- Daily - CERT.at

Tageszusammenfassung - Mittwoch 13-11-2013
by Daily end-of-shift report 13 Nov '13

13 Nov '13

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 12-11-2013 18:00 − Mittwoch 13-11-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a *** Summary for November 2013 - Version: 1.0 *** --------------------------------------------- This bulletin summary lists security bulletins released for November 2013. With the release of the security bulletins for November 2013, this bulletin summary replaces the bulletin advance notification originally issued November 7, 2013. --------------------------------------------- http://technet.microsoft.com/en-us/security/bulletin/ms13-nov *** Blog: Sinkholing the Hlux/Kelihos botnet - what happened? *** --------------------------------------------- Back in March 2012 we teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in disabling the second version of the Hlux/Kelihos-Botnet. Now we thought it would be a good time for an update on what has happened to that sinkhole-server over the last 19 months. --------------------------------------------- http://www.securelist.com/en/blog/208214147/Sinkholing_the_Hlux_Kelihos_bot… *** Microsoft Warns Customers Away From SHA-1 and RC4 *** --------------------------------------------- The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said that is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm. --------------------------------------------- http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102… *** Introducing Enhanced Mitigation Experience Toolkit (EMET) 4.1 *** --------------------------------------------- In June 2013, we released EMET 4.0 and customer response has been fantastic. Many customers across the world now include EMET as part of their defense-in-depth strategy and appreciate how EMET helps businesses prevent attackers from gaining access to computers systems. Today, we´re releasing a new version, EMET 4.1, with updates that simplify configuration and accelerate deployment. --------------------------------------------- http://blogs.technet.com/b/srd/archive/2013/11/12/introducing-enhanced-miti… *** Adobe Patches Flash, ColdFusion Flaws Unrelated to Breach *** --------------------------------------------- Adobe patched critical vulnerabilities in its Flash Player and ColdFusion Web application server; the company said the bugs are unrelated to the recent breach and source code theft. --------------------------------------------- http://threatpost.com/adobe-patches-flash-coldfusion-flaws-unrelated-to-bre… *** Simulated attacks give London banks a trial run in readiness *** --------------------------------------------- The planned event, called "Waking Shark II," marks the second year the city of London had participated in the security preparedness exercises. --------------------------------------------- http://www.scmagazine.com//simulated-attacks-give-london-banks-a-trial-run-… *** November Patch Tuesday Addresses New IE Zero-Day Exploit, But TIFF Vulnerability Still Unpatched *** --------------------------------------------- It´s worth noting that another recent TIFF-related zero-day that we discussed has not been patched as part of this month´s update, so the recommendations and work-arounds that were suggested at that time remain in effect. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/november-patch-t… *** Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits *** --------------------------------------------- Sharing is caring. In this post, I´ll put the spotlight on a currently circulating, massive - thousands of sites affected - malicious iframe campaign, that attempts to drop malicious software on the hosts of unaware Web site visitors through a cocktail of client-side exploits. The campaign, featuring a variety of evasive tactics making it harder to analyze, continues to efficiently pop up on thousands of legitimate Web sites. --------------------------------------------- http://www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-… *** Cross-site scripting vulnerabilities in EMC Documentum eRoom *** --------------------------------------------- Due to improper input validation, Documentum eRoom suffers from multiple cross-site scripting vulnerabilities, which allow an attacker to steal other users sessions, to impersonate other users and to gain unauthorized access to documents hosted in eRooms. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013… *** BlackBerry Patches Remote Access Feature Vulnerable to Exploit *** --------------------------------------------- BlackBerry patched two serious vulnerabilities in its BlackBerry Link product. --------------------------------------------- http://threatpost.com/blackberry-patches-remote-access-feature-vulnerable-t… *** cPanel Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/55478 *** Red Hat Network Satellite Server Grants Administrative Access to Remote Users *** --------------------------------------------- http://www.securitytracker.com/id/1029331 *** JunOS 11.4 Cross Site Scripting *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013110085 *** FortiAnalyzer 5.0.4 - CSRF Vulnerability *** --------------------------------------------- http://www.exploit-db.com/exploits/29550 *** Security Bulletin: Potential Security Vulnerability fixed in WebSphere Virtual Enterprise (CVE-2013-5425) *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…

1 0

Tageszusammenfassung - Dienstag 12-11-2013
by Daily end-of-shift report 12 Nov '13

12 Nov '13

======================= = End-of-Shift report = ======================= Timeframe: Montag 11-11-2013 18:00 − Dienstag 12-11-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a *** ActiveX Control issue being addressed in Update Tuesday *** --------------------------------------------- Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publically disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in 'Bulletin 3', which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-be… *** Samsung, Nokia say they don´t know how to track a powered-down phone *** --------------------------------------------- Back in July 2013, The Washington Post reported that nearly a decade ago, the National Security Agency developed a new technique that allowed spooks to find cellphones even when they were turned off. --------------------------------------------- http://arstechnica.com/security/2013/11/samsung-nokia-say-they-dont-know-ho… *** Chinese Bitcoin exchange shutters, taking £2.5 MEEELION *** --------------------------------------------- Another one Bits the dust... Chinese Bitcoin exchange GBL has shut down, taking with it over 25 million yuan ($US4.1m) of investors´ money, in another warning to those who don't look before they leap with the digital currency. --------------------------------------------- http://www.theregister.co.uk/2013/11/12/bitcoin_gbl_hong_kong_collapse/ MSRT November 2013 - Napolar --------------------------------------------- We first noticed the new family we named Win32/Napolar being distributed in the wild in early August this year. It quickly became a big problem on our customers´ machines. Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2013/11/12/msrt-november-2013-napol… *** GCHQ Used Fake LinkedIn Pages to Target Engineers *** --------------------------------------------- The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn, the professional networking site. The pages looked the way they always did, and they didnt take any longer than usual to load. --------------------------------------------- http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-… *** Smartphone PIN revealed by camera and microphone *** --------------------------------------------- The PIN for a smartphone can be revealed by its camera and microphone, researchers have warned. Using a programme called PIN Skimmer a team from the University of Cambridge found that codes entered on a number-only soft keypad could be identified. --------------------------------------------- http://www.bbc.co.uk/news/technology-24897581 *** A Peek Inside a Customer-ized API-enabled DIY Online Lab for Generating Multi-OS Mobile Malware *** --------------------------------------------- The exponential growth of mobile malware over the last couple of years, can be attributed to a variety of growth factors, the majority of which continue playing an inseparable role in the overall success and growth of the cybercrime ecosystem in general. --------------------------------------------- http://ddanchev.blogspot.co.uk/2013/11/a-peek-inside-customer-ized-api-enab… *** Cyber Attack on Finland is a Warning for the EU *** --------------------------------------------- A highly sophisticated multi-year cyber attack targeting Finland´s diplomatic communications is likely to have been replicated against other EU and Western countries. --------------------------------------------- http://www.chathamhouse.org/media/comment/view/195392? *** Selfish Miners Could Exploit P2P Nature of Bitcoin Network *** --------------------------------------------- While researchers and academics are just at the beginning of the process of trying to judge the value of a recent paper on a vulnerability in the Bitcoin protocol, some are arguing that there is a smaller point that´s being missed in all of the back and forth: There is a problem with the peer-to-peer set-up of the Bitcoin network that could be exploited for profit. --------------------------------------------- http://threatpost.com/selfish-miners-could-exploit-p2p-nature-of-bitcoin-ne… *** Vuln: strongSwan CVE-2013-6075 Authorization Security Bypass and Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/63489 *** FOSCAM IP-Cameras SSID cross-site scripting *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/88629 *** Belkin NetCam Wifi Camera Hardcoded Credentials *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013110079 *** WordPress Curvo Themes - Arbitrary code execution *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013110081

1 0

Tageszusammenfassung - Montag 11-11-2013
by Daily end-of-shift report 11 Nov '13

11 Nov '13

======================= = End-of-Shift report = ======================= Timeframe: Freitag 08-11-2013 18:00 − Montag 11-11-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a *** New IE Zero-Day found in Watering Hole Attack *** --------------------------------------------- FireEye Labs has identified a new IE zero-day exploit hosted on a breached website based in the U.S. It´s a brand new IE zero-day that compromises anyone visiting a malicious website; classic drive-by download attack. The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution. --------------------------------------------- http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-wate… FOLLOW-UP: *** Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method *** --------------------------------------------- Recently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic Web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy. --------------------------------------------- http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephe… *** No Patch Tuesday update for Microsoft zero-day vulnerability *** --------------------------------------------- Microsoft is preparing eight fixes for next weeks upcoming Nov. 12 Patch Tuesday, but an update to a recently discovered zero-day vulnerability is not one of them. --------------------------------------------- http://www.scmagazine.com/no-patch-tuesday-update-for-microsoft-zero-day-vu… *** Case Study: Analyzing a WordPress Attack - Dissecting the webr00t cgi shell - Part I *** --------------------------------------------- November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not so safe attempts to access information. After months of waiting, finally one of those not so safe request hit one of our honeypots. --------------------------------------------- http://blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-diss… *** CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest *** --------------------------------------------- The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks there is more to the emergence of this thread than initially discovered. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-eme… *** October 2013 virus activity overview *** --------------------------------------------- November 5, 2013 Mid-autumn 2013 was marked by an upsurge in the number of encryption Trojans: hundreds of users whose systems were compromised by encoders contacted Doctor Webs support service in October. Also discovered were new malicious programs for Android, which has long been targeted by intruders. Viruses Statistics collected in October by Dr.Web CureIt! indicate that the downloader Trojan.LoadMoney.1 tops the list of detected threats. --------------------------------------------- http://news.drweb.com/show/?i=4052&lng=en&c=9 *** Supertrojaner BadBIOS: Unwahrscheinlich, aber möglich *** --------------------------------------------- Der Sicherheitsforscher Dragos Ruiu behauptet, auf seinen Rechnern wüte ein im BIOS verankerter Supertrojaner, der auch ohne Netzanschluss kommuniziert. Es mehren sich skeptische Stimmen - technisch unmöglich ist Malware wie BadBIOS jedoch nicht. --------------------------------------------- http://www.heise.de/security/meldung/Supertrojaner-BadBIOS-Unwahrscheinlich… *** Hintergrund: ENISA-Empfehlungen zu Krypto-Verfahren *** --------------------------------------------- Die oberste, europäische Sicherheitsbehörde, die ENISA gibt Empfehlungen zu Algorithmen und Schlüssellängen. --------------------------------------------- http://www.heise.de/security/artikel/ENISA-Empfehlungen-zu-Krypto-Verfahren… *** Learn to Pentest SAP with Metasploit As ERP Attacks Go Mainstream *** --------------------------------------------- This month, a security researcher disclosed that a version of the old banking Trojan 'Trojan.ibank' has been modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime. --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2013/11/11/learn-to-… *** Erweiterungen für Googles Webbrowser Chrome nur noch aus offiziellem Store *** --------------------------------------------- Google will Windows-Anwender besser vor Malware schützen. Chrome-Versionen für andere Plattformen sind von der Maßnahme nicht betroffen. --------------------------------------------- http://www.heise.de/security/meldung/Erweiterungen-fuer-Googles-Webbrowser-… *** Horde Groupware Web Mail Edition 5.1.2 - CSRF Vulnerability *** --------------------------------------------- http://www.exploit-db.com/exploits/29519 *** Debian Security Advisory DSA-2793 libav *** --------------------------------------------- http://www.debian.org/security/2013/dsa-2793 *** Redaxo 4.5 CMS Vulnerabilities *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013110070 *** Bugtraq: Belkin WiFi NetCam video stream backdoor with unchangeable admin/admin credentials *** --------------------------------------------- http://www.securityfocus.com/archive/1/529722 *** D-Link Router 2760N Multiple XSS *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013110075 *** Security Bulletin: IBM WebSphere Portal vulnerable to URL Manipulation CVE-2013-5454 PM99205 *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… *** Security Bulletin: Multiple vulnerabilities in Security AppScan Enterprise (CVE-2013-5453, CVE-2013-5450) *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…

1 0

Tageszusammenfassung - Freitag 8-11-2013
by Daily end-of-shift report 08 Nov '13

08 Nov '13

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 07-11-2013 18:00 − Freitag 08-11-2013 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Advance Notification for November 2013 - Version: 1.0 *** --------------------------------------------- This is an advance notification of security bulletins that Microsoft is intending to release on November 12, 2013. --------------------------------------------- http://technet.microsoft.com/en-us/security/bulletin/ms13-nov *** Clarification on Security Advisory 2896666 and the ANS for the November 2013 Security Bulletin Release *** --------------------------------------------- Today, we're providing advance notification for the release of eight bulletins, three Critical and five Important, for November 2013. The Critical updates address vulnerabilities in Internet Explorer and Microsoft Windows, and the Important updates address issues in Windows and Office. While this release won't include an update for the issue first described in Security Advisory 2896666, we'd like to tell you a bit more about it. We're working to develop a security update... --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2013/11/07/clarification-on-securit… *** Exploits of critical Microsoft zero day more widespread than thought *** --------------------------------------------- At least two hacker gangs exploit TIFF vulnerability to hijack users computers. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/6hCE3JS8yQI/story01… *** Despite patches, Supermicros IPMI firmware is far from secure, researchers say *** --------------------------------------------- The IPMI in Supermicro motherboards has vulnerabilities that can give attackers unuathorized access to servers, Rapid7 researchers said --------------------------------------------- http://www.csoonline.com/article/742836/despite-patches-supermicro-39-s-ipm… *** PCI council publishes updated payment security standards *** --------------------------------------------- Version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) became available today. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/Ktdq0wWA1L8/ *** VU#274923: Dual_EC_DRBG output using untrusted curve constants may be predictable *** --------------------------------------------- Vulnerability Note VU#274923 Dual_EC_DRBG output using untrusted curve constants may be predictable Original Release date: 07 Nov 2013 | Last revised: 07 Nov 2013 Overview Output of the Dual Elliptic Curve Deterministic Random Bit Generator (DUAL_EC_DRBG) algorithm may be predictable by an attacker who has chosen elliptic curve parameters in advance. Description NIST SP 800-90A defines three elliptic curves for use in Dual_EC_DBRG but does not describe the provenance of the parameters used --------------------------------------------- http://www.kb.cert.org/vuls/id/274923 *** Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity *** --------------------------------------------- In a professional cybercrime ecosystem, largely resembling that of a legitimate economy, market participants constantly strive to optimize their campaigns, achieve stolen assets liquidity, and most importantly, aim to reach a degree of efficiency that would help them gain market share. Thus, help them secure multiple revenue streams. Despite the increased transparency on the Russian/Easter European underground market - largely thanks to improved social networking courtesy of the... --------------------------------------------- http://www.webroot.com/blog/2013/11/07/source-code-proprietary-spam-bot-off… *** Security Bulletin: Vulnerabilities in Sametime Enterprise Meeting Server (CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985) *** --------------------------------------------- The security bulletin addresses various vulnerabilities found in the Sametime Enterprise Meeting Server regarding spoofing and domain cookies. CVE(s): and CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985 Affected product(s) and affected version(s): IBM Lotus Sametime WebPlayer versions 8.5.2 and 8.5.2.1 Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21654355 X-Force --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_vul… *** Security Bulletin: IBM Lotus Sametime WebPlayer Denial-of-Service (CVE-2013-3986) *** --------------------------------------------- An attacker participating in a Sametime Audio Visual (AV) session may be able to crash the IBM Sametime WebPlayer extension (Firefox extension) session of other users. CVE(s): and CVE-2013-3986 Affected product(s) and affected version(s): IBM Lotus Sametime WebPlayer versions 8.5.2 and 8.5.2.1 Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21654041 X-Force Database: --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… *** Security Bulletin: For safer administration of IBM Domino server, use Domino Administrator client instead of Domino Web Administrator *** --------------------------------------------- IBM Domino Web Administrator (webadmin.nsf) has two cross-site scripting vulnerabilities and one cross-site request forgery of low CVSS score. These vulnerabilities do not exist in the Domino Administrator client. To prevent the potential for these attacks, use the Domino Administrator client or mitigations listed below. Domino Web Administrator is deprecated. CVE(s): CVE-2013-4051, CVE-2013-4055, CVE-2013-4050.. --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_for… *** IBM WebSphere Real Time Java Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/55618 *** CTF365: A New Capture The Flag Platform for Ongoing Competitions *** --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2013/11/08/ctf365--i… *** OpenSSH Security Advisory: gcmrekey.adv *** --------------------------------------------- A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm(a)openssh.com or aes256-gcm(a)openssh.com) is selected during kex exchange. --------------------------------------------- http://www.openssh.org/txt/gcmrekey.adv

1 0

Tageszusammenfassung - Donnerstag 7-11-2013
by Daily end-of-shift report 07 Nov '13

07 Nov '13

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 06-11-2013 18:00 − Donnerstag 07-11-2013 18:00 Handler: Stephan Richter Co-Handler: n/a *** The Dual Use Exploit: CVE-2013-3906 Used in Both Targeted Attacks and Crimeware Campaigns *** --------------------------------------------- A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component using malicious Word documents as the initial infection vector. Microsoft has confirmed that this exploit has been used in "attacks observed are very limited and carefully carried out... --------------------------------------------- http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-e… *** Analysis: Spam in Q3 2013 *** --------------------------------------------- The percentage of spam in total email traffic decreased by 2.4% from the second quarter of 2013 and came to 68.3%. --------------------------------------------- http://www.securelist.com/en/analysis/204792311/Spam_in_Q3_2013 *** Blackhat SEO and ASP Sites *** --------------------------------------------- It's all too easy to scream and holler at PHP based websites and the various malware variants associate with the technology, but perhaps we're a bit too biased. Here is a quick post on ASP variant. Thought we'd give you Microsoft types some love too. Today we found this nice BlackHat SEO attack: Finding it... --------------------------------------------- http://blog.sucuri.net/2013/11/blackhat-seo-and-asp-sites.html *** Bugtraq: CVE-2013-4425: Private key disclosure, Osirix (lite, 64bit and FDA cleader version) (Medical Application) *** --------------------------------------------- http://www.securityfocus.com/archive/1/529659 *** Vuln: Imperva SecureSphere Web Application Firewall Search Field SQL Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/62948 *** Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition *** --------------------------------------------- Issues disclosed in the Oracle October 2013 Java SE Critical Patch Update, plus 6 additional vulnerabilities --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21655201 *** [20131103] Joomla! Core XSS Vulnerability *** --------------------------------------------- Inadequate filtering leads to XSS vulnerability in com_contact. --------------------------------------------- http://developer.joomla.org/security/572-core-xss-20131103.html *** Vuln: Google Android Signature Verification Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/63547 *** SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2013-089Project: Node Access Keys (third-party module)Version: 7.xDate: 2013-November-06Security risk: Moderately criticalExploitable from: RemoteVulnerability: Access bypassDescriptionNode Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. However, it only implements hook_node_access() and not hook_query_alter(), which means any listing of nodes does not respect the node view access.CVE identifier(s)... --------------------------------------------- https://drupal.org/node/2129379 *** SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2013-088Project: Secure Pages (third-party module)Version: 6.xDate: 2013-November-06Security risk: Less criticalExploitable from: RemoteVulnerability: Missing Encryption of Sensitive DataDescriptionThe Secure Pages module manages redirects between HTTP and HTTPS pages.A flaw in the URL path matching could lead some pages and forms to be transmitted via plain HTTP, even if the administrator intended those pages to use HTTPS. This flaw may surface either due to a... --------------------------------------------- https://drupal.org/node/2129381 *** SA-CONTRIB-2013-087 - Payment for Webform - Access Bypass *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2013-087Project: Payment for Webform (third-party module)Version: 7.xDate: 2013-November-06Security risk: Not criticalExploitable from: RemoteVulnerability: Access bypassDescriptionThis module enables you to ask for or require payments before users can submit webforms. It previously allowed anonymous users to sometimes use other anonymous users payments when submitting a form. Payment for Webform never supported anonymous users, but there was also nothing that... --------------------------------------------- https://drupal.org/node/2129373

1 0

Tageszusammenfassung - Mittwoch 6-11-2013
by Daily end-of-shift report 06 Nov '13

06 Nov '13

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 05-11-2013 18:00 − Mittwoch 06-11-2013 18:00 Handler: Stephan Richter Co-Handler: n/a *** Attacks on New Microsoft Zero Day Using Multi-Stage Malware *** --------------------------------------------- Attackers exploiting the Microsoft Windows and Office zero day revealed yesterday are using an exploit that includes a malicious RAR file as well as a fake Office document as the lure, and are installing a wide variety of malicious components on newly infected systems. The attacks seen thus far are mainly centered in Pakistan. The... --------------------------------------------- http://threatpost.com/attacks-on-new-microsoft-zero-day-using-multi-stage-m… *** Malicious PDF Analysis Evasion Techniques *** --------------------------------------------- In many exploit kits, malicious PDF files are some of the most common threats used to try to infect users with various malicious files. Naturally, security vendors invest in efforts to detect these files properly - and their creators invest in efforts to evade those vendors. Using feedback provided by the Smart Protection Network, we... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XOJob_q_Zag/ *** Asus fixt schwerwiegende Sicherheitslücke in WebStorage *** --------------------------------------------- Die Client-Software WebStorage gehört zu einer Reihe von Apps, die Asus auf seinen Android-Geräten ab Werk installiert. heise netze hatte bei Routine-Kontrollen einen Implementierungsfehler aufgedeckt. --------------------------------------------- http://www.heise.de/security/meldung/Asus-fixt-schwerwiegende-Sicherheitslu… *** Google Bots Doing SQL Injection Attacks *** --------------------------------------------- One of the things we have to be very sensitive about when writing rules for our CloudProxy Website Firewall is to never block any major search engine bot (ie., Google, Bing, Yahoo, etc..). To date, we've been pretty good about this, but every now and then you come across unique scenarios like the one in this post, that make you scratch your head and think, what if a legitimate search engine bot was being used to attack the site? Should we still allow the attack to go through? --------------------------------------------- http://blog.sucuri.net/2013/11/google-bots-doing-sql-injection-attacks.html *** Security Bulletin: IBM Sterling Certificate Wizard Shared Memory Permission Vulnerability (CVE-2013-1500) *** --------------------------------------------- The IBM Sterling Certificate Wizard is susceptible to a shared memory permission vulnerability. CVE(s): CVE-2013-1500 Affected product(s) and affected version(s): IBM Sterling Certificate Wizard: 1.3, 1.4 --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… *** Security Bulletin: Potential security vulnerability exist in the IBM Java SDKs TLS implementation that is shipped with Tivoli Netcool/OMNIbus Web GUI (CVE-2012-5081) *** --------------------------------------------- The JDKs TLS implementation does not strictly check the TLS vector length as set out in the latest RFC 5246. CVE(s): CVE-2012-5081 Affected product(s) and affected version(s): Tivoli Netcool/OMNIbus Web GUI: 7.3.0, 7.3.1, 7.4.0 --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot… *** Security Bulletin: IBM Sterling Connect:Enterprise Secure Client Shared Memory Permission Vulnerability (CVE-2013-1500) *** --------------------------------------------- The IBM Sterling Connect:Enterprise Secure Client is susceptible to a shared memory permission vulnerability. CVE(s): CVE-2013-1500 Affected product(s) and affected version(s): IBM Sterling Secure Client: 1.3, 1.4 --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… *** Vivotek IP Cameras RTSP Authentication Bypass *** --------------------------------------------- Topic: Vivotek IP Cameras RTSP Authentication Bypass Risk: High Text:Core Security - Corelabs Advisory http://corelabs.coresecurity.com Vivotek IP Cameras RTSP Authentication Bypass 1. *A... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013110038 *** Bugtraq: Open-Xchange Security Advisory 2013-11-06 *** --------------------------------------------- http://www.securityfocus.com/archive/1/529635 *** Kerberos Multi-realm KDC NULL Pointer Dereference Denial of Service Vulnerability *** --------------------------------------------- https://secunia.com/advisories/55588 *** Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco WAAS Mobile Remote Code Execution Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco TelePresence VX Clinical Assistant Administrative Password Reset Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Tweetbot for Mac / for iOS Cross-Site Request Forgery Vulnerability *** --------------------------------------------- https://secunia.com/advisories/55462 *** Arbor Peakflow X Security Bypass and Cross-Site Scripting Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/55536

1 0

Tageszusammenfassung - Dienstag 5-11-2013
by Daily end-of-shift report 05 Nov '13

05 Nov '13

======================= = End-of-Shift report = ======================= Timeframe: Montag 04-11-2013 18:00 − Dienstag 05-11-2013 18:00 Handler: Stephan Richter Co-Handler: n/a *** Switzerland to set up Swiss cloud free of NSA, GCHQ snooping (it hopes) *** --------------------------------------------- Gnomes of Zurich want spook-immune system Swisscom, the Swiss telco thats majority owned by its government, will set up a "Swiss cloud" hosted entirely in the land of cuckoo clocks and fine chocolate - and try to make the service impervious to malware and uninvited spooks. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2013/11/04/switzerland… *** Is your vacuum cleaner sending spam?, (Tue, Nov 5th) *** --------------------------------------------- Past week, a story in a Saint Petersburg (the icy one, not the beach) newspaper caught quite some attention, and was picked up by The Register [1]. The story claimed that appliances like tea kettles, vacuum cleaners and iron(y|ing) irons shipped from China and sold in Russia were discovered to contain rogue, WiFi enabled chip sets. As soon as power was applied, the vacuum cleaner began trolling for open WiFi access points, and if it found one, it would hook up to a spam relay and start ... --------------------------------------------- http://isc.sans.edu/diary.html?storyid=16958 *** When attackers use your DNS to check for the sites you are visiting, (Mon, Nov 4th) *** --------------------------------------------- Nowadays, attackers are definitely interested in checking what sites you are visiting. Depending on that information, they can setup attacks like the following: Phising websites and e-mail scams targeted to specific people so they leave their private information. Network spoofing with tools like dsniff, where attackers can tell computers that the sites they want to visit are located somewhere else, therefore enabling them to interact with victims posing like the original site. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=16955 *** Manifest: Bei XMPP/Jabber soll Verschlüsselung zur Pflicht werden *** --------------------------------------------- Entwickler und Betreiber von XMPP-/Jabber-Software und -Diensten, darunter auch der Jabber-Erfinder Jeremie Miller, wollen es zur Pflicht machen, die Kommunikation über XMPP in Zukunft zu verschlüsseln. --------------------------------------------- http://www.golem.de/news/manifest-bei-xmpp-jabber-soll-verschluesselung-zur… *** Biggest Risks in IPv6 Security Today *** --------------------------------------------- Although IPv6 packets have started to flow, network engineers still tread lightly because of lingering security concerns. Here are the top six security risks in IPv6 network security today as voted by gogoNET members, a community of 95,000 network professionals. --------------------------------------------- http://www.cio.com/article/742652/Biggest_Risks_in_IPv6_Security_Today *** WhatsApp-Backup speichert Klartext bei Apple *** --------------------------------------------- Die eingebaute Backup-Funktion des beliebten Messaging-Programms speichert auf dem iPhone alle Texte und Bilder bei Apples iCloud - und zwar völlig unverschlüsselt. --------------------------------------------- http://www.heise.de/security/meldung/WhatsApp-Backup-speichert-Klartext-bei… *** Cisco Security Notices *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013… http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013… *** Vuln: Cisco Prime Central for Hosted Collaboration Solution CVE-2013-5564 Denial of Service Vulnerability *** --------------------------------------------- Cisco Prime Central for Hosted Collaboration Solution CVE-2013-5564 Denial of Service Vulnerability --------------------------------------------- http://www.securityfocus.com/bid/63490 *** Bugtraq: ESA-2013-070: EMC Documentum Cross Site Scripting Vulnerability. *** --------------------------------------------- http://www.securityfocus.com/archive/1/529620 *** Bugtraq: ESA-2013-073: EMC Documentum eRoom Multiple Cross Site Scripting Vulnerabilities. *** --------------------------------------------- http://www.securityfocus.com/archive/1/529621 *** VU#436214: Attachmate Verastream Host Integrator Vulnerable to Arbitrary File Uploads *** --------------------------------------------- Vulnerability Note VU#436214 Attachmate Verastream Host Integrator Vulnerable to Arbitrary File Uploads Original Release date: 04 Nov 2013 | Last revised: 04 Nov 2013 Overview The Attachmate Verastream Host Integrator (VHI) is vulnerable to arbitrary file uploads. --------------------------------------------- http://www.kb.cert.org/vuls/id/436214 *** GitLab Remote code execution vulnerability in the code search feature *** --------------------------------------------- Topic: GitLab Remote code execution vulnerability in the code search feature Risk: High Text:Remote code execution vulnerability in the code search feature of GitLab There is a remote code execution vulnerability in t... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013110026 *** GitLab Remote code execution vulnerability in the SSH key upload *** --------------------------------------------- Topic: GitLab Remote code execution vulnerability in the SSH key upload Risk: High Text:# Remote code execution vulnerability in the SSH key upload feature of GitLab There is a remote code execution vulnerability... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013110025

1 0

Tageszusammenfassung - Montag 4-11-2013
by Daily end-of-shift report 04 Nov '13

04 Nov '13

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 31-10-2013 18:00 − Montag 04-11-2013 18:00 Handler: Otmar Lendl Co-Handler: Stephan Richter *** Top three recommendations for securing your personal data using cryptography, by EU cyber security Agency ENISA in new report *** --------------------------------------------- ENISA, the European Union's "cyber security" Agency today launched a report that all authorities should better promote cryptographic measure to safeguard personal data. --------------------------------------------- http://www.enisa.europa.eu/media/press-releases/top-three-recommendations-f… *** Know Your Enemy: Tracking A Rapidly Evolving APT Actor *** --------------------------------------------- Between Oct. 24-25 FireEye detected two spear-phishing attacks attributed a threat actor we have previously dubbed admin(a)338.[1] The newly discovered attacks targeted a number of organizations and were apparently focused on gathering data related to international trade, finance and economic... --------------------------------------------- http://www.fireeye.com/blog/technical/2013/10/know-your-enemy-tracking-a-ra… *** How To Avoid CryptoLocker Ransomware *** --------------------------------------------- Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from "CryptoLocker," the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim. --------------------------------------------- http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/ *** Why Motivated Attackers Often Get What They Want *** --------------------------------------------- Do you work for a company possessing information which could be of financial value to people outside the organization? Or, perhaps even a foreign state would find it useful to gain access to the documents youre storing on that shared network drive? Yes? Then congratulations, you may already be the target of a persistent and motivated attacker (who sometimes, but rarely, is also advanced).According to this CERT-FI presentation, even Finland has seen nearly a decade of these attacks. Nowadays, --------------------------------------------- http://www.f-secure.com/weblog/archives/00002632.html *** Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity *** --------------------------------------------- Among the most common misconceptions regarding the exploitation (hacking) of Web sites, is that no one would exclusively target *your* Web site, given that the there are so many high profile Web sites to hack into. In reality though, thanks to the public/commercial availability of tools relying on the exploitation of remote Web application vulnerabilities, the insecurely configured Web sites/forums/blogs, as well as the millions of malware-infected hosts internationally, virtually every Web --------------------------------------------- http://www.webroot.com/blog/2013/11/01/peek-inside-google-dorks-based-mass-… *** Secunias PSI Country Report - Q3 2013, (Fri, Nov 1st) *** --------------------------------------------- On the heels of discussing Microsofts Security Intelligence Report v15 wherein the obvious takeaway is "Windows XP be gone!", Secunias just-released PSI Country Report - Q3 2013 is an interesting supplemental read. Here are the summary details: Programs Installed: 75, from 25 different vendors 40% (30 of 75) of these programs are Microsoft programs 60% (45 of 75) of these programs are from third-party vendors Users with unpatched Operating Systems: 14.6% (WinXP, Win7, Win8, --------------------------------------------- http://isc.sans.edu/diary.html?storyid=16943&rss *** July-September 2013 *** --------------------------------------------- NOTE 1: The "ICS-CERT Monitor" newsletter offers a means of promoting preparedness, information sharing, and collaboration with the 16 critical infrastructure sectors. ICS-CERT accomplishes this on a day-to-day basis through sector briefings, meetings, conferences, and information product releases. --------------------------------------------- http://ics-cert.us-cert.gov/monitors/ICS-MM201310 *** SOHO Router Horror Stories: German Webcast with Mike Messner *** --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2013/11/04/soho-rout… *** Nordex NC2 - Cross-Site Scripting Vulnerability *** --------------------------------------------- NCCIC/ICS-CERT is aware of a public report of a Cross-Site Scripting vulnerability affecting the Nordex Control 2 (NC2) application, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the vulnerability is exploitable by allowing a specially crafted request that could execute arbitrary script code. This report was released without coordination with either the vendor or NCCIC/ICS-CERT. NCCIC/ICS-CERT is attempting to... --------------------------------------------- http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-304-01 *** VU#450646: Tiki Wiki CMS Groupware version 11.0 contains a cross-site scripting (XSS) vulnerability *** --------------------------------------------- Vulnerability Note VU#450646 Tiki Wiki CMS Groupware version 11.0 contains a cross-site scripting (XSS) vulnerability Original Release date: 31 Oct 2013 | Last revised: 31 Oct 2013 Overview Tiki Wiki CMS Groupware version 11.0 and possibly earlier versions contain a cross-site scripting (XSS) vulnerability (CWE-79). Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)Tiki Wiki CMS Groupware version 11.0 and possibly earlier versions contain a --------------------------------------------- http://www.kb.cert.org/vuls/id/450646 *** VMSA-2013-0009.2 *** --------------------------------------------- VMware vSphere, ESX and ESXi updates to third party libraries --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2013-0009.html *** TP-Link Cross Site Request Forgery Vulnerability *** --------------------------------------------- Topic: TP-Link Cross Site Request Forgery Vulnerability Risk: Medium Text:I. Introduction Today the majority of wired Internet connections is used with an embedded NAT router, which allows using ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100223 *** Zend Framework Proxied Request Processing IP Spoofing Weakness *** --------------------------------------------- https://secunia.com/advisories/55529 *** Novell ZENworks Configuration Management Directory Traversal Flaw Lets Remote Users Obtain Files *** --------------------------------------------- http://www.securitytracker.com/id/1029289 *** Security Bulletins for multiple HP Products *** --------------------------------------------- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… *** Security Bulletins for multiple IBM Products *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_inf… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul… http://www.securityfocus.com/bid/62018

1 0

Tageszusammenfassung - Donnerstag 31-10-2013
by Daily end-of-shift report 31 Oct '13

31 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 30-10-2013 18:00 − Donnerstag 31-10-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a *** VU#326830: NAS4Free version 9.1.0.1 contains a remote command execution vulnerability *** --------------------------------------------- NAS4Free version 9.1.0.1.804 and possibly earlier versions contain a remote code execution vulnerability. NAS4Free allows an authenticated user to post PHP code to an HTTP script and have the code executed remotely. By default, NAS4Free runs with root privileges. A remotely authenticated attacker can send an HTTP POST request that contains a malicious PHP file which can cause the script to run directly on the machine. --------------------------------------------- http://www.kb.cert.org/vuls/id/326830 *** Mozilla Fixes 10 Vulnerabilities with Firefox 25 *** --------------------------------------------- Mozilla released Firefox 25 yesterday, fixing 10 vulnerabilities, five of them critical. --------------------------------------------- http://threatpost.com/mozilla-fixes-10-vulnerabilities-with-firefox-25/1027… *** A New Wave of WIN32/CAPHAW Attacks - A ThreatLabZ Analysis *** --------------------------------------------- Introduction and setting the context Over the last month, the ThreatLabZ researchers have been actively monitoring a recent uptick in the numbers of Win32/Caphaw (henceforward known as Caphaw) infections that have been actively targeting users bank accounts since 2011. --------------------------------------------- http://research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html *** Silent Circle and Lavabit launch 'DarkMail Alliance' to thwart e-mail spying *** --------------------------------------------- Silent Circle CTO: "What we're getting rid of is SMTP." --------------------------------------------- http://arstechnica.com/business/2013/10/silent-circle-and-lavabit-launch-da… *** MS Security Intelligence Report Volume 15: January 2013 to June 2013 *** --------------------------------------------- The Microsoft Security Intelligence Report (SIR) analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide. Threat awareness can help you protect your organization, software, and people. --------------------------------------------- http://download.microsoft.com/download/5/0/3/50310CCE-8AF5-4FB4-83E2-03F1DA… *** Meet 'badBIOS', the mysterious Mac and PC malware that jumps airgaps *** --------------------------------------------- Like a super strain of bacteria, the rookkit plaguing Dragos Ruiu is omnipotent. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/jeFXBU0x_Vc/story01… *** Compliance Checklist: Cloud Encryption Best Practices for Banks and Insurance Companies *** --------------------------------------------- For industries whose handling of sensitive consumer data renders them subject to strict regulations, the cloud is anything but a simple choice. Before you can commit to the cloud, you'll have to understand exactly what cloud information protection measures you must take to remain in regulatory compliance. --------------------------------------------- http://blog.ciphercloud.com/compliance-checklist-cloud-encryption-practices… *** Weekly Update: Exploiting (Kind of) Popular FOSS Apps *** --------------------------------------------- - Moodle Remote Command Execution - vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution - Zabbix Authenticated Remote Command Execution - Mac OS X Persistent Payload Installer - Persistent Payload in Windows Volume Shadow Copy - and many more --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2013/10/30/weekly-up… *** Cisco IOS XE Multiple Bugs Let Remote Users Deny Service *** --------------------------------------------- http://www.securitytracker.com/id/1029277 *** Moodle Remote Command Execution *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100211 *** D-Link Backdoor Czechr Exploit *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100219 *** ISPConfig Authenticated Arbitrary PHP Code Execution *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100215

1 0

Tageszusammenfassung - Mittwoch 30-10-2013
by Daily end-of-shift report 30 Oct '13

30 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 29-10-2013 18:00 − Mittwoch 30-10-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a *** Nuclear Exploit Pack Getting More Aggresive *** --------------------------------------------- Churning through our logs, we recently observed a significant rise in the number of transactions involving the Nuclear Exploit Pack, which has been in the news for quite some time now. In the past week, we stumbled upon thousands of transactions involving the Nuclear Exploit Pack infestation. --------------------------------------------- http://research.zscaler.com/2013/10/nuclear-exploit-pack-getting-more.html *** A Tour Through The Chinese Underground *** --------------------------------------------- The Chinese underground has played host to many cybercriminals over the years. In the research brief titled Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market, we provide some details of the current state of the Chinese underground economy. Last year, we looked into this underground sector, and this brief is a continuation of those efforts. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/a-tour-through-t… *** Major Corporations Fail to Defend Against Social Engineering *** --------------------------------------------- Companies such as Apple and General Motors gave up crucial company information to social engineers during the annual Capture the Flag contest at Def Con. --------------------------------------------- http://threatpost.com/major-corporations-fail-to-defend-against-social-engi… *** iOS apps can be hijacked to show fraudulent content and intercept data *** --------------------------------------------- A large number of apps for iPhones and iPads are susceptible to hacks that cause them to surreptitiously send and receive data to and from malicious servers instead of the legitimate ones they were designed to connect to, security researchers said on Tuesday. --------------------------------------------- http://arstechnica.com/security/2013/10/ios-apps-can-be-hijacked-to-show-fr… *** New Injection Campaign Peddling Rogue Software Downloads *** --------------------------------------------- A mass injection campaign surfaced over the last two weeks that´s already compromised at least 40,000 web pages worldwide and is tricking victims into downloading rogue, unwanted software to their computer. --------------------------------------------- http://threatpost.com/new-injection-campaign-peddling-rogue-software-downlo… *** Defending Against CryptoLocker *** --------------------------------------------- CryptoLocker infections were found across different regions, including North America, Europe Middle East and the Asia Pacific. Almost two-thirds of the affected victims - 64% - were from the US. Other affected countries include the UK and Canada, with 11% and 6% of global victims, respectively. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/defending-agains… *** Analysis: Kaspersky Lab Report: Java under attack - the evolution of exploits in 2012-2013 *** --------------------------------------------- One of the biggest problems facing the IT security industry is the use of vulnerabilities in legitimate software to launch malware attacks. Malicious programs can use these vulnerabilities to infect a computer without attracting the attention of the user and, in some cases, without triggering an alert from security software. --------------------------------------------- http://www.securelist.com/en/analysis/204792310/Kaspersky_Lab_Report_Java_u… *** Microsoft sieht Rückgang der Virengefahr, aber steigende Infektionen *** --------------------------------------------- In fast allen großen Ländern habe die Zahl der 'Begegnungen mit Schad-Software' deutlich abgenommen, konstatiert der aktuelle Microsoft Security Intelligence Report. Für Entwarnung ist es jedoch zu früh - denn die Zahl der Infektionen nimmt trotzdem zu. --------------------------------------------- http://www.heise.de/security/meldung/Microsoft-sieht-Rueckgang-der-Virengef… *** Joomla! Media Manager allows arbitrary file upload and execution *** --------------------------------------------- A vulnerability has been discovered in older versions of the Joomla! content management software that allow an authenticated attacker to upload active content through the media manager form ('administrator/components/com_media/helpers/media.php'). Joomla! allows files with a trailing '.' to pass the upload checks. --------------------------------------------- http://www.kb.cert.org/vuls/id/639620 *** Apples Siri is helping users bypass iOS security *** --------------------------------------------- Siri was designed to be an effective personal assistant, but since the release of iOS 7, the artificial intelligence is bringing the bad with the good. --------------------------------------------- http://www.scmagazine.com/apples-siri-is-helping-users-bypass-ios-security/… *** [remote] - Apache / PHP 5.x Remote Code Execution Exploit *** --------------------------------------------- +++ Betrifft veraltete Versionen +++ Unaffected versions are patched by CVE-2012-1823. --------------------------------------------- http://www.exploit-db.com/exploits/29290 *** Vuln: Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-5599 Remote Memory Corruption Vulnerability *** --------------------------------------------- +++ Betrifft veraltete Versionen +++ --------------------------------------------- http://www.securityfocus.com/bid/63423 *** ASUS RT-N13U Backdoor Account *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100206 *** Vuln: XAMPP for Windows Multiple Cross Site Scripting and SQL Injection Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/53979 *** Citrix XenDesktop Upgrade Feature Bug Lets Remote Authenticated Users Bypass Policy Controls *** --------------------------------------------- http://www.securitytracker.com/id/1029263 *** WordPress MoneyTheme Cross Site Scripting / Shell Upload *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100199 *** WordPress Curvo Shell Upload *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100197 *** Google Play Billing Bypass *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100203 *** sup Remote Command Execution *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100202

1 0

Tageszusammenfassung - Dienstag 29-10-2013
by Daily end-of-shift report 29 Oct '13

29 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Montag 28-10-2013 18:00 − Dienstag 29-10-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a *** Hintergrund: iOS-Virenscanner mit zweifelhaftem Nutzen *** --------------------------------------------- Avira hat eine Virenschutz-App für iOS herausgegeben, die vor schadhaften Prozessen schützen soll. Welche das sind und wie diese erkannt werden, verrät das Unternehmen nicht. --------------------------------------------- http://www.heise.de/security/artikel/iOS-Virenscanner-mit-zweifelhaftem-Nut… *** Exploit cocktail (Struts, Java, Windows) going after 3-month old vulnerabilities *** --------------------------------------------- When ISC reader Yin reported earlier today that one of their servers had been hacked via the Apache Struts remote command execution vulnerability (CVE-2013-2251), at first this was flagged as "business as usual". Said vulnerability, after all, is known since July, and weve been seeing exploit attempts since early August (diary here). --------------------------------------------- http://isc.sans.edu/diary.html?storyid=16913 *** ATM malware Ploutus updated with English-language version *** --------------------------------------------- The Spanish-language ATM malware, which allowed attackers in Mexico to force ATMs to spit out cash, now has an updated English-language version. --------------------------------------------- http://www.scmagazine.com//atm-malware-ploutus-updated-with-english-languag… *** Adobe Breach Impacted At Least 38 Million Users *** --------------------------------------------- The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the companys Photoshop family of graphical design products. --------------------------------------------- http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-millio… *** Analysis: Spam in September 2013 *** --------------------------------------------- In September, the proportion of world spam in mail traffic continued to decline and reached 66%. As always the spammers focused on advertising seasonal goods and services. For example, the number of offers related to energy saving and insulating buildings increased significantly. --------------------------------------------- http://www.securelist.com/en/analysis/204792309/Spam_in_September_2013 *** Routerpwn *** --------------------------------------------- Routerpwn is a web application that helps you in the exploitation of vulnerabilities in residential routers. It is a compilation of ready to run local and remote web exploits. --------------------------------------------- http://www.routerpwn.com/ *** Windows XP ist und bleibt ein hochriskantes System *** --------------------------------------------- Im aktuellen Security Intelligence Report (SIR) warnt Microsoft erneut vor Windows XP. Sicherheits-Chef Tim Rains verteidigt die Entscheidung, den Support einzustellen. --------------------------------------------- http://futurezone.at/digital-life/windows-xp-ist-und-bleibt-ein-hochriskant… *** Internet Safety - Tips for Parents *** --------------------------------------------- Internet basics can be as straightforward as pushing buttons or clicking a mouse. Understanding how youth use the Internet, however, can be an overwhelming task, especially for adults who don't spend much time online. --------------------------------------------- http://bc.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=87&languageId=1&content… *** Cyber Security Assesment Netherlands *** --------------------------------------------- Cybercrime and digital espionage remain the biggest threats to both governments and the business community. The threat of disruption of online services has increased. Clearly visible in the past year has been the rise of the criminal cyber services sector. Cyber-attack tools are made commercially available through `cybercrime as a service´. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/cyber-security-assesment-ne… *** Social media and digital identity. Prevention and incident response *** --------------------------------------------- The hack of a social media account is a common incident that could have a serious impact of our digital identity. How to prevent it? What to do in case of hack? --------------------------------------------- http://securityaffairs.co/wordpress/19143/cyber-crime/social-media-security… *** Angebliches Fritzbox-Fax entpuppt sich als Trojaner *** --------------------------------------------- Schadhafte E-Mails, die sich als Fax-Benachrichtigungen einer Fritzbox tarnen, verbreiten sich momentan rapide. In dem beigefügten Zip-Archiv befindet sich nicht etwa ein Fax, sondern ein Trojaner. --------------------------------------------- http://www.heise.de/security/meldung/Angebliches-Fritzbox-Fax-entpuppt-sich… *** Facebook Android Flaws Enable Any App to Get User's Access Tokens *** --------------------------------------------- A researcher has discovered serious vulnerabilities in the main Facebook and Facebook Messenger apps for Android that enable any other app on a device to access the user's Facebook access token and take over her account. --------------------------------------------- http://threatpost.com/facebook-android-flaws-enable-any-app-to-get-users-ac… *** [webapps] - Pirelli Discus DRG A125g - Password Disclosure Vulnerability. *** --------------------------------------------- http://www.exploit-db.com/exploits/29262 *** DSA-2786 icu *** --------------------------------------------- http://www.debian.org/security/2013/dsa-2786 *** vBulletin 4.1.x / 5.x.x Administrative User Injection *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100192 *** MobileIron 4.5.4 Cross Site Scripting *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100190 *** SAP Financial Services Statutory Reporting for Insurance (FS-SR) Unspecified Flaw Lets Remote Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1029256

1 0

Tageszusammenfassung - Montag 28-10-2013
by Daily end-of-shift report 28 Oct '13

28 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Freitag 25-10-2013 18:00 − Montag 28-10-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a *** Email contains phishing scam, not iPhone 5S *** --------------------------------------------- A new phishing email circulating the globe is preying on Apple fans who cant wait to get their hands on the coming iPhone 5S and iPhone 5c devices. --------------------------------------------- http://www.scmagazine.com/email-contains-phishing-scam-not-iphone-5s/articl… *** Blog: Cryptolocker Wants Your Money! *** --------------------------------------------- A new ransomware Trojan is on the loose. The attackers give you roughly three days to pay them, otherwise your data is gone forever. --------------------------------------------- http://www.securelist.com/en/blog/208214109/Cryptolocker_Wants_Your_Money *** Blog-Software Wordpress 3.7 aktualisiert sich selbst *** --------------------------------------------- In der neuen Version 3.7 hält sich die Blog-Software Wordpress selbst aktuell: Sicherheitsupdates werden künftig im Hintergrund automatisch eingespielt, wenn die Konfiguration das zulässt. Weitere Neuerungen dienen ebenfalls vorrangig der Sicherheit. --------------------------------------------- http://www.heise.de/security/meldung/Blog-Software-Wordpress-3-7-aktualisie… *** Periodic Connections to Control Server Offer New Way to Detect Botnets *** --------------------------------------------- A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters. --------------------------------------------- http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-… *** Improving Hadoop Security with Host Intrusion Detection (Part 2) *** --------------------------------------------- This is a continuation of our previous post on Hadoop security. As we mentioned in our earlier post, we can use OSSEC to monitor for the file integrity of these existing Hadoop and HBase systems. OSSEC creates logs which a system administrator can use to check for various system events. It´s worth noting that big data systems ... --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/improving-hadoop… *** Active Perl/Shellbot Trojan *** --------------------------------------------- ISC received a submission from Zach of a Perl/Shellbot.B trojan served by fallencrafts[.]info/download/himad.png. The trojan has limited detection on Virustotal and the script contains a 'hostauth' of sosick[.]net[3] and the IRC server where the compromised systems are connecting to is located at 89.248.172.144. What we have so far, it appears it is exploiting older version of Plesk. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=16907&rss *** LinkedIn kann Mails mitlesen *** --------------------------------------------- Die kürzlich eingeführte Intro-Technik für iOS bringt dem Berufsnetzwerk Kritik ein: Sie sei ein Traum für Angreifer und Sicherheitsdienste. Die Firma verteidigt sich: Alles sei sicher und man respektiere die Privatsphäre der Nutzer. --------------------------------------------- http://www.heise.de/security/meldung/LinkedIn-kann-Mails-mitlesen-2034490.h… *** Einbruch bei Buffer *** --------------------------------------------- Der Social-Media-Dienst wurde gestern gehackt. Laut Unternehmensblog sollen weder Passwörter noch Kreditkarteninformationen abhanden gekommen sein. --------------------------------------------- http://www.heise.de/security/meldung/Einbruch-bei-Buffer-2034519.html *** Storewize: IBM warnt vor Sicherheitslücke in Storage-Systemen *** --------------------------------------------- In den SAN-Controllern der Serie Storewize von IBM steckt eine Lücke, mit der ein Angreifer die Konfiguration ändern und auch Daten löschen kann. Abhilfe schafft ein Firmware-Update, das schon bereitsteht. (IBM, Netzwerk) --------------------------------------------- http://www.golem.de/news/storewize-ibm-warnt-vor-sicherheitsluecke-in-stora… *** End User Devices Security and Configuration Guidance *** --------------------------------------------- UK Gov Configuration guidance for the following platforms: End User Devices Security Guidance: Windows Phone 8 End User Devices Security Guidance: Android 4.2 End User Devices Security Guidance: Windows 7 and Windows 8 End User Devices Security Guidance: Ubuntu 12.04 End User Devices Security Guidance: Windows 8 RT ... --------------------------------------------- https://www.gov.uk/government/collections/end-user-devices-security-guidanc… *** Bypassing security scanners by changing the system language *** --------------------------------------------- Luiz Eduardo and Joaquim Espinhara´s found that the majority of pentesting tools analyze specific problems in web applications - such as SQL injection - via the return messages that are provided by the application, and not by the error code that is reported by the database management system. So, what would happen if the setup language was not English, but Chinese or Portuguese? As their research showed, if the target SQL server doesnt use English by default, the scanners wont be able to --------------------------------------------- http://www.net-security.org/secworld.php?id=15832 *** Cisco Identity Services Engine contains an input validation vulnerability *** --------------------------------------------- Vulnerability Note VU#952422 Cisco Identity Services Engine contains an input validation vulnerability Original Release date: 28 Oct 2013 | Last revised: 28 Oct 2013 Overview Cisco Identity Services Engine contains an input validation vulnerability (CWE-20). Description CWE-20: Improper Input ValidationCisco Identity Services Engine (ISE) contains an input validation vulnerability. --------------------------------------------- http://www.kb.cert.org/vuls/id/952422 *** I challenged hackers to investigate me and what they found out is chilling *** --------------------------------------------- It´s my first class of the semester at New York University. I´m discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message. --------------------------------------------- http://pandodaily.com/2013/10/26/i-challenged-hackers-to-investigate-me-and… *** Spam-Versender. Schauen Sie doch mal bitte in Ihren Junk-Ordner *** --------------------------------------------- Werbefilter funktionieren inzwischen ziemlich zuverlässig. Das wissen auch die Spam-Versender. Deshalb schicken sie noch eine zweite Nachricht hinterher. --------------------------------------------- http://www.heise.de/security/meldung/Spam-Versender-Schauen-Sie-doch-mal-bi… *** Scan Shows 65% of ReadyNAS Boxes on Web Vulnerable to Critical Bug *** --------------------------------------------- It´s been known for some time now several months, in fact that there is a critical, remotely exploitable vulnerability in some of Netgear´s ReadyNAS storage boxes, and a patch has been available since July. However, many of the boxes exposed to the Web are still vulnerable, and a recent scan by HD Moore of Rapid7 found that ... --------------------------------------------- http://threatpost.com/scan-shows-65-of-readynas-boxes-on-web-vulnerable-to-… *** Vuln: Cisco Catalyst 3750 Series Switches Default Credentials Security Bypass Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/63342 *** Bugtraq: Multiple CSRF Horde Groupware Web mail Edition 5.1.2 *** --------------------------------------------- http://www.securityfocus.com/archive/1/529466 *** Bugtraq: DD-WRT v24-sp2 Command Injection *** --------------------------------------------- http://www.securityfocus.com/archive/1/529463 *** Apache Struts2 showcase multiple XSS *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100185 *** DSA-2787 roundcube *** --------------------------------------------- http://www.debian.org/security/2013/dsa-2787 *** Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection Exploit. *** --------------------------------------------- http://www.exploit-db.com/exploits/29023 *** GnuPG Side-Channel Attack Lets Local Users Recover RSA Secret Keys *** --------------------------------------------- http://www.securitytracker.com/id/1029242 *** DSA-2785 chromium-browser *** --------------------------------------------- http://www.debian.org/security/2013/dsa-2785

1 0

Tageszusammenfassung - Freitag 25-10-2013
by Daily end-of-shift report 25 Oct '13

25 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 24-10-2013 18:00 − Freitag 25-10-2013 18:00 Handler: Stephan Richter Co-Handler: n/a *** Periodic Links to Control Server Offer New Way to Detect Botnets *** --------------------------------------------- A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters. The following pie […] --------------------------------------------- http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-… *** DDoS mitigation firm notes dramatic increase in reflection attack style *** --------------------------------------------- Between Q3 2012 and Q3 2013, distributed reflection denial-of-service (DrDoS) attacks increased 265 percent, a global attack report found. --------------------------------------------- http://www.scmagazine.com/ddos-mitigation-firm-notes-dramatic-increase-in-r… *** LinkedIn Intro App Equivalent to Man in the Middle Attack, Experts Say *** --------------------------------------------- LinkedIn’s release of its Intro app yesterday for Apple iOS mobile devices raised more than a few eyebrows for behaviors that are tantamount to a man-in-the-middle attack, experts said. --------------------------------------------- http://threatpost.com/linkedin-intro-app-equivalent-to-man-in-the-middle-at… *** Evasive Tactics: Terminator RAT *** --------------------------------------------- FireEye Labs has been tracking a variety of APT threat actors that have been slightly changing their tools, techniques and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Aumlib, the malware used in the attack... --------------------------------------------- http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tact… *** Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot *** --------------------------------------------- Thanks to the growing adoption of mobile banking, in combination with the utilization of mobile devices to conduct financial transactions, opportunistic cybercriminals are quickly capitalizing on this emerging market segment. Made evident by the release of Android/BlackBerry compatible mobile malware bots. This site is empowering potential cybercriminals with the necessary ‘know-how’ when it comes to ‘cashing out’ compromised accounts of E-banking victims who have... --------------------------------------------- http://www.webroot.com/blog/2013/10/25/cybercriminals-release-new-commercia… *** OSX/Leverage.a Analysis *** --------------------------------------------- A few days ago, a new OSX malware was detected in the wild. It looks like a picture and behaves like it when you click on it. Everything looks fine when the clicked picture is opened on the screen, but the malware also performs some other actions. After the first look, we saw that the malware copies itself to /Users/Shared/UserEvent.app with the ditto command, and creates a LaunchAgent to load itself when the computer starts with these shell commands: mkdir ~/Library/LaunchAgents echo --------------------------------------------- http://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis *** PHP.net zur Verbreitung von Malware missbraucht *** --------------------------------------------- Entgegen früherer Aussagen der Administratoren wurde die Projektseite von PHP doch Opfer eines Hackerangriffs. Zwei Server wurden gekapert und zur Verteilung von Schadcode eingesetzt. --------------------------------------------- http://www.heise.de/security/meldung/PHP-net-zur-Verbreitung-von-Malware-mi… *** ProSoft Technology RadioLinx ControlScape PRNG Vulnerability *** --------------------------------------------- RadioLinx ControlScape is prone to a predictable random number generator weakness. Attackers can leverage this weakness to aid in brute-force attacks. Other attacks are also possible. --------------------------------------------- http://www.securityfocus.com/bid/62238/ http://ics-cert.us-cert.gov/advisories/ICSA-13-248-01 *** Vuln: OpenStack Keystone Tokens Validation CVE-2013-4222 Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/61725 *** Vuln: OpenStack Nova CVE-2013-4261 Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/62200 *** Vuln: OpenStack Nova CVE-2013-4278 Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/62016 *** CA SiteMinder Input Validation Flaw Permits Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1029237 *** libvirt API Access Control Flaw Lets Remote Authenticated Users Deny Service *** --------------------------------------------- http://www.securitytracker.com/id/1029241 *** Vuln: GnuTLS CVE-2013-4466 libdane/dane.c Remote Buffer Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/63326 *** Vuln: VICIDIAL manager_send.php CVE-2013-4468 Command Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/63288 *** Security Bulletin: Tivoli Netcool/OMNIbus Web GUI - IBM WebSphere Application Server PM44303 security bypass (CVE-2012-3325) and Hash denial of service (CVE-2011-4858) *** --------------------------------------------- CVE-2012-3325: After installing an Interim Fix for PM44303 or a Fix Pack containing PM44303, there is a potential security exposure with IBM WebSphere Application Server. CVE-2011-4858: Potential Denial of Service (DoS) security exposure when using web-based applications due to Java HashTable implementation vulnerability. --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_tiv…

1 0

Tageszusammenfassung - Donnerstag 24-10-2013
by Daily end-of-shift report 24 Oct '13

24 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 23-10-2013 18:00 − Donnerstag 24-10-2013 18:00 Handler: Stephan Richter Co-Handler: n/a *** Neutrino: Caught in the Act *** --------------------------------------------- Last week, we got a tip from Kafeine about hacked sites serving injected iframes leading to an exploit kit. We thought it was quite interesting so we looked at one of the infected websites and found this sneaky piece of code: The deobfuscated code shows the location from where the... --------------------------------------------- http://www.f-secure.com/weblog/archives/00002626.html *** Neue und alte Router-Lücken bei Netgear, Tenda und DrayTek *** --------------------------------------------- Sicherheitsexperten haben eine Hintertür in Routern der WNDR-Reihe von Netgear gefunden, die ohne Passwort-Abfrage vollen Zugrif auf das Gerät erlaubt. Bei Modellen der Firmen Tenda und DrayTek kann man Schadcode ausführen, ohne sich einloggen zu müssen. --------------------------------------------- http://www.heise.de/security/meldung/Neue-und-alte-Router-Luecken-bei-Netge… *** Industrial software flaw could allow manipulation of energy processes *** --------------------------------------------- The vulnerability lies in industrial automation software that uses a weak encryption algorithm for user authentication, researchers at IOActive found. --------------------------------------------- http://www.scmagazine.com/industrial-software-flaw-could-allow-manipulation… *** Bugtraq: ESA-2013-067: RSA® Authentication Agent for Web for Internet Information Services (IIS) Security Controls Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/529394 *** Bugtraq: RPS/APS vulnerability in snom/yealink and others *** --------------------------------------------- http://www.securityfocus.com/archive/1/529397 *** Security Bulletin: IBM Flex System Manger expired USERID password vulnerability (CVE-2013-5424) *** --------------------------------------------- Security Bulletin: IBM Flex System Manger expired USERID password vulnerability (CVE-2013-5424) Affected product(s) and affected version(s): IBM Flex System Manager Node, Types 7955, 8731, 8734 all models, Version 1.3.0 --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… *** Cisco IOS XR Software Route Processor Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Multiple Vulnerabilities in Cisco Identity Services Engine *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Secure ACS Distributed Deployment Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013… *** Vuln: Multiple Cisco Appliances CVE-2013-5537 Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/63280 *** Vuln: Joomla! Maian15 Component name Parameter Arbitrary Shell Upload Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/63287 *** Vuln: Drupal Spaces Module Access Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/63305 *** WordPress Blue Wrench Video Widget Plugin Cross-Site Request Forgery Vulnerability *** --------------------------------------------- https://secunia.com/advisories/55456

1 0

Tageszusammenfassung - Mittwoch 23-10-2013
by Daily end-of-shift report 23 Oct '13

23 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 22-10-2013 18:00 − Mittwoch 23-10-2013 18:00 Handler: Stephan Richter Co-Handler: n/a *** WellinTech KingView ActiveX Vulnerabilities *** --------------------------------------------- OVERVIEW: This advisory is a follow-up to the alert titled ICS-ALERT-13-256-01 WellinTech KingView ActiveX Vulnerabilitiesa that was published September 13, 2013, on the NCCIC/ICS-CERT Web site. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-13-295-01 *** Apache Fixes Information Disclosure Vulnerability in Shindig *** --------------------------------------------- The Apache Software Foundation released a new version of Shindig, a framework for web applications, yesterday, fixing what the collective has deemed an important information disclosure vulnerability. --------------------------------------------- http://threatpost.com/apache-fixes-information-disclosure-vulnerability-in-… *** Xerox WorkCentre and ColorQube Let Remote Users Gain Unauthorized Access *** --------------------------------------------- A vulnerability was reported in Xerox WorkCentre and ColorQube. A remote user can gain unauthorized access. --------------------------------------------- http://www.securitytracker.com/id/1029224 *** Security Bulletins: Vulnerability in XenDesktop 7.0 upgrade could result in policy bypass *** --------------------------------------------- A vulnerability has been identified in Citrix XenDesktop 7.0 that could prevent policy rules from being correctly applied following an upgrade from earlier versions of Citrix XenDesktop. --------------------------------------------- http://support.citrix.com/article/CTX138627 *** MantisBT 1.2.15 XSS vulnerability *** --------------------------------------------- Topic: MantisBT 1.2.15 XSS vulnerability Risk: Low Text:Greetings Roland Becker (MantisBT developer) discovered and fixed [1] an XSS vulnerability issue affecting MantisBT releases... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100159 *** Fixes from Apple (iOS 7.0.3, OS X Mavericks v10.9, Safari 6.1, Keynote 6.0, OS X Server 3.0, Remote Desktop, iTunes 11.1.2) *** --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2013/Oct/msg00002.ht… http://prod.lists.apple.com/archives/security-announce/2013/Oct/msg00003.ht… http://prod.lists.apple.com/archives/security-announce/2013/Oct/msg00004.ht… http://prod.lists.apple.com/archives/security-announce/2013/Oct/msg00005.ht… http://prod.lists.apple.com/archives/security-announce/2013/Oct/msg00006.ht… http://prod.lists.apple.com/archives/security-announce/2013/Oct/msg00007.ht… http://prod.lists.apple.com/archives/security-announce/2013/Oct/msg00008.ht… http://prod.lists.apple.com/archives/security-announce/2013/Oct/msg00009.ht…

1 0

Tageszusammenfassung - Dienstag 22-10-2013
by Daily end-of-shift report 22 Oct '13

22 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Montag 21-10-2013 18:00 − Dienstag 22-10-2013 18:00 Handler: Stephan Richter Co-Handler: n/a *** Fake Dropbox Password Reset Spam Leads to Malware *** --------------------------------------------- A new spam campaign has been circulating over the last few weeks in hopes of duping users of the popular cloud storage service Dropbox. The e-mails purport to come from the service but instead lead those who click through to a malware landing page. --------------------------------------------- http://threatpost.com/fake-dropbox-password-reset-spam-leads-to-malware/102… *** New DIY compromised hosts/proxies syndicating tool spotted in the wild *** --------------------------------------------- Compromised, hacked hosts and PCs are a commodity in underground markets today. More cybercriminals are populating the market segment with services tailored to fellow cybercriminals looking for access to freshly compromised PCs to be later abused in a variety of fraudulent/malicious ways, all the while taking advantage of their clean IP reputation. Naturally, once the commoditization took place, cybercriminals quickly realized that the supply of such hosts also shaped several different market... --------------------------------------------- http://www.webroot.com/blog/2013/10/21/new-diy-compromised-hostsproxies-syn… *** Cryptolocker Update, Request for Info, (Tue, Oct 22nd) *** --------------------------------------------- It was briefly mentioned in a previous posting, but the Cryptolocker ransomware is still going strong. In essence, post infection is encrypts all of your "document" files based on file extension and then gives the user 72 hours to pay the ransom ($300 USD or 2 BTC). It is one f the few pieces of ransomware that does encryption right so at present, short of paying the ransom, there is no other means to decrypt. Bleeping Computer has a good write up, but below are the TL;DR highlights. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=16871&rss *** Touch ID: Biometrics Dont Make For Good Passwords *** --------------------------------------------- Theres an Apple event scheduled for tomorrow which will showcase this years iPad lineup. Among the more credible rumors is that at least one version of the iPad will include Apples Touch ID, its fingerprint identity sensor.And so it seems somewhat inevitable that all of our "smart" devices will soon include fingerprint readers.That being the case, we strongly recommend the following by @dustinkirkland: • Fingerprints are Usernames, not PasswordsWe welcome intelligent use of --------------------------------------------- http://www.f-secure.com/weblog/archives/00002624.html *** Defending Against Crypto Backdoors *** --------------------------------------------- We already know the NSA wants to eavesdrop on the Internet. It has secret agreements with telcos to get direct access to bulk Internet traffic. It has massive systems like TUMULT, TURMOIL, and TURBULENCE to sift through it all. And it can identify ciphertext -- encrypted information -- and figure out which programs could have created it. But what the... --------------------------------------------- https://www.schneier.com/blog/archives/2013/10/defending_again_1.html *** Security Bulletins: Citrix XenServer Multiple Security Updates *** --------------------------------------------- A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 6.2. --------------------------------------------- http://support.citrix.com/article/CTX139295 *** Vuln: 7T Interactive Graphical SCADA System Multiple Security Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/46936 *** WordPress Portable phpMyAdmin Plugin Security Bypass Security Issue *** --------------------------------------------- https://secunia.com/advisories/55270 *** WatchGuard Extensible Threat Management and System Manager Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/55388 *** Vuln: D-Link DIR-605L CAPTCHA Data Stack Based Buffer Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/56330 *** Bugtraq: [CVE-2013-2751, CVE-2013-2752] NETGEAR ReadyNAS Remote Root *** --------------------------------------------- http://www.securityfocus.com/archive/1/529364 *** Cisco ASA VPN Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the VPN authentication code that handles parsing of the username from the certificate on the Cisco ASA firewall could allow an unauthenticated, remote attacker to cause a reload of the affected device. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013… *** Security Bulletin: IBM SONAS fix available for Cross Frame Scripting vulnerability via Graphical User Interface (CVE-2013-5376) *** --------------------------------------------- An issue in IBM SONAS allows remote attackers to access the system as an authorized administrative user. --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… *** Security Bulletin: IBM SONAS Fix Available for SONAS Cross Protocol Vulnerability (CVE-2013-0500) *** --------------------------------------------- IBM SONAS includes a flaw in the handling of special files created by an NFS client resulting in a vulnerability reported against IBM SONAS. --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… *** IBM WebSphere Message Broker and IBM Integration Bus Security Vulnerability: XML4J denial of service attack (CVE-2013-5372) *** --------------------------------------------- XML4J is vulnerable to a denial of service attack triggered by a specially crafted XML document --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21653087 *** IBM Domino / iNotes Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/55405 https://secunia.com/advisories/55409 *** IBM WebSphere DataPower XC10 Two Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/55402 *** F5 BIG-IP Traffic Management Microkernel Component Lets Remote Users Deny Service *** --------------------------------------------- http://www.securitytracker.com/id/1029220

1 0

Tageszusammenfassung - Montag 21-10-2013
by Daily end-of-shift report 21 Oct '13

21 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Freitag 18-10-2013 18:00 − Montag 21-10-2013 18:00 Handler: Stephan Richter Co-Handler: n/a *** Card Data Siphon with Google Analytics *** --------------------------------------------- The introduction of EMV (Chip & Pin) payment devices in 2003 resulted in a rapid decline in physical credit card cloning in Europe. EMV technology has also led to an increase in attacks on e-commerce systems targeting cardholder data. Each year, Trustwave SpiderLabs investigates hundreds of incidents of data compromise. I work on some of these investigations and occasionally get to evaluate some rather unusual attack vectors. This blog post details a novel data extraction technique using... --------------------------------------------- http://blog.spiderlabs.com/2013/10/card-data-siphon-with-google-analytics.h… *** New tricks that may bring DNS spoofing back or: "Why you should enable DNSSEC even if it is a pain to do", (Mon, Oct 21st) *** --------------------------------------------- Recently, two papers independently outlined new attacks against DNS, undermining some of the security features protecting us from DNS spoofing. As Dan Kaminsky showed [1], 16 bit query IDs are an insufficient protection against DNS spoofing. As a result, DNS servers started to randomize the source port of DNS queries in order to make DNS spoofing harder. This was never meant to "fix" DNS spoofing, but worked well enough for DNSSEC to be pushed back yet again. Overall, to --------------------------------------------- http://isc.sans.edu/diary.html?storyid=16859&rss *** Darkleech in Europe, Middle East and Africa *** --------------------------------------------- In a previous blog post, we discussed how Darkleech-related malware wound up on a FireEye partner’s website. We followed up with a post detailing a major wave of Darkleech activity linked to a major global malvertising campaign. In this post,... --------------------------------------------- http://www.fireeye.com/blog/corporate/2013/10/darkleech-in-europe-middle-ea… *** Threatpost News Wrap, October 18, 2013 *** --------------------------------------------- Dennis Fisher and Mike Mimoso discuss the big stories of the last couple of weeks, including the grassroots effort to audit the TrueCrypt source code, the Apple iMessage security model and Yahoo enabling SSL by default. --------------------------------------------- http://threatpost.com/threatpost-news-wrap-october-18-2013/102624 *** Bugtraq: OWASP Vulnerable Web Applications Directory Project *** --------------------------------------------- The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors and penetration testers to put in practice their knowledge and skills during training... --------------------------------------------- http://www.securityfocus.com/archive/1/529293 *** DNP3 Implementation Vulnerability *** --------------------------------------------- OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk reported an improper input validation vulnerability to NCCIC/ICS-CERT that was evident in numerous slave and/or master station software products. The researchers emphasize that the vulnerability is not with the DNP3 stack but with the implementation. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-13-291-01 *** Yet Another WHMCS SQL Injection Exploit, (Sat, Oct 19th) *** --------------------------------------------- WHMCS, a popular billing/support/customer management system, is still suffering from critical SQL injection issues. Today, yet another vulnerability, including exploit was released... --------------------------------------------- http://isc.sans.edu/diary.html?storyid=16853&rss *** Vuln: WordPress Quick Paypal Payments Plugin Multiple HTML Injection Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/63213 *** Wordpress WooCommerce Plugin 2.0.17 Cross-Site Scripting Vulnerability *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100127 *** Wordpress spreadsheet Plugin Cross site scripting *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100130 *** Cisco Unified Computing System Bugs Let Remote Users Conduct Man-in-the-Middle Attacks and Obtain Information and Let Local Users View Files *** --------------------------------------------- http://www.securitytracker.com/id/1029209 *** Vuln: OpenLDAP rwm_conn_destroy Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/63190 *** IBM WebSphere Partner Gateway Java Spoofing and Denial of Service Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/55406 *** Vulnerability Note VU#303900 - SAP Sybase Adaptive Server Enterprise vulnerable to XML injection *** --------------------------------------------- SAP Sybase Adaptive Server Enterprise Version 15.7 ESD 2 and possibly earlier versions contains an XML injection vulnerability (CWE-91). --------------------------------------------- http://www.kb.cert.org/vuls/id/303900

1 0

Tageszusammenfassung - Freitag 18-10-2013
by Daily end-of-shift report 18 Oct '13

18 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 17-10-2013 18:00 − Freitag 18-10-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a *** You´re infected - if you want to see your data again, pay us $300 in Bitcoins *** --------------------------------------------- Ransomware comes of age with unbreakable crypto, anonymous payments. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/VLDxuwIP36Q/story01… *** DNS-Experten diskutieren Risiken neuer Angriffsszenarien *** --------------------------------------------- Forscher beschreiben Angriffsszenarien auf das Domain Name System, bei dem die Fragmentierung von IP-Paketen ausgenutzt wird. --------------------------------------------- http://www.heise.de/security/meldung/DNS-Experten-diskutieren-Risiken-neuer… *** Kankan - eine chinesische Trojaner-Geschichte *** --------------------------------------------- Die Analysten von Eset haben eine mysteriöse Geschichte über einen Trojaner zusammengetragen, der vor allem in China Verbreitung fand. Die Bestandteile: infizierte PCs und Smartphones, ein reumütiger Software-Hersteller und mehrere offene Rätsel. --------------------------------------------- http://www.heise.de/security/meldung/Kankan-eine-chinesische-Trojaner-Gesch… *** Got a mobile phone? Then youve got a Trojan problem too *** --------------------------------------------- This time it´s personal Something wonderful has happened: phones have got smart, but the bad news is they may open the door to those you don´t want to let in. --------------------------------------------- http://www.theregister.co.uk/2013/10/18/feature_mobile_security_malware/ *** VMware Release Multiple Security Updates *** --------------------------------------------- VMware released the following security updates. The first one is VMSA-2013-0012 which address multiple vulnerabilities in vCenter Server, vSphere Update Manager, ESXi and ESX. The second is VMSA-2013-0006.1 which address multiple vulnerabilities in vCenter Server Appliances and vCenter Server running on Windows. The last is VMSA-2013-0009.1 which address multiple vulnerabilities in vCenter Server, ESX and ESXi that updates third party libraries. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=16847&rss *** Fiendish CryptoLocker ransomware: Whatever you do, dont PAY *** --------------------------------------------- Create remote backups before infection, advise infosec bods Vid A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds. --------------------------------------------- http://www.theregister.co.uk/2013/10/18/cryptolocker_ransmware/ *** Sybase Adaptive Server Enterprise XML injection *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/88105 *** cPanel CloudFlare Plugin Unspecified Privilege Escalation Vulnerability *** --------------------------------------------- https://secunia.com/advisories/55273 *** osCommerce Flaws Permit Cross-Site Scripting and Cross-Site Request Forgery Attacks to Create New Admin Accounts *** --------------------------------------------- http://www.securitytracker.com/id/1029189 *** Level One Enterprise Access Points Password Disclosure *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100123 *** Bugtraq: CSRF vulnerability in LinkedIn *** --------------------------------------------- http://www.securityfocus.com/archive/1/529270 *** Summary for October 2013 - Version: 1.1 *** --------------------------------------------- http://technet.microsoft.com/en-za/security/bulletin/ms13-oct

1 0

Tageszusammenfassung - Donnerstag 17-10-2013
by Daily end-of-shift report 17 Oct '13

17 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 16-10-2013 18:00 − Donnerstag 17-10-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a *** Bug Hunters Find 25 ICS, SCADA Vulnerabilities *** --------------------------------------------- A trio of researchers have uncovered 25 security vulnerabilities in various supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols. --------------------------------------------- http://threatpost.com/bug-hunters-find-25-ics-scada-vulnerabilities/102599 *** Researchers uncover holes that open power stations to hacking *** --------------------------------------------- Hacks could cause power outages and dont need physical access to substations. --------------------------------------------- http://arstechnica.com/security/2013/10/researchers-uncover-holes-that-open… *** Raising awareness quickly: A look at basic password hygiene *** --------------------------------------------- Rapid7s tips for strengthing your first line of defense --------------------------------------------- http://www.csoonline.com/article/741540/raising-awareness-quickly-a-look-at… *** Mass iFrame injection campaign leads to Adobe Flash exploits *** --------------------------------------------- We´ve intercepted an ongoing malicious campaign, relying on injected/embedded iFrames at Web sites acting as intermediaries for a successful client-side exploits to take place. Let´s dissect the campaign, expose the malicious domains portfolio/infrastructure it relies on, as well as directly connect it with historical malicious activity, in this particular case, a social engineering campaign pushing fake browser updates. --------------------------------------------- http://www.webroot.com/blog/2013/10/17/mass-iframe-injection-campaign-leads… *** Top 20 Free Digital Forensic Investigation Tools for SysAdmins *** --------------------------------------------- Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it´s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics. --------------------------------------------- http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-fo… *** Hintergrund: Standardpasswörter kein Sicherheitsrisiko? *** --------------------------------------------- Das ICS-CERT, zuständig für kritische Infrastruktur wie Staudämme und Atomkraftwerke, sagt Standardpasswörter stellen kein Sicherheitsrisiko dar solange sie gut dokumentiert und änderbar sind. Ist das wirklich so? --------------------------------------------- http://www.heise.de/security/artikel/Standardpasswoerter-kein-Sicherheitsri… *** Apple iMessage Open to Man in the Middle, Spoofing Attacks *** --------------------------------------------- The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users´ text messages or decrypt them and hand them over at the order of a government agency. --------------------------------------------- http://threatpost.com/apple-imessage-open-to-man-in-the-middle-spoofing-att… *** IBM Storwize V7000 Unified Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/55247 *** Bugtraq: PayPal Inc Bug Bounty #61 - Persistent Mail Encoding Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/529250 *** Puppet Enterprise Dashboard Report YAML Handling Vulnerability *** --------------------------------------------- https://secunia.com/advisories/55362 *** Drupal Context Mulitple Vulnerabilities *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100111 *** Drupal Simplenews Cross Site Scripting *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100112 *** Vuln: Cisco Identity Services Engine CVE-2013-5539 Arbitrary File Upload Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/63031 *** Bugtraq: Security Advisory for Bugzilla 4.4.1, 4.2.7 and 4.0.11 *** --------------------------------------------- http://www.securityfocus.com/archive/1/529262 *** Panda Security for Business Pagent.exe code execution *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/88091

1 0

Tageszusammenfassung - Mittwoch 16-10-2013
by Daily end-of-shift report 16 Oct '13

16 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 15-10-2013 18:00 − Mittwoch 16-10-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a *** ORACLE Critical Patch Update - October 2013 *** --------------------------------------------- Critical Patch Update - October 2013 --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html ** Follow-up ** *** Critical Java Update Plugs 51 Security Holes *** --------------------------------------------- Oracle has released a critical security update that fixes at least 51 security vulnerabilities in its Java software. Patches are available for Linux, Mac OS X, Solaris and Windows versions of the software. --------------------------------------------- http://krebsonsecurity.com/2013/10/java-update-plugs-51-security-holes/ *** Android-Verschlüsselung wurde verschlimbessert *** --------------------------------------------- Android bevorzugt offenbar seit einigen Jahren für Internet-Verbindungen Verschlüsselungsverfahren, die eigentlich als geknackt gelten. Die Motivation dahinter ist unklar. --------------------------------------------- http://www.heise.de/security/meldung/Android-Verschluesselung-wurde-verschl… *** Google Fixes Three High-Risk Flaws in Chrome *** --------------------------------------------- There is a trio of high-risk security vulnerabilities in Google Chrome that have been patched in a new version of the browser released on Tuesday. The vulnerabilities all are use-after-free bugs, and Google paid a total of $5,000 in rewards to researchers who discovered and reported them. --------------------------------------------- http://threatpost.com/google-fixes-three-high-risk-flaws-in-chrome/102586 *** Registrar in Metasploit DNS Hijacking Not Duped by Fax *** --------------------------------------------- Rapid7 said today that an employee at its registrar, Register.com, was duped out of their credentials leading to a DNS hijacking attack against the Rapid7 and Metasploit websites. --------------------------------------------- http://threatpost.com/registrar-in-metasploit-dns-hijacking-not-duped-by-fa… *** How Vulnerable Are Your Phishing Targets? *** --------------------------------------------- How Vulnerable Are Your Phishing Targets? --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2013/10/16/how-vulne… *** ASLR Bypass Apocalypse in Lately Zero-Day Exploits *** --------------------------------------------- ASLR (Address Space Layout Randomization) is one of the most effective protection mechanisms in the modern operation system. However, there were many innovative ASLR bypass techniques used in recent APT attacks. --------------------------------------------- http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-ap… *** Vulnerabilities Discovered in Global Vessel Tracking Systems *** --------------------------------------------- Text by Marco Balduzzi and Kyle Wilhoit Trend Micro researchers have discovered that flaws in the AIS vessel tracking system can allow attackers to hijack communications of existing vessels, create fake vessels, trigger false SOS or collision alerts and even permanently disable AIS tracking on any vessel. Figure 1. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-… *** Blog: Under Pressure *** --------------------------------------------- Any online project - be it a long-lost blog, or a new start-up's web app - has a very important performance feature called a "maximum load". This indicator makes itself known when a web app either partially or fully fails to perform its assigned functions to process user requests. --------------------------------------------- http://www.securelist.com/en/blog/8136/Under_Pressure *** Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild *** --------------------------------------------- The never-ending supply of access to compromised/hacked PCs - the direct result of the general availability of DIY/cracked/leaked malware/botnet generating tools - continues to grow in terms of the number and variety of such type of underground market propositions. --------------------------------------------- http://www.webroot.com/blog/2013/10/16/yet-another-bitcoin-accepting-e-shop… *** Honeydroid: Android-Handy wird zur Hackerfalle *** --------------------------------------------- Experten der Deutschen Telekom machen aus Android-Smartphones mobile Honeypots. So haben sie in drei Monaten über 10.000 Angriffe auf ein einzelnes Gerät im Mobilnetz protokollieren können. --------------------------------------------- http://www.heise.de/security/meldung/Honeydroid-Android-Handy-wird-zur-Hack… *** Convincing "Urgent Windows Error Fix" phishing email doing rounds *** --------------------------------------------- A pretty convincing email phishing campaign is targeting one of the largest user bases out there - those who use Microsofts Windows OS - by taking advantage of the recent problems that the company has been having with updates. --------------------------------------------- http://www.net-security.org/secworld.php?id=15779 *** HP Service Manager Bugs Permit Cross-Site Scripting, Information Disclosure, and Code Injection Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1029180 *** UbiDisk File Manager v2.0 iOS - Multiple Web Vulnerabilities *** --------------------------------------------- http://www.exploit-db.com/exploits/28977 *** Apple iOS 7.0.2 SIM Lock Screen Display Bypass *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100103

1 0

Tageszusammenfassung - Dienstag 15-10-2013
by Daily end-of-shift report 15 Oct '13

15 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Montag 14-10-2013 18:00 − Dienstag 15-10-2013 18:00 Handler: Matthias Fraidl Co-Handler: Robert Waldner *** Fingerprinting Ubuntu OS Versions using OpenSSH *** --------------------------------------------- Over the past couples weeks, I’ve been working on enhancing the operating system detection logic in the TrustKeeper Scan Engine. Having the capability to detect a target’s operating system can be very useful. Whether you’re performing a simple asset identification scan or doing an in depth review, this information helps you make more informed decisions. In this blog post, I’ll be talking about a technique that that you can use to fingerprint a server operating system --------------------------------------------- http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/e7s2jWmx7bU/fingerprin… *** October 2013 Security Bulletin Webcast, Q&A, and Slide Deck *** --------------------------------------------- Today we’re publishing the October 2013 Security Bulletin Webcast Questions & Answers page. We fielded 11 questions during the webcast, with specific bulletin questions focusing primarily on the SharePoint (MS13-084) and Kernel-Mode Drivers (MS13-081) bulletins. There was one additional question that we were unable to answer on air, and we have included a response to that question on the Q&A page. We invite our customers to join us for the next public webcast on Wednesday, --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2013/10/14/october-2013-security-bu… *** Vuln: osCommerce products_id Parameter HTML Injection Vulnerability *** --------------------------------------------- osCommerce is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input. Hostile HTML and script code may be injected into vulnerable sections of the application. When an unsuspecting user visits the affected site and views the affected section, the attacker-supplied code is rendered in the user's browser in the context of that site. osCommerce 2.3.3 is vulnerable. Other versions may also be affected. --------------------------------------------- http://www.securityfocus.com/bid/62997 *** Insecurities in the Linux /dev/random *** --------------------------------------------- New paper: "Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust, by Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs. Abstract: A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and... --------------------------------------------- https://www.schneier.com/blog/archives/2013/10/insecurities_in.html *** Thousands of Sites Hacked Via vBulletin Hole *** --------------------------------------------- Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn. --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/Mc94cSf4_Mc/ *** Juniper Junos SRX Series Gateway Buffer Overflow in Telnet Firewall Lets Remote Users Execute Arbitrary Code *** --------------------------------------------- Juniper Junos SRX Series Gateway Buffer Overflow in Telnet Firewall Lets Remote Users Execute Arbitrary Code --------------------------------------------- http://www.securitytracker.com/id/1029175 *** Sensoren verraten Identität des Smartphones *** --------------------------------------------- Die Messwerte eines Smartphones können den Benutzer wie ein digitaler Fingerabdruck verraten. Das haben Forscher der US-Universität Stanford nachgewiesen. --------------------------------------------- http://futurezone.at/digital-life/sensoren-verraten-identitaet-des-smartpho… *** Steam-Client verhilft Angreifern zu Systemrechten *** --------------------------------------------- Die Windows-Version der Spieleplattform Steam enthält eine Schwachstelle, die es einem Angreifer ermöglicht, Schadcode mit Systemrechten auszuführen. Valve schweigt zu der Lücke. --------------------------------------------- http://www.heise.de/security/meldung/Steam-Client-verhilft-Angreifern-zu-Sy… *** We scanned the Internet for port 22 *** --------------------------------------------- We scanned the entire Internet for port 22 - the port reserved for SSH, the protocol used by sysadmins to remotely log into machines. Unlike our normal scans of port 80 or 443, this generated a lot more abuse complaints, so I thought Id explain the scan. --------------------------------------------- http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html *** Blog: Pharmaceutical ‘phishing’ *** --------------------------------------------- Adverts for medication to improve male sex drive are a staple of spam mailings. Like any other unsolicited messages, emails of this nature have evolved with time and today’s versions no longer merely contain promises of enahnced potency and a link to a site selling pills. In August and September we noted a series of mailings that used the names of well-known companies, that looked just like typical phishing messages. However, instead of a phishing site the links they contained led to an advert for “male medication”. --------------------------------------------- http://www.securelist.com/en/blog/8135/Pharmaceutical_phishing *** Cisco Video Surveillance 4000 Series IP Camera Analytics Page Hardcoded Credentials Security Issue *** --------------------------------------------- A security issue has been reported in Cisco Video Surveillance 4000 Series IP Camera, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to the device allowing access to the analytics page using hardcoded credentials, which can be exploited to gain access to an otherwise restricted video feed. The security issue is reported in versions 2.4(0.1) and 3.1(0.52). --------------------------------------------- https://secunia.com/advisories/55283 *** [2013-10-15] Multiple critical vulnerabilities in SpamTitan *** --------------------------------------------- SpamTitan suffers from multiple critical vulnerabilities. Unauthenticated attackers are able to completely compromise the system and extract or manipulate database contents. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013… *** WordPress security threats, protection tips and tricks *** --------------------------------------------- To start off with, there are some things that you can do just once to improve the security of your WordPress blog or website, but you still have to always follow a number of rules while using WordPress. By following such rules you will be safe from most of the automated targeted WordPress attacks which typically spread like wild fires ... --------------------------------------------- http://www.net-security.org/article.php?id=1895 *** D-link to Padlock Router Backdoor By Halloween *** --------------------------------------------- D-Link will address by the end of October a security issue in some of its routers that could allow attackers to change the device settings without requiring a username and password.The issue consists of a backdoor-type function built into the firmware of some D-Link routers that can be used to bypass the normal authentication procedure on their Web-based user interfaces. --------------------------------------------- http://www.cio.com/article/741414/D_link_to_Padlock_Router_Backdoor_By_Hall…

1 0

Tageszusammenfassung - Montag 14-10-2013
by Daily end-of-shift report 14 Oct '13

14 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Freitag 11-10-2013 18:00 − Montag 14-10-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a *** 2013-10 Security Bulletin: Junos: GNU libc glob(3) GLOB_LIMIT Remote Denial of Service Vulnerability (CVE-2010-2632) *** --------------------------------------------- The glob implementation in libc allows authenticated remote users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames. This vulnerability can be exploited against a device running Junos OS with FTP services enabled to launch a high CPU utilization partial denial of service attack. --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10598 *** Top sites (and maybe the NSA) track users with 'device fingerprinting' *** --------------------------------------------- May make it easier to follow privacy-minded users on the darknet. --------------------------------------------- http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-u… *** Threat Refinement Ensues with Crypto Locker, SHOTODOR Backdoor *** --------------------------------------------- In our 2013 Security Predictions, we anticipated that cybercriminals would focus on refining existing tools, instead of creating new threats. Two threats that both represent refinements of previously known threats show this effectively. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/threat-refinemen… *** Critical Patch Update - October 2013 - Pre-Release Announcement *** --------------------------------------------- Critical Patch Update - October 2013 - Pre-Release Announcement --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html *** Blackhole, Supreme No More *** --------------------------------------------- Blackhole exploit kit has always been a favorite example when discussing the impact of kits to internet users. Weve previously mentioned in our posts how fast it was in supporting new vulnerabilities, how it was related to Cool, and that it was the leading kit in our telemetry data. Blackhole and Cool almost always had special mentions in our Threat Reports. --------------------------------------------- http://www.f-secure.com/weblog/archives/00002622.html *** Debian Security Advisory DSA-2776 drupal6 *** --------------------------------------------- several vulnerabilities --------------------------------------------- http://www.debian.org/security/2013/dsa-2776 *** Debian Security Advisory DSA-2777 systemd *** --------------------------------------------- several vulnerabilities --------------------------------------------- http://www.debian.org/security/2013/dsa-2777 *** Stabiles Debian 7.2 behebt Fehler und löst Sicherheitsprobleme *** --------------------------------------------- Das Debian-Projekt aktualisiert die Linux-Distribution Debian 7 (Wheezy) auf Version 7.2 und behebt dabei eine lange Liste von Fehlern und schließt Sicherheitslöcher. --------------------------------------------- http://www.heise.de/newsticker/meldung/Stabiles-Debian-7-2-behebt-Fehler-un… *** Google Chrome speichert Kreditkarten-Daten als Klartext *** --------------------------------------------- Der Google-Browser Chrome ist einmal mehr unter Beschuss von Sicherheitsexperten. Diese kritisieren, dass Chrome sensible Daten als Klartext auf der Festplatte speichert. --------------------------------------------- http://futurezone.at/produkte/google-chrome-speichert-kreditkarten-daten-al… *** Security Bulletin: WebSphere eXtreme Scale Monitoring Console Web Vulnerabilities (CVE-2013-5390, CVE-2013-5393, CVE-2013-5394) *** --------------------------------------------- Three web security vulnerabilities were identified in the WebSphere eXtreme Scale monitoring console, those being a cross site scripting vulnerability, a log-off processing weakness, and vulnerability to a phishing attack. --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_web… *** Back door found in D-Link routers *** --------------------------------------------- D-secret is D-logon string allowing access to everything A group of embedded device hackers has turned up a vulnerability in D-Link consumer-level devices that provides unauthenticated access to the units admin interfaces. --------------------------------------------- http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/ *** Spamvertised T-Mobile 'Picture ID Type:MMS' themed emails lead to malware *** --------------------------------------------- The cybercriminals behind last week's profiled fake T-Mobile themed email campaign have resumed operations, and have just spamvertised another round of tens of thousands of malicious emails impersonating the company, in order to trick its customers into executing the malicious attachment, which in this case is once again supposedly a legitimate MMS notification message. --------------------------------------------- http://www.webroot.com/blog/2013/10/14/spamvertised-t-mobile-picture-id-typ… *** Captain, Where Is Your Ship Compromising Vessel Tracking Systems *** --------------------------------------------- In recent years, automated identification systems (AIS) have been introduced to enhance ship tracking and provide extra safety to marine traffic, on top of conventional radar installations. AIS is currently mandatory for all passenger ships and commercial (non-fishing) ships over 300 metric tons. It works by acquiring GPS coordinates and exchanging vessel's position, course and ... --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/captain-where-is… *** WordPress Cart66 Lite Plugin Cross-Site Request Forgery Vulnerability *** --------------------------------------------- WordPress Cart66 Lite Plugin Cross-Site Request Forgery Vulnerability --------------------------------------------- https://secunia.com/advisories/55265 *** End User Devices Security Guidance: Windows 7 and Windows 8 *** --------------------------------------------- This guidance is applicable to devices running Enterprise versions of Windows 7 and Windows 8, acting as client operating systems, which include BitLocker Drive Encryption, AppLocker and Windows VPN features. --------------------------------------------- https://www.gov.uk/government/publications/end-user-devices-security-guidan…

1 0

Tageszusammenfassung - Freitag 11-10-2013
by Daily end-of-shift report 11 Oct '13

11 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 10-10-2013 18:00 − Freitag 11-10-2013 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** WhatsApp Crypto Error Exposes Messages *** --------------------------------------------- WhatsApp, a popular mobile message application, suffers from crypto implementation vulnerability that leaves messages exposed. Thijs Alkemade, a computer science student at Utrecht University in The Netherlands who works on the open source Adium instant messaging project, disclosed a serious issue this week with the encryption used to secure WhatsApp messages, namely that the same... --------------------------------------------- http://threatpost.com/whatsapp-crypto-error-exposes-messages/102565 *** Some Bing Ads Redirecting To Malware *** --------------------------------------------- An anonymous reader writes "Security firm ThreatTrack Security Labs today spotted that certain Bing ads are linking to sites that infect users with malware. Those who click are redirected to a dynamic DNS service subdomain which in turns serves the Sirefef malware from 109(dot)236(dot)81(dot)176. ThreatTrack notes that the scammers could of course be targeting other keywords aside from YouTube. The more popular the keywords, the bigger the potential for infection." Read more of --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/7RRrvRPB5JM/story01.htm *** Top 15 Indicators Of Compromise *** --------------------------------------------- In the quest to detect data breaches more quickly, indicators of compromise can act as important breadcrumbs for security pros watching their IT environments. Unusual activity on the network or odd clues on systems can frequently help organizations spot attacker activity on systems more quickly so that they can either prevent an eventual breach from happening -- or at least stop it in its earliest stages. --------------------------------------------- http://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise… *** Vuln: libtar th_read() Function Multiple Heap Buffer Overflow Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/62922 *** libtar "tar_extract_glob()" and "tar_extract_all()" Directory Traversal Vulnerabilities *** --------------------------------------------- libtar "tar_extract_glob()" and "tar_extract_all()" Directory Traversal Vulnerabilities --------------------------------------------- https://secunia.com/advisories/55138 *** Bugtraq: [security bulletin] HPSBMU02901 rev.1 - HP Business Process Monitor running on Windows, Remote Execution of Arbitrary Code and Disclosure of Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/529117 *** Juniper Junos TCP Packet Handling Denial of Service Vulnerability *** --------------------------------------------- https://secunia.com/advisories/55218 *** Juniper Junos Telnet Messages Handling Buffer Overflow Vulnerability *** --------------------------------------------- https://secunia.com/advisories/55109 *** Hitachi JP1/VERITAS Backup Exec Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/55261 *** Cisco Unified IP Phones 9900 Series webapp Interface Buffer Overflow Vulnerability *** --------------------------------------------- https://secunia.com/advisories/55275 *** Dropbear SSH Server User Enumeration Weakness and Denial of Service Vulnerability *** --------------------------------------------- https://secunia.com/advisories/55173 *** Network Security Services (NSS) Uninitialized Memory Read Vulnerability *** --------------------------------------------- https://secunia.com/advisories/55050 *** InduSoft Thin Client ActiveX control buffer overflow *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/87788 *** Security Bulletin: IBM InfoSphere Information Server Data Quality Console and Information Analyzer are vulnerable to cross-site request forgery attacks (CVE-2013-4056) *** --------------------------------------------- A cross-site request forgery vulnerability exists in IBM InfoSphere Information Server Data Quality Console and Information Analyzer which can allow an attacker to trick a legitimate user into opening a URL that results in an action being taken as that user, potentially without the knowledge of that user. Any actions taken require the user being tricked to either be previously authenticated or to authenticate as part of the attack. --------------------------------------------- https://www-304.ibm.com/support/docview.wss?uid=swg21652413 *** IBM WebSphere Message Broker and IBM Integration Bus Security Vulnerability: Multiple security vulnerabilities in IBM JREs 5 & 7 *** --------------------------------------------- Multiple security vulnerabilities exist in the IBM Java Runtime Environment component of WebSphere Message Broker for IBM JRE 5.0 SR16-FP3 (and earlier) and the IBM Java Runtime Environment component of IBM Integration Bus for JRE 7.0 SR5 (and earlier). --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_websphere_message…

1 0

Tageszusammenfassung - Donnerstag 10-10-2013
by Daily end-of-shift report 10 Oct '13

10 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 09-10-2013 18:00 − Donnerstag 10-10-2013 18:00 Handler: Stephan Richter Co-Handler: n/a *** BlackBerry Fixes Remote Code Vulnerability in BES10 *** --------------------------------------------- Blackberry added to Patch Tuesdays patches with an update for its BlackBerry Enterprise Service 10 mobile device management product, fixing a remote code execution vulnerability. --------------------------------------------- http://threatpost.com/blackberry-fixes-remote-code-vulnerability-in-bes10/1… *** Unexpected IE Zero Day Used in Banking, Gaming Attacks *** --------------------------------------------- Microsoft released a patch for a second zero-day vulnerability in Internet Explorer yesterday, one that caught administrators off-guard. --------------------------------------------- http://threatpost.com/unexpected-ie-zero-day-used-in-banking-gaming-attacks… *** vBulletin vuln opens backdoor to rogue accounts *** --------------------------------------------- The workaround is easy, though The widespread vBulletin CMS has a vulnerability that allows remote attackers to create new administrative accounts. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2013/10/10/vbulletin_v… *** Invensys Wonderware InTouch Improper Input Validation Vulnerability *** --------------------------------------------- OVERVIEW: This advisory was originally posted to the US-CERT secure Portal library on October 03, 2013, and is now being released to the NCCIC/ICS-CERT-Web page. This advisory provides mitigation details for a vulnerability that impacts the Invensys Wonderware InTouch application. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-13-276-01 *** Quassel IRC SQL injection *** --------------------------------------------- Topic: Quassel IRC SQL injection Risk: Medium Text: Please assign a CVE to the following issue: Quassel IRC is vulnerable to SQL injection on all current versions (0.9.0 being... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013100064 *** McAfee Web Reporter Servlet Access Control Flaw Lets Remote Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1029154 *** MyBB Session Hijacking and Security Bypass Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/54994 *** OXID eShop "searchrecomm" Cross-Site Scripting Vulnerability *** --------------------------------------------- https://secunia.com/advisories/55193 *** Security Bulletin: Multiple IBM Eclipse Help System (IEHS) vulnerabilities used in IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2013-0599, CVE-2013-0464, CVE-2013-0467) *** --------------------------------------------- IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed ships with IBM Eclipse Help System (IEHS). The IBM Eclipse Help System (IEHS) is vulnerable to: a XSS attacks, reading source code via a crafted URL and reading the debug information associated with the 500 HTTP status... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21651947 *** Multiple Vulnerabilities in Cisco ASA Software *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Multiple Vulnerabilities in Cisco Firewall Services Module Software *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** HP Intelligent Management Center Unspecified Flaws Let Remote Users Execute Arbitrary Code and Obtain Information *** --------------------------------------------- http://www.securitytracker.com/id/1029164 *** HP Intelligent Management Center Multiple Flaws Lets Remote Users Bypass Authentication, Gain Unauthorized Acess, Inject SQL Commands, and Obtain Information *** --------------------------------------------- http://www.securitytracker.com/id/1029165

1 0

Tageszusammenfassung - Mittwoch 9-10-2013
by Daily end-of-shift report 09 Oct '13

09 Oct '13

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 08-10-2013 18:00 − Mittwoch 09-10-2013 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** WhatsApp-Verschlüsselung ruft Zweifel hervor *** --------------------------------------------- Dem Chefentwickler des IM-Clients Adium zufolge müssen WhatsApp-Nutzer alle bisher versandten Nachrichten als entschlüsselbar betrachten. --------------------------------------------- http://www.heise.de/security/meldung/WhatsApp-Verschluesselung-ruft-Zweifel… *** The October 2013 security updates *** --------------------------------------------- This month we release eight bulletins - four Critical and four Important - which address 26 unique CVEs in Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight. For those who need to prioritize their deployment planning, we recommend focusing on MS13-080, MS13-081, and MS13-083. Our Bulletin Deployment Priority graph provides an overview of this month's priority releases... --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2013/10/08/the-october-2013-securit… *** Other Patch Tuesday Updates (Adobe, Apple), (Wed, Oct 9th) *** --------------------------------------------- Adobe released two bulletins today: APSB13-24: Security update for RoboHelp http://www.adobe.com/support/security/bulletins/apsb13-24.html I dont remember seeing a pre-anouncement for this one. The update fixes an arbitrary code execution vulnerability (CVE-2013-5327) . Robohelp is only available for Window. APSB13-25: Security update for Adobe Acrobat and Adobe Reader http://www.adobe.com/support/security/bulletins/apsb13-25.html This update fixes a problem that was introduced in a recent --------------------------------------------- http://isc.sans.edu/diary.html?storyid=16763&rss *** September 2013 Virus Activity Overview *** --------------------------------------------- October 1, 2013 The first autumn month in 2013 was marked by a number of important events that could have a profound impact on IT security in the future. In particular, in early September a dangerous backdoor that can execute commands from a remote server was discovered, and a bit later Doctor Webs analysts identified the largest known botnet comprised of more than 200,000 infected devices running Android. Overall, numerous malignant programs for this platform were found in September. Viruses --------------------------------------------- http://news.drweb.com/show/?i=3962&lng=en&c=9 *** ENISA - Can we learn from SCADA security incidents - White Paper *** --------------------------------------------- Security experts across the world continue to sound the alarm bells about the security of Industrial Control Systems (ICS). Industrial Control Systems look more and more like consumer PCs. They are used everywhere and involve a considerable amount of software, often outdated and unpatched. Recent security incidents in the context of SCADA and Industrial Control Systems emphasise greatly the importance of good governance and control of SCADA infrastructures. --------------------------------------------- https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrast… *** Staying Stealthy: Passive Network Discovery with Metasploit *** --------------------------------------------- One of the first steps in your penetration test is to map out the network, which is usually done with an active scan. In situations where you need to be stealthy or where active scanning may cause instability in the target network, such as in SCADA environments, you can run a passive network scan to avoid detection and reduce disruptions. A passive network scan stealthily... --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2013/10/09/passive-n… *** Twitter Malware *** --------------------------------------------- NCC Group has observed a sharp rise in threats using Twitter direct messages (often abbreviated to DMs) as a method of delivery over the last few months. These threats originate from compromised Twitter accounts. These accounts, once compromised, send direct messages to their followers. If received by email,... --------------------------------------------- http://www.nccgroup.com/en/blog/2013/10/twitter-malware/ *** Alstom e-Terracontrol DNP3 Master Improper Input Validation *** --------------------------------------------- OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation in the Alstom e-terracontrol software. Alstom has produced a patch that mitigates this vulnerability. Adam Crain and Chris Sistrunk have tested the patch to validate that it resolves the vulnerability. This vulnerability could be exploited remotely. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-13-282-01

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily