oct 2013 Overview Tiki Wiki CMS Groupware version 11.0 and possibly earlier versions contain a cross-site scripting (XSS) vulnerability (CWE-79). Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Tiki Wiki CMS Groupware version 11.0 and possibly earlier versions contain a
---------------------------------------------
http://www.kb.cert.org/vuls/id/450646
*** VMSA-2013-0009.2 ***
---------------------------------------------
VMware vSphere, ESX and ESXi updates to third party libraries
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2013-0009.html
*** TP-Link Cross Site Request Forgery Vulnerability ***
---------------------------------------------
Topic: TP-Link Cross Site Request Forgery Vulnerability Risk: Medium Text: I. Introduction Today the majority of wired Internet connections is used with an embedded NAT router, which allows using ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100223
*** Zend Framework Proxied Request Processing IP Spoofing Weakness ***
---------------------------------------------
https://secunia.com/advisories/55529
*** Novell ZENworks Configuration Management Directory Traversal Flaw Lets Remote Users Obtain Files ***
---------------------------------------------
http://www.securitytracker.com/id/1029289
*** Security Bulletins for multiple HP Products ***
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Security Bulletins for multiple IBM Products ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_inf…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
http://www.securityfocus.com/bid/62018
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 30-10-2013 18:00 − Thursday 31-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** VU#326830: NAS4Free version 9.1.0.1 contains a remote command execution vulnerability ***
---------------------------------------------
NAS4Free version 9.1.0.1.804 and possibly earlier versions contain a remote code execution vulnerability. NAS4Free allows an authenticated user to post PHP code to an HTTP script and have the code executed remotely. By default, NAS4Free runs with root privileges. A remotely authenticated attacker can send an HTTP POST request that contains a malicious PHP file which can cause the script to run directly on the machine.
---------------------------------------------
http://www.kb.cert.org/vuls/id/326830
*** Mozilla Fixes 10 Vulnerabilities with Firefox 25 ***
---------------------------------------------
Mozilla released Firefox 25 yesterday, fixing 10 vulnerabilities, five of them critical.
---------------------------------------------
http://threatpost.com/mozilla-fixes-10-vulnerabilities-with-firefox-25/1027…
*** A New Wave of WIN32/CAPHAW Attacks - A ThreatLabZ Analysis ***
---------------------------------------------
Introduction and setting the context: Over the last month, the ThreatLabZ researchers have been actively monitoring a recent uptick in the number of Win32/Caphaw (henceforward known as Caphaw) infections, a family that has been actively targeting users' bank accounts since 2011.
---------------------------------------------
http://research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html
*** Silent Circle and Lavabit launch 'DarkMail Alliance' to thwart e-mail spying ***
---------------------------------------------
Silent Circle CTO: "What we're getting rid of is SMTP."
---------------------------------------------
http://arstechnica.com/business/2013/10/silent-circle-and-lavabit-launch-da…
*** MS Security Intelligence Report Volume 15: January 2013 to June 2013 ***
---------------------------------------------
The Microsoft Security Intelligence Report (SIR) analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide. Threat awareness can help you protect your organization, software, and people.
---------------------------------------------
http://download.microsoft.com/download/5/0/3/50310CCE-8AF5-4FB4-83E2-03F1DA…
*** Meet 'badBIOS', the mysterious Mac and PC malware that jumps airgaps ***
---------------------------------------------
Like a super strain of bacteria, the rootkit plaguing Dragos Ruiu is omnipotent.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/jeFXBU0x_Vc/story01…
*** Compliance Checklist: Cloud Encryption Best Practices for Banks and Insurance Companies ***
---------------------------------------------
For industries whose handling of sensitive consumer data renders them subject to strict regulations, the cloud is anything but a simple choice. Before you can commit to the cloud, you'll have to understand exactly what cloud information protection measures you must take to remain in regulatory compliance.
---------------------------------------------
http://blog.ciphercloud.com/compliance-checklist-cloud-encryption-practices…
*** Weekly Update: Exploiting (Kind of) Popular FOSS Apps ***
---------------------------------------------
- Moodle Remote Command Execution
- vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution
- Zabbix Authenticated Remote Command Execution
- Mac OS X Persistent Payload Installer
- Persistent Payload in Windows Volume Shadow Copy
- and many more
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/10/30/weekly-up…
*** Cisco IOS XE Multiple Bugs Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029277
*** Moodle Remote Command Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100211
*** D-Link Backdoor Czechr Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100219
*** ISPConfig Authenticated Arbitrary PHP Code Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100215
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 29-10-2013 18:00 − Wednesday 30-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Nuclear Exploit Pack Getting More Aggressive ***
---------------------------------------------
Churning through our logs, we recently observed a significant rise in the number of transactions involving the Nuclear Exploit Pack, which has been in the news for quite some time now. In the past week, we stumbled upon thousands of transactions involving the Nuclear Exploit Pack infestation.
---------------------------------------------
http://research.zscaler.com/2013/10/nuclear-exploit-pack-getting-more.html
*** A Tour Through The Chinese Underground ***
---------------------------------------------
The Chinese underground has played host to many cybercriminals over the years. In the research brief titled Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market, we provide some details of the current state of the Chinese underground economy. Last year, we looked into this underground sector, and this brief is a continuation of those efforts.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/a-tour-through-t…
*** Major Corporations Fail to Defend Against Social Engineering ***
---------------------------------------------
Companies such as Apple and General Motors gave up crucial company information to social engineers during the annual Capture the Flag contest at Def Con.
---------------------------------------------
http://threatpost.com/major-corporations-fail-to-defend-against-social-engi…
*** iOS apps can be hijacked to show fraudulent content and intercept data ***
---------------------------------------------
A large number of apps for iPhones and iPads are susceptible to hacks that cause them to surreptitiously send and receive data to and from malicious servers instead of the legitimate ones they were designed to connect to, security researchers said on Tuesday.
---------------------------------------------
http://arstechnica.com/security/2013/10/ios-apps-can-be-hijacked-to-show-fr…
*** New Injection Campaign Peddling Rogue Software Downloads ***
---------------------------------------------
A mass injection campaign surfaced over the last two weeks that's already compromised at least 40,000 web pages worldwide and is tricking victims into downloading rogue, unwanted software to their computer.
---------------------------------------------
http://threatpost.com/new-injection-campaign-peddling-rogue-software-downlo…
*** Defending Against CryptoLocker ***
---------------------------------------------
CryptoLocker infections were found across different regions, including North America, Europe, the Middle East and the Asia Pacific. Almost two-thirds of the affected victims - 64% - were from the US. Other affected countries include the UK and Canada, with 11% and 6% of global victims, respectively.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/defending-agains…
*** Analysis: Kaspersky Lab Report: Java under attack - the evolution of exploits in 2012-2013 ***
---------------------------------------------
One of the biggest problems facing the IT security industry is the use of vulnerabilities in legitimate software to launch malware attacks. Malicious programs can use these vulnerabilities to infect a computer without attracting the attention of the user and, in some cases, without triggering an alert from security software.
---------------------------------------------
http://www.securelist.com/en/analysis/204792310/Kaspersky_Lab_Report_Java_u…
*** Microsoft sees a decline in the virus threat, but rising infections ***
---------------------------------------------
In almost all large countries the number of 'encounters with malware' has decreased significantly, the current Microsoft Security Intelligence Report states. It is too early to give the all-clear, however, because the number of infections is nevertheless rising.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-sieht-Rueckgang-der-Virengef…
*** Joomla! Media Manager allows arbitrary file upload and execution ***
---------------------------------------------
A vulnerability has been discovered in older versions of the Joomla! content management software that allows an authenticated attacker to upload active content through the media manager form ('administrator/components/com_media/helpers/media.php'). Joomla! allows files with a trailing '.' to pass the upload checks.
---------------------------------------------
http://www.kb.cert.org/vuls/id/639620
*** Apple's Siri is helping users bypass iOS security ***
---------------------------------------------
Siri was designed to be an effective personal assistant, but since the release of iOS 7, the artificial intelligence is bringing the bad with the good.
---------------------------------------------
http://www.scmagazine.com/apples-siri-is-helping-users-bypass-ios-security/…
*** [remote] - Apache / PHP 5.x Remote Code Execution Exploit ***
---------------------------------------------
+++ Affects outdated versions +++
Versions that carry the fix for CVE-2012-1823 are not affected.
---------------------------------------------
http://www.exploit-db.com/exploits/29290
*** Vuln: Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-5599 Remote Memory Corruption Vulnerability ***
---------------------------------------------
+++ Affects outdated versions +++
---------------------------------------------
http://www.securityfocus.com/bid/63423
*** ASUS RT-N13U Backdoor Account ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100206
*** Vuln: XAMPP for Windows Multiple Cross Site Scripting and SQL Injection Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/53979
*** Citrix XenDesktop Upgrade Feature Bug Lets Remote Authenticated Users Bypass Policy Controls ***
---------------------------------------------
http://www.securitytracker.com/id/1029263
*** WordPress MoneyTheme Cross Site Scripting / Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100199
*** WordPress Curvo Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100197
*** Google Play Billing Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100203
*** sup Remote Command Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100202
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 28-10-2013 18:00 − Tuesday 29-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Background: iOS virus scanner of questionable benefit ***
---------------------------------------------
Avira has released an antivirus app for iOS that is supposed to protect against malicious processes. Which ones those are, and how they are detected, the company does not reveal.
---------------------------------------------
http://www.heise.de/security/artikel/iOS-Virenscanner-mit-zweifelhaftem-Nut…
*** Exploit cocktail (Struts, Java, Windows) going after 3-month old vulnerabilities ***
---------------------------------------------
When ISC reader Yin reported earlier today that one of their servers had been hacked via the Apache Struts remote command execution vulnerability (CVE-2013-2251), at first this was flagged as "business as usual". Said vulnerability, after all, has been known since July, and we've been seeing exploit attempts since early August (diary here).
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16913
*** ATM malware Ploutus updated with English-language version ***
---------------------------------------------
The Spanish-language ATM malware, which allowed attackers in Mexico to force ATMs to spit out cash, now has an updated English-language version.
---------------------------------------------
http://www.scmagazine.com//atm-malware-ploutus-updated-with-english-languag…
*** Adobe Breach Impacted At Least 38 Million Users ***
---------------------------------------------
The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the company's Photoshop family of graphical design products.
---------------------------------------------
http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-millio…
*** Analysis: Spam in September 2013 ***
---------------------------------------------
In September, the proportion of world spam in mail traffic continued to decline and reached 66%. As always the spammers focused on advertising seasonal goods and services. For example, the number of offers related to energy saving and insulating buildings increased significantly.
---------------------------------------------
http://www.securelist.com/en/analysis/204792309/Spam_in_September_2013
*** Routerpwn ***
---------------------------------------------
Routerpwn is a web application that helps you in the exploitation of vulnerabilities in residential routers. It is a compilation of ready to run local and remote web exploits.
---------------------------------------------
http://www.routerpwn.com/
*** Windows XP is and remains a high-risk system ***
---------------------------------------------
In the current Security Intelligence Report (SIR), Microsoft once again warns about Windows XP. Security chief Tim Rains defends the decision to end support.
---------------------------------------------
http://futurezone.at/digital-life/windows-xp-ist-und-bleibt-ein-hochriskant…
*** Internet Safety - Tips for Parents ***
---------------------------------------------
Internet basics can be as straightforward as pushing buttons or clicking a mouse. Understanding how youth use the Internet, however, can be an overwhelming task, especially for adults who don't spend much time online.
---------------------------------------------
http://bc.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=87&languageId=1&content…
*** Cyber Security Assessment Netherlands ***
---------------------------------------------
Cybercrime and digital espionage remain the biggest threats to both governments and the business community. The threat of disruption of online services has increased. Clearly visible in the past year has been the rise of the criminal cyber services sector. Cyber-attack tools are made commercially available through 'cybercrime as a service'.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/cyber-security-assesment-ne…
*** Social media and digital identity. Prevention and incident response ***
---------------------------------------------
The hack of a social media account is a common incident that could have a serious impact on our digital identity. How can it be prevented? What should be done in case of a hack?
---------------------------------------------
http://securityaffairs.co/wordpress/19143/cyber-crime/social-media-security…
*** Purported Fritzbox fax turns out to be a Trojan ***
---------------------------------------------
Malicious emails disguised as fax notifications from a Fritzbox are currently spreading rapidly. The attached zip archive does not contain a fax but a Trojan.
---------------------------------------------
http://www.heise.de/security/meldung/Angebliches-Fritzbox-Fax-entpuppt-sich…
*** Facebook Android Flaws Enable Any App to Get User's Access Tokens ***
---------------------------------------------
A researcher has discovered serious vulnerabilities in the main Facebook and Facebook Messenger apps for Android that enable any other app on a device to access the user's Facebook access token and take over her account.
---------------------------------------------
http://threatpost.com/facebook-android-flaws-enable-any-app-to-get-users-ac…
*** [webapps] - Pirelli Discus DRG A125g - Password Disclosure Vulnerability. ***
---------------------------------------------
http://www.exploit-db.com/exploits/29262
*** DSA-2786 icu ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2786
*** vBulletin 4.1.x / 5.x.x Administrative User Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100192
*** MobileIron 4.5.4 Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100190
*** SAP Financial Services Statutory Reporting for Insurance (FS-SR) Unspecified Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029256
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 25-10-2013 18:00 − Monday 28-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Email contains phishing scam, not iPhone 5S ***
---------------------------------------------
A new phishing email circulating the globe is preying on Apple fans who can't wait to get their hands on the coming iPhone 5S and iPhone 5c devices.
---------------------------------------------
http://www.scmagazine.com/email-contains-phishing-scam-not-iphone-5s/articl…
*** Blog: Cryptolocker Wants Your Money! ***
---------------------------------------------
A new ransomware Trojan is on the loose. The attackers give you roughly three days to pay them, otherwise your data is gone forever.
---------------------------------------------
http://www.securelist.com/en/blog/208214109/Cryptolocker_Wants_Your_Money
*** Blog software WordPress 3.7 updates itself ***
---------------------------------------------
In the new version 3.7, the blog software WordPress keeps itself up to date: security updates will in future be applied automatically in the background if the configuration allows it. The other new features also serve security first and foremost.
---------------------------------------------
http://www.heise.de/security/meldung/Blog-Software-Wordpress-3-7-aktualisie…
*** Periodic Connections to Control Server Offer New Way to Detect Botnets ***
---------------------------------------------
A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters.
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-…
*** Improving Hadoop Security with Host Intrusion Detection (Part 2) ***
---------------------------------------------
This is a continuation of our previous post on Hadoop security. As we mentioned in our earlier post, we can use OSSEC to monitor for the file integrity of these existing Hadoop and HBase systems. OSSEC creates logs which a system administrator can use to check for various system events. It's worth noting that big data systems ...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/improving-hadoop…
*** Active Perl/Shellbot Trojan ***
---------------------------------------------
ISC received a submission from Zach of a Perl/Shellbot.B trojan served by fallencrafts[.]info/download/himad.png. The trojan has limited detection on VirusTotal; the script contains a 'hostauth' of sosick[.]net[3], and the IRC server that the compromised systems connect to is located at 89.248.172.144. From what we have so far, it appears to be exploiting older versions of Plesk.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16907&rss
*** LinkedIn can read your mail ***
---------------------------------------------
The recently introduced Intro technology for iOS is drawing criticism for the professional network: it is said to be a dream for attackers and intelligence services. The company defends itself: everything is secure and it respects the privacy of its users.
---------------------------------------------
http://www.heise.de/security/meldung/LinkedIn-kann-Mails-mitlesen-2034490.h…
*** Break-in at Buffer ***
---------------------------------------------
The social media service was hacked yesterday. According to the company blog, neither passwords nor credit card information were lost.
---------------------------------------------
http://www.heise.de/security/meldung/Einbruch-bei-Buffer-2034519.html
*** Storewize: IBM warns of security vulnerability in storage systems ***
---------------------------------------------
The SAN controllers of IBM's Storewize series contain a vulnerability that lets an attacker change the configuration and also delete data. A firmware update, which is already available, provides a remedy. (IBM, networking)
---------------------------------------------
http://www.golem.de/news/storewize-ibm-warnt-vor-sicherheitsluecke-in-stora…
*** End User Devices Security and Configuration Guidance ***
---------------------------------------------
UK Government configuration guidance for the following platforms:
End User Devices Security Guidance: Windows Phone 8
End User Devices Security Guidance: Android 4.2
End User Devices Security Guidance: Windows 7 and Windows 8
End User Devices Security Guidance: Ubuntu 12.04
End User Devices Security Guidance: Windows 8 RT
...
---------------------------------------------
https://www.gov.uk/government/collections/end-user-devices-security-guidanc…
*** Bypassing security scanners by changing the system language ***
---------------------------------------------
Luiz Eduardo and Joaquim Espinhara found that the majority of pentesting tools analyze specific problems in web applications - such as SQL injection - via the return messages that are provided by the application, and not by the error code that is reported by the database management system. So, what would happen if the setup language was not English, but Chinese or Portuguese? As their research showed, if the target SQL server doesn't use English by default, the scanners won't be able to
---------------------------------------------
http://www.net-security.org/secworld.php?id=15832
*** Cisco Identity Services Engine contains an input validation vulnerability ***
---------------------------------------------
Vulnerability Note VU#952422 Cisco Identity Services Engine contains an input validation vulnerability. Original Release date: 28 Oct 2013 | Last revised: 28 Oct 2013. Overview: Cisco Identity Services Engine contains an input validation vulnerability (CWE-20). Description: CWE-20: Improper Input Validation. Cisco Identity Services Engine (ISE) contains an input validation vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/952422
*** I challenged hackers to investigate me and what they found out is chilling ***
---------------------------------------------
It's my first class of the semester at New York University. I'm discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message.
---------------------------------------------
http://pandodaily.com/2013/10/26/i-challenged-hackers-to-investigate-me-and…
*** Spam senders: please take a look in your junk folder ***
---------------------------------------------
Spam filters now work fairly reliably. The spam senders know that too. That is why they send a second message after the first one.
---------------------------------------------
http://www.heise.de/security/meldung/Spam-Versender-Schauen-Sie-doch-mal-bi…
*** Scan Shows 65% of ReadyNAS Boxes on Web Vulnerable to Critical Bug ***
---------------------------------------------
It's been known for some time now (several months, in fact) that there is a critical, remotely exploitable vulnerability in some of Netgear's ReadyNAS storage boxes, and a patch has been available since July. However, many of the boxes exposed to the Web are still vulnerable, and a recent scan by HD Moore of Rapid7 found that ...
---------------------------------------------
http://threatpost.com/scan-shows-65-of-readynas-boxes-on-web-vulnerable-to-…
*** Vuln: Cisco Catalyst 3750 Series Switches Default Credentials Security Bypass Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/63342
*** Bugtraq: Multiple CSRF Horde Groupware Web mail Edition 5.1.2 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529466
*** Bugtraq: DD-WRT v24-sp2 Command Injection ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529463
*** Apache Struts2 showcase multiple XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100185
*** DSA-2787 roundcube ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2787
*** Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection Exploit. ***
---------------------------------------------
http://www.exploit-db.com/exploits/29023
*** GnuPG Side-Channel Attack Lets Local Users Recover RSA Secret Keys ***
---------------------------------------------
http://www.securitytracker.com/id/1029242
*** DSA-2785 chromium-browser ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2785
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 24-10-2013 18:00 − Friday 25-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Periodic Links to Control Server Offer New Way to Detect Botnets ***
---------------------------------------------
A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters. The following pie […]
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-…
*** DDoS mitigation firm notes dramatic increase in reflection attack style ***
---------------------------------------------
Between Q3 2012 and Q3 2013, distributed reflection denial-of-service (DrDoS) attacks increased 265 percent, a global attack report found.
---------------------------------------------
http://www.scmagazine.com/ddos-mitigation-firm-notes-dramatic-increase-in-r…
*** LinkedIn Intro App Equivalent to Man in the Middle Attack, Experts Say ***
---------------------------------------------
LinkedIn’s release of its Intro app yesterday for Apple iOS mobile devices raised more than a few eyebrows for behaviors that are tantamount to a man-in-the-middle attack, experts said.
---------------------------------------------
http://threatpost.com/linkedin-intro-app-equivalent-to-man-in-the-middle-at…
*** Evasive Tactics: Terminator RAT ***
---------------------------------------------
FireEye Labs has been tracking a variety of APT threat actors that have been slightly changing their tools, techniques and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Aumlib, the malware used in the attack...
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tact…
*** Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot ***
---------------------------------------------
Thanks to the growing adoption of mobile banking, in combination with the utilization of mobile devices to conduct financial transactions, opportunistic cybercriminals are quickly capitalizing on this emerging market segment. This is made evident by the release of Android/BlackBerry compatible mobile malware bots. This site is empowering potential cybercriminals with the necessary 'know-how' when it comes to 'cashing out' compromised accounts of E-banking victims who have...
---------------------------------------------
http://www.webroot.com/blog/2013/10/25/cybercriminals-release-new-commercia…
*** OSX/Leverage.a Analysis ***
---------------------------------------------
A few days ago, a new OSX malware was detected in the wild. It looks like a picture and behaves like it when you click on it. Everything looks fine when the clicked picture is opened on the screen, but the malware also performs some other actions. After the first look, we saw that the malware copies itself to /Users/Shared/UserEvent.app with the ditto command, and creates a LaunchAgent to load itself when the computer starts with these shell commands: mkdir ~/Library/LaunchAgents echo
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis
*** PHP.net abused to spread malware ***
---------------------------------------------
Contrary to earlier statements by the administrators, the PHP project site did fall victim to a hacker attack. Two servers were hijacked and used to distribute malicious code.
---------------------------------------------
http://www.heise.de/security/meldung/PHP-net-zur-Verbreitung-von-Malware-mi…
*** ProSoft Technology RadioLinx ControlScape PRNG Vulnerability ***
---------------------------------------------
RadioLinx ControlScape is prone to a predictable random number generator weakness. Attackers can leverage this weakness to aid in brute-force attacks. Other attacks are also possible.
---------------------------------------------
http://www.securityfocus.com/bid/62238/
http://ics-cert.us-cert.gov/advisories/ICSA-13-248-01
*** Vuln: OpenStack Keystone Tokens Validation CVE-2013-4222 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/61725
*** Vuln: OpenStack Nova CVE-2013-4261 Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62200
*** Vuln: OpenStack Nova CVE-2013-4278 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62016
*** CA SiteMinder Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029237
*** libvirt API Access Control Flaw Lets Remote Authenticated Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029241
*** Vuln: GnuTLS CVE-2013-4466 libdane/dane.c Remote Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63326
*** Vuln: VICIDIAL manager_send.php CVE-2013-4468 Command Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63288
*** Security Bulletin: Tivoli Netcool/OMNIbus Web GUI - IBM WebSphere Application Server PM44303 security bypass (CVE-2012-3325) and Hash denial of service (CVE-2011-4858) ***
---------------------------------------------
CVE-2012-3325: After installing an Interim Fix for PM44303 or a Fix Pack containing PM44303, there is a potential security exposure with IBM WebSphere Application Server. CVE-2011-4858: Potential Denial of Service (DoS) security exposure when using web-based applications due to Java HashTable implementation vulnerability.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_tiv…