=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 17-11-2015 18:00 − Mittwoch 18-11-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Adobe releases out-of-band security patches - amazingly not for Flash ***
---------------------------------------------
ColdFusion, LiveCycle and Premiere get fixed ... Adobe says that it hasnt seen any evidence that these flaws are being exploited in the wild, but that users should patch anyway, just to be on the safe side - certainly before hackers reverse-engineer the updates and start abusing the bugs...
---------------------------------------------
http://www.theregister.co.uk/2015/11/17/adobe_releases_outofband_security_p…
*** Introducing Chuckle and the importance of SMB signing ***
---------------------------------------------
Digital signing is a feature of SMB designed to allow a recipient to confirm the authenticity of SMB packets and to prevent tampering during transit - this feature was first made available back in Windows NT 4.0 Service Pack 3. By default, only domain controllers require packets to be signed and this default behavior is usually seen in most corporate networks.
---------------------------------------------
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/novem…
*** Team Cymru: Free tools for incident response ***
---------------------------------------------
We at Team Cymru would like to be helpful to incident response vendors in implementing the USG's growing security strategy. To that end, we have identified a few of our free community resources (and one commercial service) that would be most useful to IR.
---------------------------------------------
https://blog.team-cymru.org/2015/11/free-tools-for-incident-response-and-a-…
*** How two seconds become two days ***
---------------------------------------------
At 3:37PM PST, we had a power blip in one of our datacenters. In those two seconds, over 1,000 systems blinked offline. As a non-profit, we don't have all of those niceties such as hot-hot datacenters or those new fangled UPSes. Instead, we do it the old fashioned way, which means we are susceptible to...
---------------------------------------------
http://blog.shadowserver.org/2015/11/17/how-two-seconds-become-two-days/
*** A flaw in D-Link Switches opens corporate networks to hack ***
---------------------------------------------
A flaw in certain D-Link switches can be exploited by remote attackers to access configuration data and hack corporate networks. The independent security researcher Varang Amin and the chief architect at Elastica's Cloud Threat Labs Aditya Sood have discovered a vulnerability in the D-Link Switches belonging to the DGS-1210 Series Gigabit Smart Switches. The security experts revealed...
---------------------------------------------
http://securityaffairs.co/wordpress/42054/hacking/d-link-switches-flaw.html
*** Blast from the Past: Blackhole Exploit Kit Resurfaces in Live Attacks ***
---------------------------------------------
The year is 2015 and a threat actor is using the defunct Blackhole exploit kit in active drive-by download campaigns via compromised websites.Categories: ExploitsTags: drive-by downloadsexploitexploit kitwebsite(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/exploits-2/2015/11/blast-from-the-past-blackh…
*** Google VirusTotal - now with autoanalysis of OS X malware ***
---------------------------------------------
Google just announced that its virus classification and auto-analysis service, VirusTotal, is now officially interested in OS X malware.
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/buCfkbvoJqQ/
*** Nishang: A Post-Exploitation Framework ***
---------------------------------------------
Introduction I was recently doing an external penetration test for one of our clients, where I got shell access to Windows Server 2012(Internal WebServer sitting behind an IPS) with Administrative Privileges. It also appears to have an Antivirus installed on the system as everything I was uploading on to the machine was being deleted on...
---------------------------------------------
http://resources.infosecinstitute.com/nishang-a-post-exploitation-framework/
*** 10 dumb security mistakes sys admins make ***
---------------------------------------------
Security isn't merely a technical problem -- its a people problem. There's only so much technology you can throw at a network before dumb human mistakes trip you up.But guess what? Those mistakes are often committed by the very people who should know better: system administrators and other IT staff.[ Also on InfoWorld: 10 security mistakes that will get you fired. | Deep Dive: How to rethink security for the new world of IT. | Discover how to secure your systems with InfoWorlds...
---------------------------------------------
http://www.cio.com/article/3006147/security/10-dumb-security-mistakes-sys-a…
*** SANS Pentest Sumit: Evil DNS tricks by Ron Bowes - slide deck ***
---------------------------------------------
Things Im gonna talk about: * How to use DNS in pentesting * How to use DNSs indirect nature * DNS tunnelling (dnscat2)
---------------------------------------------
https://docs.google.com/presentation/d/1Jxh6PPO9JbUqXwOCTQFyA00uQoFMDBh-1Pe…
*** Cyber Security Assessment Netherlands 2015: cross-border cyber security approach necessary ***
---------------------------------------------
The CSAN has five Core Findings: * Cryptoware and other ransomware constitute the preferred business model for cyber criminals * Geopolitical tensions manifest themselves increasingly often in (impending) digital security breaches * Phishing is often used in targeted attacks and can barely be recognised by users * Availability becomes more important as alternatives to IT systems are disappearing * Vulnerabilities in software are still the Achilles heel of digital security
---------------------------------------------
https://www.ncsc.nl/english/current-topics/Cyber+Security+Assessment+Nether…
*** Inside the Conficker-Infected Police Body Cameras ***
---------------------------------------------
A Florida integrator who discovered the Conficker worm lurking in body cameras meant for police use takes Threatpost inside the story, including a frustrating disclosure with a disbelieving manufacturer.
---------------------------------------------
http://threatpost.com/inside-the-conficker-infected-police-body-cameras/115…
*** EMC VPLEX GeoSynchrony Default Log Level Lets Local Users View Passwords ***
---------------------------------------------
http://www.securitytracker.com/id/1034169
*** F5 security advisory: NTP vulnerability CVE-2015-5300 ***
---------------------------------------------
A man-in-the-middle attacker able to intercept network time protocol (NTP) traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value at any time.
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/10/sol10600056.html?ref=…
*** Atlassian Hipchat XSS to RCE ***
---------------------------------------------
Topic: Atlassian Hipchat XSS to RCE Risk: Medium Text:Two issues exist in Atlassian’s HipChat desktop client that allow an attacker to retrieve files or execute remote code when a...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015110164
*** [HTB23272]: RCE and SQL injection via CSRF in Horde Groupware ***
---------------------------------------------
Product: Horde Groupware v5.2.10 Vulnerability Type: Cross-Site Request Forgery [CWE-352]Risk level: High Creater: http://www.horde.orgAdvisory Publication: September 30, 2015 [without technical details]Public Disclosure: November 18, 2015 CVE Reference: CVE-2015-7984 CVSSv2 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H] Vulnerability Details: High-Tech Bridge Security Research Lab discovered three Cross-Site Request Forgery (CSRF) vulnerabilities in a popular collaboration...
---------------------------------------------
https://www.htbridge.com/advisory/HTB23272
*** Security Advisory - Information Leak Vulnerability in Huawei DSM Product ***
---------------------------------------------
There is a information leak vulnerability in DSM (Document Security Management) Product. The DSM does not clear the clipboard after data in a secure file opened using the DSM is copied and the secure file is closed. Data in the clipboard can be copied in common documents that do not use the DSM, leading to information leaks. (Vulnerability ID: HWPSIRT-2015-09009) Huawei has released software updates to fix these vulnerabilities.
---------------------------------------------
http://www1.huawei.com/en/security/psirt/security-bulletins/security-adviso…
*** Symantec Endpoint Protection Elevation of Privilege Issues SYM15-011 ***
---------------------------------------------
11/16/2015 - Assigned a new CVE ID, CVE-2015-8113 and Bugtraq ID 77585, to the SEP Client Binary Planting Partial Fix to differentiate between the original fix released in 12.1-RU6-MP1 and the updated issue and fix released in 12.1-RU6-MP3
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Firepower 9000 USB Kernel Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower 9000 Command Injection at Management I/O Command-Line Interface Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower 9000 Persistent Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower 9000 Cross-Site Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower 9000 Series Switch Clickjacking Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower 9000 Arbitrary File Read Access Script Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-4852) ***
http://www.ibm.com/support/docview.wss?uid=swg21970575
---------------------------------------------
*** IBM Security Bulletin: IBM Sterling B2B Integrator has Cross Site Scripting vulnerabilities in Queue Watcher (CVE-2015-7431) ***
http://www.ibm.com/support/docview.wss?uid=swg21970676
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 affect IBM Flex System Manager (FSM) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022835
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director Storage Control (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931 ) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022936
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Monitoring (CVE-2015-1829, CVE-2015-3183, CVE-2015-1283, CVE-2015-4947, CVE-2015-2808) ***
http://www.ibm.com/support/docview.wss?uid=swg21970056
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 affect IBM Flex System Manager (FSM) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022820
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 16-11-2015 18:00 − Dienstag 17-11-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Cyber crooks actively hijacking servers with unpatched vBulletin installations ***
---------------------------------------------
Administrators of vBulletin installations would do well to install the latest vBulletin Connect updates as soon as possible, as cyber crooks are actively searching for servers running vulnerable versi...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19113
*** Windows driver signing bypass by Derusbi ***
---------------------------------------------
Derusbi is an infamous piece of malware. The oldest identified version was compiled in 2008. It was used on well-known hacks such as the Mitsubishi Heavy Industries hack discovered in October 2011 or the Anthem hack discovered in 2015.
---------------------------------------------
http://www.sekoia.fr/blog/windows-driver-signing-bypass-by-derusbi/
*** Developers Are (still) From Mars, Infosec People (still) From Venus ***
---------------------------------------------
In March 2011, Brian Honan contributed to an issue of the INSECURE magazine with an article called "Management are from Mars, information security professional are from Venus". This title comes from the John Gray's worldwide bestseller where he presents the relations between men and women. Still today, we can reuse this subject for many purposes. Last week, I...
---------------------------------------------
https://blog.rootshell.be/2015/11/17/developers-mars-infosec-people-venus/
*** Why Algebraic Eraser may be the riskiest cryptosystem you've never heard of ***
---------------------------------------------
Researchers say there's a fatal flaw in proposed "Internet of things" standard.
---------------------------------------------
http://arstechnica.com/security/2015/11/why-algebraic-eraser-may-be-the-mos…
*** Cyber Security Assessment Netherlands 2015: cross-border cyber security approach necessary ***
---------------------------------------------
Cybercrime and digital espionage remain the largest threat to digital security in the Netherlands. Geopolitical developments like international conflicts and political sensitivities have a major impact on the scope of this threat. These are key findings from the Cyber Security Assessment Netherlands (CSAN), presented to the House of Representatives by State Secretary Dijkhoff in October, and now available in English.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/cyber-security-assessment-n…
*** Gas- und Öl-Industrie: Leichte Ziele für Hacker ***
---------------------------------------------
Sicherheitsforscher warnen davor, dass Cyber-Kriminelle mit vergleichsweise einfachen Methoden einen Großteil der weltweiten Öl-Produktion kontrollieren könnten.
---------------------------------------------
http://heise.de/-2922912
*** Bugtraq: Open-Xchange Security Advisory 2015-11-17 ***
---------------------------------------------
PGP public keys allow to specify arbitrary "User ID" information that gets encoded to the public key and is presented to OX Guard users at "Guard PGP Settings". Public keys containing such content are still valid. Therefor they can be distributed and in case the uid field contains javascript code, they can be used to inject code.
---------------------------------------------
http://www.securityfocus.com/archive/1/536923
*** Cisco Firepower 9000 Unauthenticated File Access Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** D-Link DIR-645 UPNP Buffer Overflow ***
---------------------------------------------
Topic: D-Link DIR-645 UPNP Buffer Overflow Risk: High Text:## Advisory Information Title: Dlink DIR-645 UPNP Buffer Overflow Vendors contacted: William Brown <william.brown(a)dlink.com...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015110133
*** D-Link DIR-815 Buffer Overflow / Command Injection ***
---------------------------------------------
Topic: D-Link DIR-815 Buffer Overflow / Command Injection Risk: High Text:## Advisory Information Title: DIR-815 Buffer overflows and Command injection in authentication and HNAP functionalities Ve...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015110135
*** Huawei Security Notice - Statement on Seclists.org Revealing Security Vulnerability in Huawei P8 Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 13-11-2015 18:00 − Montag 16-11-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** BitLocker encryption can be defeated with trivial Windows authentication bypass ***
---------------------------------------------
Companies relying on Microsoft BitLocker to encrypt the drives of their employees computers should install the latest Windows patches immediately. A researcher disclosed a trivial Windows authentication bypass, fixed earlier this week, that puts data on BitLocker-encrypted drives at risk.Ian Haken, a researcher with software security testing firm Synopsys, demonstrated the attack Friday at the Black Hat Europe security conference in Amsterdam. The issue affects Windows computers that are part...
---------------------------------------------
http://www.cio.com/article/3005178/bitlocker-encryption-can-be-defeated-wit…
*** The November 2015 issue of our SWITCH Security Report is available! ***
---------------------------------------------
Dear Reader! A new issue of our monthly SWITCH Security Report has just been released. The topics covered in this report are: No safe harbour in the Land of the Free - EU Court of Justice restricts data transfer to...
---------------------------------------------
http://securityblog.switch.ch/2015/11/13/the-november-2015-issue-of-our-swi…
*** Websicherheit: Datenleck durch dynamische Skripte ***
---------------------------------------------
Moderne Webseiten erstellen häufig dynamischen Javascript-Code. Wenn darin private Daten enthalten sind, können fremde Webseiten diese auslesen. Bei einer Untersuchung von Sicherheitsforschern war ein Drittel der untersuchten Webseiten von diesem Problem betroffen.
---------------------------------------------
http://www.golem.de/news/websicherheit-datenleck-durch-dynamische-skripte-1…
*** Op-ed: (How) did they break Diffie-Hellman? ***
---------------------------------------------
Relax - its not true that researchers have broken the Diffie-Hellman key exchange protocol.
---------------------------------------------
http://arstechnica.com/security/2015/11/op-ed-how-did-they-break-diffie-hel…
*** More POS malware, just in time for Christmas ***
---------------------------------------------
VXers stuff evidence-purging malware in retailer stockings. Threat researchers are warning of two pieces of point of sales malware that have gone largely undetected during years of retail wrecking and now appear likely to earn VXers a haul over the coming festive break.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/more_pos_ma…
*** Black Hat Europe 2015 slides ***
---------------------------------------------
briefings - november 12-13
---------------------------------------------
https://www.blackhat.com/eu-15/briefings.html
*** Choosing the Right Cryptography Library for your PHP Project: A Guide ***
---------------------------------------------
... conventional wisdom states that you almost certainly should not try to design your own cryptography. Instead, you should use an existing cryptography library. Okay, great. So which PHP cryptography library should I use? That depends on your exact requirements. Lets look at some good choices. (We wont cover any terrible choices.)
---------------------------------------------
https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-…
*** Apple OS X authentication issue when recovering from sleep mode ***
---------------------------------------------
When Apple Remote Desktop is used in full screen mode and the remote connection is alive upon entering sleep mode, the text entered in the dialog box upon recovering from sleep mode is sent to the remotely connected host instead of the local host. This may result in command execution at the remote host.
---------------------------------------------
http://jvn.jp/en/jp/JVN56210048/index.html
*** Programmbibliothek libpng verlangt nach Sicherheitsupdates ***
---------------------------------------------
Eine Schwachstelle in libpng kann als Einfallstor für Angreifer dienen, um Anwendungen zum Absturz zu bringen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Programmbibliothek-libpng-verlangt-n…
*** Container: CoreOS gibt CVE-Service als Open Source frei ***
---------------------------------------------
Der Linux-Distributor CoreOS hat sein Container-Security-Werkzeug Clair als Open-Source-Software freigegeben. Das Tool ist in der Lage, jede einzelne Containerschicht nach Schwachstellen zu durchforsten und im Falle eines Fundes eine Meldung über die Art der Bedrohung zu übermitteln. Hierfür greift Clair auf die CVE-Datenbank (Common Vulnerabilities and Exposures) und ähnliche Ressourcen von Red Hat, Ubuntu, und Debian zurück. Clair hilft allerdings nicht, die...
---------------------------------------------
http://www.heise.de/newsticker/meldung/Container-CoreOS-gibt-CVE-Service-al…
*** LiME - Linux Memory Extractor ***
---------------------------------------------
Features Full Android memory acquisition Acquisition over network interface Minimal process footprint
---------------------------------------------
http://www.kitploit.com/2015/11/lime-linux-memory-extractor.html
*** DD4BC / Armada Collective: Erpressung mittels DDoS ***
---------------------------------------------
DD4BC / Armada Collective: Erpressung mittels DDoS16. November 2015Das ist mal wieder nichts wirklich Neues. Distributed Denial of Service Angriffe gibt es schon lange, das mag mit Turf-Fights in der Rotlicht-Szene angefangen haben, der Angriff auf Estland 2007 hat das Thema groß in die Presse gebracht, und spätestens seit den Angriffen der "Anonymous"-Bewegung sollte das Problem allgemein bekannt sein. Dazu gibt es auch einen Abschnitt in unserem letzten...
---------------------------------------------
http://www.cert.at/services/blog/20151116114639-1627.html
*** BlackBerry Enterprise Server Input Validation Flaw in Management Console Lets Remote Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1034154
*** D-link wireless router DIR-816L Cross-Site Request Forgery (CSRF) vulnerability ***
---------------------------------------------
Cross-Site Request Forgery (CSRF) vulnerability in the DIR-816L wireless router enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
---------------------------------------------
http://www.securityfocus.com/archive/1/536886
*** Debian: strongswan security update ***
---------------------------------------------
Tobias Brunner found an authentication bypass vulnerability in strongSwan, an IKE/IPsec suite. Due to insufficient validation of its local state the server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin can be tricked into successfully concluding the authentication without providing valid credentials.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2015/msg00303.html
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Videoscape Distribution Suite Service Manager Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS Software Virtual PPP Interfaces Security Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FireSIGHT Management Center Certificate Validation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Collaboration Assurance Cross-Site Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** Apache Commons Vulnerability for handling Java object deserialization ***
http://www.ibm.com/support/docview.wss?uid=swg21970575
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in GSKit affects IBM DataPower Gateways (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21969271
---------------------------------------------
*** IBM Security Bulletin: Certain cookies missing Secure attribute in IBM DataPower Gateways (CVE-2015-7427) ***
http://www.ibm.com/support/docview.wss?uid=swg21969342
---------------------------------------------
*** Security Bulletin: Vulnerabilities in OpenSSL affect IBM System Networking RackSwitch (CVE-2015-1788, CVE-2015-1789, CVE-2015-1792) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098801
---------------------------------------------
*** IBM Security Bulletin: IBM Cúram Social Program Management contains an Apache Batik Vulnerability (CVE-2015-0250) ***
http://www.ibm.com/support/docview.wss?uid=swg21970112
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition ***
http://www.ibm.com/support/docview.wss?uid=swg21969225
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in qemu-kvm affects IBM SmartCloud Provisioning for IBM Software Virtual Appliance ***
http://www.ibm.com/support/docview.wss?uid=swg21968929
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in FUSE affects PowerKVM (CVE-2015-3202) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022878
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail Security affected by Opensource PHP Vulnerabilities (CVE-2015-6836 CVE-2015-6837 CVE-2015-6838) ***
http://www.ibm.com/support/docview.wss?uid=swg21968353
---------------------------------------------
*** IBM Security Bulletin: GPFS security vulnerabilities in IBM SONAS (CVE-2015-4974 and CVE-2015-4981) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005425
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Mozilla gdk-pixbuf2 affects PowerKVM (CVE-2015-4491) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022833
---------------------------------------------
*** Vulnerability in bind affects AIX (CVE-2015-5722) ***
http://www.ibm.com/support/
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 12-11-2015 18:00 − Freitag 13-11-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Using Facebook to log in - safe or not? ***
---------------------------------------------
Open up your favorite web site and you can see what this is about right away. There are in many cases two options, an ordinary log-in and "Log in with Facebook". Have you been using the Facebook option? It is quite convenient, isn't it? I was talking to a journalist about privacy a while ago...
---------------------------------------------
http://safeandsavvy.f-secure.com/2015/11/12/using-facebook-to-log-in-safe-o…
*** MIG Mozilla InvestiGator ***
---------------------------------------------
Search through your infrastructure in real-time from the command line
---------------------------------------------
https://jve.linuxwall.info/ressources/taf/LISA15/
*** ZipInputStream Armageddon ***
---------------------------------------------
Again, again, again .. and again these bugs are turning up because of the general lack of validation occurring on the ZIP contents. In most cases this is probably due to the fact that developers are making assumptions that these ZIP files are not being tampered with, and therefore dont really consider the ramifications.
---------------------------------------------
http://rotlogix.com/2015/11/12/zipinputstream-armageddon/
*** botfrei.de: Werbeblocker-Sanktionen "der falsche Weg" ***
---------------------------------------------
Das "Anti-Botnet Beratungszentrums" botfrei.de und der Betreiber, der eco Verband der Internetwirtschaft, halten Online-Werbung für wichtig. Sanktionen gegen Werbeblocker würden aber wichtige Nutzerinteressen unberücksichtigt lassen.
---------------------------------------------
http://heise.de/-2920022
*** One BadBarcode Spoils Whole Bunch ***
---------------------------------------------
At PacSec 2015, researchers demonstrated attacks using poisoned barcodes scanned by numerous keyboard wedge barcode scanners to open a shell on a machine and virtually type control commands.
---------------------------------------------
http://threatpost.com/one-badbarcode-spoils-whole-bunch/115362/
*** Google Reconnaissance, Sprinter-style, (Fri, Nov 13th) ***
---------------------------------------------
When doing security assessments or penetration tests, theres a significant amount of findings that you can get from search engines. For instance, if a client has sensitive information or any number of common vulnerabilities, you can often find those with a Google or Bing search, without sending a single packet to the clients infrastructure. This concept is called google dorking, and was pioneered by Johnny Long back in the day (he has since moved on to other projects see...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20375&rss
*** Researchers Discover Two New Strains of POS Malware ***
---------------------------------------------
Two new and different strains of point of sale malware have come to light, including one that's gone largely undetected for the past five years.
---------------------------------------------
http://threatpost.com/researchers-discover-two-new-strains-of-pos-malware/1…
*** Spring Social Core Vulnerability Disclosure ***
---------------------------------------------
Today we would like to announce the discovery of a vulnerability in the Spring Social Core library. Spring Social provides Java bindings to popular service provider APIs like GitHub, Facebook, Twitter, etc., and is widely used by developers. All current versions (1.0.0.RELEASE to 1.1.2.RELEASE) of the library are affected by this vulnerability.
---------------------------------------------
https://blog.srcclr.com/spring-social-core-vulnerability-disclosure/
*** Unitronics VisiLogic OPLC IDE Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on November 3, 2015, and is being released to the NCCIC/ICS-CERT web site. This advisory provides mitigation details for vulnerabilities in Unitronics VisiLogic OPLC IDE.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-274-02
*** Security Advisory - App Validity Check Bypass Vulnerability in Huawei P7 Smartphone ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Security Notice - Statement on Black Hat Europe 2015 Revealing Security Vulnerability in Huawei P7 Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** DFN-CERT-2015-1761: Jenkins: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1761/
*** Cisco AnyConnect Secure Mobility Client Arbitrary File Move Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Tunnel Interfaces Security Bypass Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Aironet 1800 Series Access Point SSHv2 Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 11-11-2015 18:00 − Donnerstag 12-11-2015 18:01
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Distributed Vulnerability Search - Told via Access Logs ***
---------------------------------------------
Sometimes just a few lines of access logs can tell a whole story: Many ongoing attacks against WordPress and Joomla sites use a collection of known vulnerabilities in many different plugins, themes and components. This helps hackers maximize the number of sites they can compromise. Google Dorks Do you ever think about how hackers find...
---------------------------------------------
https://blog.sucuri.net/2015/11/distributed-vulnerability-search-told-via-a…
*** Latest Android phones hijacked with tidy one-stop-Chrome-pop ***
---------------------------------------------
Chinese researcher burns exploit for ski trip. PacSec: Googles Chrome for Android has been popped in a single exploit that could lead to the compromise of any handset.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/12/mobile_pwn2…
*** Samsung S6 calls open to man-in-the-middle base station snooping ***
---------------------------------------------
Their cheap man-in-the-middle attack requires an OpenBTS base station to be established and located near target handsets. Handsets will automatically connect to the bogus station. The malicious base station then pushes firmware to the phones baseband processor (the chip that handles voice calls, and which isnt directly accessible to end users). ... The Register would speculate that since the Qualcomm silicon in question isnt unique to Samsung kit, other researchers are probably setting to work...
---------------------------------------------
http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/
*** Geschäftsgeheimnisse: Sicherheitsforscher warnt vor TTIP ***
---------------------------------------------
Das Freihandelsabkommmen TTIP hat eine weitere Gegnergruppe: IT-Sicherheitsforscher. Das jedenfalls sagt René Pfeiffer, Organisator der Deepsec in Wien. Er fürchtet, dass Informationen über Sicherheitsrisiken damit noch stärker unterbunden werden.
---------------------------------------------
http://www.golem.de/news/geschaeftsgeheimnisse-sicherheitsforscher-warnt-vo…
*** Outlook-Probleme: Microsoft fixt Sicherheits-Update für Windows ***
---------------------------------------------
Microsoft hat ein fehlerhaftes Update zurückgezogen und durch eine gefixte Version ersetzt. Nach der Installation soll Outlook nicht mehr abstürzen. Doch es gibt noch weitere Probleme.
---------------------------------------------
http://heise.de/-2919456
*** Pentesting SAP Applications : An Introduction ***
---------------------------------------------
Introduction to SAP SAP (Systems-Applications-Products) is a software suite that offers standard business solutions; it is used by thousands of customers across the globe to manage their business. In other words, SAP systems provide the capability to manage financial, asset, and cost accounting, production operations and materials, personnel and many more tasks. Before we jump...
---------------------------------------------
http://resources.infosecinstitute.com/pen-stesting-sap-applications-part-1/
*** EMV Protocol Fuzzer ***
---------------------------------------------
The world-wide introduction of the Europay, MasterCard and Visa standard (EMV), to facilitate communication between smartcards and EMV-enabled devices, such as point-of-sale (POS) terminals and automatic teller machines (ATMs), has altered the security landscape of the daily markets. Surprisingly limited public research exists addressing security aspects of hardware and software specific implementations. This is something we wanted to put right and therefore started a new research programme to...
---------------------------------------------
https://labs.mwrinfosecurity.com/blog/2015/11/11/emv-protocol-fuzzer/
*** Got a time machine? Good, you can brute-force 2FA ***
---------------------------------------------
Security researcher Gabor Szathmari says the problem is that if your 2FA tokens depend on the network time protocol (NTP), its too easy for a sysadmin to put together an attackable implementation. As he explains in two posts.., if an attacker can trick NTP, they can mount a brute-force attack against the security tokens produced by Google Authenticator (the example in the POC) and a bunch of other Time-based One-time Password Algorithm-based (TOTP) 2FA mechanisms.
---------------------------------------------
http://www.theregister.co.uk/2015/11/12/got_a_time_machine_good_you_can_bru…
*** Spam and phishing in Q3 2015 ***
---------------------------------------------
The dating theme is typical for spam emails, but in the third quarter of 2015 we couldn't help but notice the sheer variety appearing in these types of mailings. We came across some rather interesting attempts to deceive recipients and to bypass filters, as well as new types of spam mailings that were bordering on fraud.
---------------------------------------------
https://securelist.com/analysis/quarterly-spam-reports/72724/spam-and-phish…
*** Oracle WebLogic Server: CVE-2015-4852 patched, (Thu, Nov 12th) ***
---------------------------------------------
Lost in the hoopla around Microsoft and Adobe patch Tuesday was a critical patch released by Oracle which addressed CVE-2015-4852. CVE-2105-4852is a critical vulnerability in Apache Commons which affects Oracle WebLogic Server. This vulnerability permits remote exploitation without authentication and should be patchedas soon as practical. More information can be found at the Oracle Blog. -- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ -...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20369&rss
*** Cisco Cloud Web Security DNS Hijack, (Thu, Nov 12th) ***
---------------------------------------------
We have received a report that a domain critical in delivering the Cisco Cloud Web Security product had for a while earlier today been hijacked. The report indicates thatthe DNS entrys forscansafe.net were hijacked and pointed to 208.91.197.132, a site which both VirusTotal and Web of Trust indicate has a reputation for delivering malware.">Guidance that has been provided to customers is that the issue has been resolved but that the TTL on the DNS entries are 48 hours so it will take a...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20371&rss
*** Volatility 2.5 released ***
---------------------------------------------
This is the first release since the publication of The Art of Memory Forensics! It adds support for Windows 10 (initial), Linux kernels 4.2.3, and Mac OS X El Capitan. Additionally, the unified output rendering gives users the flexibility of asking for results in various formats (html, sqlite, json, xlsx, dot, text, etc.) while simplifying things for plugin developers. In short, less code...
---------------------------------------------
http://www.volatilityfoundation.org/?_escaped_fragment_=25/c1f29
*** Die Apache Software Foundation zu dem Java Commons Collection/Java (De)Serialization Problem ***
---------------------------------------------
Die Apache Software Foundation zu dem Java Commons Collection/Java (De)Serialization Problem12. November 2015Die Apache Software Foundation hat dazu einen ausführlichen Blog-Post verfasst. Die Money Quote daraus: "Even when the classes implementing a certain functionality cannot be blamed for this vulnerability, and fixing the known cases will also not make the usage of serialization in an untrusted context safe, there is still demand to fix at least the known cases, even when this...
---------------------------------------------
http://www.cert.at/services/blog/20151112140918-1625.html
*** R-Scripts VRS 7R Multiple Stored XSS And CSRF Vulnerabilities ***
---------------------------------------------
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Stored cross-site scripting vulnerabilitity was also discovered. The issue is triggered when input passed via multiple POST parameters is not properly sanitized before being returned to the user. This can be exploited to execute...
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5274.php
*** Cisco FireSight Management Center Web Framework Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Google Picasa CAMF Section Integer Overflow Vulnerability ***
---------------------------------------------
2) Severity Rating: Highly critical Impact: System Access Where: From remote ... 4) Solution Update to version 3.9.140 Build 259.
---------------------------------------------
http://www.securityfocus.com/archive/1/536878
*** Citrix XenServer Security Update for CVE-2015-5307 and CVE-2015-8104 ***
---------------------------------------------
A security vulnerability has been identified in Citrix XenServer that may allow a malicious administrator of an HVM guest VM to crash the host. This vulnerability affects all currently supported versions of Citrix XenServer up to and including Citrix XenServer 6.5 Service Pack 1.
---------------------------------------------
http://support.citrix.com/article/CTX202583
*** Security Notice - Statement on Security Researchers Revealing a Security Vulnerability in Huawei HG630a&HG630a-50 on Packet Storm Website ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 10-11-2015 18:00 − Mittwoch 11-11-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** November 2015 Security Update Release Summary ***
---------------------------------------------
Today we released security updates to provide protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month's security updates and advisories can be found in the Security TechNet Library. MSRC Team
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2015/11/10/november-2015-security-u…
*** MSRT November 2015: Detection updates ***
---------------------------------------------
The Microsoft Malicious Software Removal Tool (MSRT) is updated monthly with new malware detections - so far this year we have added 29 malware families. This month we are updating our detections for some of the malware families already included in the tool. We choose the malware families we add to the MSRT each month using several criteria. One of the most common reasons is the prevalence of a family in the malware ecosystem. For example, in recent months we focused on...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2015/11/10/msrt-november-2015-detec…
*** Patchday: Adobe pflegt den Flash-Patienten ***
---------------------------------------------
Flash liegt mal wieder auf dem OP-Tisch und wird geflickt. Nutzer sollten ihren Flash-Patienten zügig behandeln, denn die Lücken gelten als kritisch. Exploits sollen aber noch nicht kursieren.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Patchday-Adobe-pflegt-den-Flash-Pati…
*** What You Should Know about Triangulation Fraud and eBay ***
---------------------------------------------
The increasing phenomenon of triangulation fraud on eBay has led to a published analysis on behalf of the company, as to how buyers should get informed and what they should pay attention to. Over the past few months, a new phenomenon has risen and its proportions have been growing exponentially. It seems that, even if...
---------------------------------------------
http://securityaffairs.co/wordpress/41891/cyber-crime/triangulation-fraud-a…
*** Symantec Endpoint Protection: Alte Sicherheitslücke bricht wieder auf ***
---------------------------------------------
Eine totgeglaubte Schwachstelle ist wieder da, da ein älterer Patch nur Teile des Problems angegangen ist. Das aktuelle Update für Symantecs Endpoint Protection soll es nun richten und noch weitere Schwachstellen abdichten.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Symantec-Endpoint-Protection-Alte-Si…
*** What Happens to Hacked Social Media Accounts ***
---------------------------------------------
This article is going to look at a few reasons why a social media account is hacked. The goal is for you to understand why you will want to better protect your account, regardless of whether or not you see yourself as "important".
---------------------------------------------
http://www.tripwire.com/state-of-security/security-awareness/what-happens-t…
*** InstaAgent: Passwort-sammelnder Instagram-Client fliegt aus App Store und Google Play ***
---------------------------------------------
Die App, die Nutzern verschiedene Zusatzinformationen zu ihrem Profil bei Facebooks populärem Foto-Dienst verspricht, sendete offenbar Instagram-Benutzernamen und Passwort im Klartext an einen Dritt-Server.
---------------------------------------------
http://heise.de/-2917792
*** GasPot Integrated Into Conpot, Contributing to Open Source ICS Research ***
---------------------------------------------
In August of this year, we presented at Blackhat our paper titled The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems. GasPot was a honeypot designed to mimic the behavior of the Guardian AST gas-tank-monitoring system. It was designed to look like no other existing honeypot, with each instance being unique to make fingerprinting by attackers impossible. These were deployed within networks located in various countries, to give us a complete picture of the attacks...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/4jNwbTj60bk/
*** Questions are the answeres - How to avoid becoming the blamed victim ***
---------------------------------------------
"You have to ask questions", I say. Questions before, during, and after a breach. If you ask the right questions at the right time, you'll be able to make better decisions than the knee-jerk ones you've been making.
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/questions-are-the-answ…
*** TA15-314A: Web Shells - Threat Awareness and Guidance ***
---------------------------------------------
Original release date: November 10, 2015 Systems Affected Web servers that allow web shells Overview This alert describes the frequent use of web shells as an exploitation vector. Web shells can be used to obtain unauthorized access and can lead to wider network compromise. This alert outlines the threat and provides prevention, detection, and mitigation strategies.Consistent use of web shells by Advanced Persistent Threat (APT) and criminal groups has led to significant cyber incidents.This...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA15-313A
*** Bugtraq: [security bulletin] HPSBGN03507 rev.2 - HP Arcsight Management Center, Arcsight Logger, Remote Cross-Site Scripting (XSS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536877
*** Huawei HG630a / HG630a-50 Default SSH Admin Password ***
---------------------------------------------
Topic: Huawei HG630a / HG630a-50 Default SSH Admin Password Risk: High Text:# Exploit Title: Huawei HG630a and HG630a-50 Default SSH Admin Password on Adsl Modems # Date: 10.11.2015 # Exploit Author: M...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015110087
*** Huawei Security Advisories ***
---------------------------------------------
*** Security Advisory - Input Validation Vulnerability in Huawei VP9660 Products ***
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
---------------------------------------------
*** Security Advisory - Directory Traversal Vulnerability in Huawei AR Router ***
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
---------------------------------------------
*** Security Advisory - DoS Vulnerability in Huawei U2990 and U2980 ***
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
---------------------------------------------
*** Security Advisory - DoS Vulnerability in Huawei eSpace 8950 IP Phone ***
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
---------------------------------------------
*** Security Advisory - DoS Vulnerability in Huawei eSpace 7900 IP Phone ***
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
---------------------------------------------
*** ZDI-15-549: AlienVault Unified Security Management av-forward Deserialization of Untrusted Data Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/eDK-If3dTI8/
*** ZDI-15-548: AlienVault Unified Security Management Local Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local attackers to escalate privileges to root on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/TpChWMSd5n0/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM FileNet eForms is affected by vulnerabilities in Apache HttpComponents(CVE-2012-6153 and CVE-2014-3577) ***
http://www.ibm.com/support/docview.wss?uid=swg21962659
---------------------------------------------
*** IBM Security Bulletin: IBM Forms Server could be affected by a denial of service attack (CVE-2013-4517) ***
http://www.ibm.com/support/docview.wss?uid=swg21962659
---------------------------------------------
*** IBM Security Bulletin: Fix Available for Denial of Service Vulnerability in IBM WebSphere Portal (CVE-2015-7419) ***
http://www.ibm.com/support/docview.wss?uid=swg21969906
---------------------------------------------
*** IBM Security Bulletin: Additional Password Disclosure via application tracing in FlashCopy Manager on Windows, Data Protection for Exchange, and Data Protection for SQL CVE-2015-7404 ***
http://www.ibm.com/support/docview.wss?uid=swg21969514
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libuser affect Power Hardware Management Console (CVE-2015-3245 CVE-2015-3246) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1020961
---------------------------------------------
*** IBM Security Bulletin: IBM Cúram Social Program Management is vulnerable to a SQL injection attack ***
http://www.ibm.com/support/docview.wss?uid=swg21967851
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Content Collector and IBM CommonStore for Lotus Domino (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21969654
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM WebSphere MQ ***
http://www.ibm.com/support/docview.wss?uid=swg21970103
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Expeditor (CVE-2015-4000) ***
http://www.ibm.com/support/docview.wss?uid=swg21959292
---------------------------------------------
*** Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director Storage Control ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098822
---------------------------------------------
*** IBM Security Bulletin: IBM FileNet eForms is affected by vulnerabilities in Apache HttpComponents(CVE-2012-6153 and CVE-2014-3577) ***
http://www.ibm.com/support/docview.wss?uid=swg21970090
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 09-11-2015 18:00 − Dienstag 10-11-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** The Internet of Bad Things, Observed ***
---------------------------------------------
In his VB2015 keynote address, Ross Anderson described attacks against EMV cards.The VB2015 opening keynote by Ross Anderson could hardly have been more timely. In his talk "The Internet of Bad Things, Observed", the Cambridge professor looked at various attacks against the EMV standard for payment cards - attacks that have been used to steal real money from real people.Such cards, often called chip-and-PIN or chip-and-signature, are generally seen as better protected against...
---------------------------------------------
http://www.virusbtn.com/blog/2015/11_10.xml?rss
*** Linux.Encoder.1: Ransomware greift Magento-Nutzer an ***
---------------------------------------------
Eine Malware für Linux verschlüsselt zurzeit die Daten von Nutzern des Magento-Shopsystems. Für die Entschlüsselung sollen die Opfer zahlen, doch die Angreifer haben geschlampt: Die Verschlüsselung lässt sich knacken.
---------------------------------------------
http://www.golem.de/news/linux-encoder-1-ransomware-greift-magento-nutzer-a…
*** Comodo fixes bug, revokes banned certificates ***
---------------------------------------------
After reporting last week that it had issued banned certificates that could facilitate man in the middle (MitM) attacks, Comodo has fixed the "subtle bug" that the companys Senior Research and Development Scientist Rob Stradling wrote prompted the problem.
---------------------------------------------
http://www.scmagazine.com/comodo-fixes-bug-revokes-banned-certificates/arti…
*** Proof-of-concept threat is reminder OS X is not immune to crypto ransomware ***
---------------------------------------------
Symantec analysis confirms that in the wrong hands, Mabouia ransomware could be used to attack Macs. Twitter Card Style: summary Analysis by Symantec has confirmed that the proof-of-concept (PoC) threat known as Mabouia works as described and could be used to create functional OS X crypto ransomware if it fell into the wrong hands.read more
---------------------------------------------
http://www.symantec.com/connect/blogs/proof-concept-threat-reminder-os-x-no…
*** Protecting Users and Enterprises from the Mobile Malware Threat, (Mon, Nov 9th) ***
---------------------------------------------
With recent news of mobile malicious adware that roots smartphones, attention is again being paid to mobile security and the malware threat that is posed to it. While mobile ransomware is also a pervasive and growing threat, there are mobile RATs (such as JSocket and OmniRAT) that are also able to take full remote control of mobile devices. Some of the functionality of those tolls includes the ability to use the microphone to listen in on victims and to view whatever is in front of the camera...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20355&rss
*** Cisco Connected Grid Network Management System Privilege Escalation Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Citrix XenServer Security Update for CVE-2015-5307 and CVE-2015-8104 ***
---------------------------------------------
A security vulnerability has been identified in Citrix XenServer that may allow a malicious administrator of an HVM guest VM to crash the host. ...
---------------------------------------------
http://support.citrix.com/article/CTX202583
*** PowerDNS Security Advisory 2015-03: Packet parsing bug can lead to crashes ***
---------------------------------------------
A bug was found using afl-fuzz in our packet parsing code. This bug, when exploited, causes an assertion error and consequent termination of the the pdns_server process, causing a Denial of Service. ... PowerDNS Authoritative Server 3.4.4 - 3.4.6 are affected. No other versions are affected. The PowerDNS Recursor is not affected.
---------------------------------------------
https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 06-11-2015 18:00 − Montag 09-11-2015 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** ICYMI: Widespread Unserialize Vulnerability in Java, (Mon, Nov 9th) ***
---------------------------------------------
On Friday, a blog post from Fox Glove Security was posted that details a widespread Java unserialize vulnerability that affects all the major flavors of middleware (WebSphere, WebLogic, et al). There is a lot of great details, including exploitation instructions for pentesters, in the post so go take a look. It didnt get much press because admittedly its complicated to explain. It also doesnt have a logo.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20353&rss
*** SSH-Client PuTTY 0.66 schließt Sicherheitslücke ***
---------------------------------------------
Die neue Version des SSH- und Telnet-Clients bringt ein paar kleine Verbesserungen und Fehlerkorrekturen. Zudem wurde eine Sicherheitslücke geschlossen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/SSH-Client-PuTTY-0-66-schliesst-Sich…
*** Gratis-WLAN: Welche Risiken es gibt und wie man sich schützt ***
---------------------------------------------
Ein öffentliches Netzwerk ist praktisch, Nutzer sollten sich aber nicht blindlings einloggen
---------------------------------------------
http://derstandard.at/2000025293625
*** Guide to application whitelisting ***
---------------------------------------------
The National Institute of Standards and Technology (NIST) has published a guide to deploying automated application whitelisting to help thwart malicious software from gaining access to organizations' computer systems.
---------------------------------------------
http://www.net-security.org/secworld.php?id=19079
*** Dangerous bugs leave open doors to SAP HANA systems ***
---------------------------------------------
The most serious software flaws ever have been found in SAPs HANA platform, the in-memory database platform that underpins many of the German companys products used by large companies.Eight of the flaws are ranked critical, the highest severity rating ...
---------------------------------------------
http://www.cio.com/article/3003054/dangerous-bugs-leave-open-doors-to-sap-h…
*** Vbulletin 5.1.X Unserialize Preauth RCE Exploit ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015110060
*** Ransomware meets CMS / Linux ***
---------------------------------------------
Ransomware am PC gibt es schon seit Jahren: Die Malware sperrt/verschlüsselt den infizierten PC und verlangt Lösegeld dafür, damit der User weiterarbeiten kann.Dass schlecht gewartete Webseiten mit Joomla, Wordpress, Drupal & co ein Fressen für Hacker sind, ist auch nichts neues. Wir sehen regelmäßig Wellen an Defacements und Exploitpacks, wenn mal wieder jemand das Ausnutzen einer Web-Schwachstelle automatisiert.
---------------------------------------------
http://www.cert.at/services/blog/20151109095947-1618.html
*** Google AdWords API client libraries - XML eXternal Entity Injection (XXE) ***
---------------------------------------------
Confirmed in googleads-php-lib <= 6.2.0 for PHP, AdWords libraries: googleads-java-lib for Java, and googleads-dotnet-lib for .NET are also likely to be affected.
---------------------------------------------
http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injecti…
*** Closing the Open Door of Java Object Serialization ***
---------------------------------------------
If you can communicate with a JVM using Java object serialization using java.io.ObjectInputStream, then you can send a class that can execute commands against the OS from inside of the readObject method, and thereby get shell access. Once you have shell access, you can modify the Java server however you feel like. This is a class of exploit called 'deserialization of untrusted data', aka CWE-502. It's a class of bug that has been encountered from Python, PHP, and from Rails.
---------------------------------------------
https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-se…
*** Protecting Windows Networks - Defeating Pass-the-Hash ***
---------------------------------------------
Pass-the-hash is popular attack technique to move laterally inside the network that relies on two components - the NTLM authentication protocol and ability to gain password hashes. This attack allows you to log in on the systems via stolen hash instead of providing clear text password, so there is no need to crack those hashes. To make use of this attack, attacker already has to have admin rights on the box, which is a plausible scenario in a modern "assume breach" mindset.
---------------------------------------------
https://dfirblog.wordpress.com/2015/11/08/protecting-windows-networks-defea…
*** Security Notice - Statement about Path Traversal Vulnerability in Huawei HG532 Routers Disclosed by CERT/CC ***
---------------------------------------------
It is confirmed that some customized versions of Huawei HG532, HG532e, HG532n, and HG532s have this vulnerability. Huawei has prepared a fixed version for affected carriers and is working with them to release the fixed version.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** No surprise here: Adobes Flash is a hackers favorite target ***
---------------------------------------------
Adobe Systems Flash plugin gets no love from anyone in the security field these days. A new study released Monday shows just how much it is favored by cybercriminals to sneak their malware onto computers.
---------------------------------------------
http://www.cio.com/article/3002668/no-surprise-here-adobes-flash-is-a-hacke…
*** Joomla CMS - Bad Cryptography - Multiple Vulnerabilities ***
---------------------------------------------
heres a complete enumeration of what Ive found:
- JCrypt: Silent fallback to a weak, userspace PRNG (which is very bad for cryptography purposes)
- JCryptCipherSimple: Homegrown weak cipher (XOR-ECB)
- JCryptCipher: Chosen ciphertext attacks (no authentication)
- JCryptCipher: Data corruption / padding oracle attack
- JCryptCipher: Static IV for CBC mode (stored with JCryptKey under the misnomer property, "public") -- this sort of defeats the purpose of using CBC mode
- JCryptPasswordSimple: PHP Non-Strict Type Comparison (a.k.a. Magic
Hash vulnerability)
---------------------------------------------
http://www.openwall.com/lists/oss-security/2015/11/08/1
*** HTTP Evasions Explained - Part 7 - Lucky Numbers ***
---------------------------------------------
This is part seven in a series which will explain the evasions done by HTTP Evader. This part will be about using the wrong or even invalid status codes to evade the analysis. For 30% of the firewalls in the tests reports Ive got it is enough to use a status code of 100 instead of 200 to bypass analysis and at least Chrome, IE and Edge will download the data even with this wrong status code:
---------------------------------------------
http://noxxi.de/research/http-evader-explained-7-lucky-number.html
*** Security Advisory: Linux kernel vulnerability CVE-2014-9419 ***
---------------------------------------------
F5 Product Development has assigned ID 530413 (BIG-IP), ID 530553 (BIG-IQ), ID 530554 (Enterprise Manager), ID 520651 (FirePass), ID 461496 (ARX), and INSTALLER-1299 (Traffix) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17551.htm…
*** IBM Security Bulletins ***
---------------------------------------------
*** Vulnerabilities in Qemu affect PowerKVM (Multiple Vulnerabilities) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022875
---------------------------------------------
*** IBM Smart Analytics System 5600 is affected by vulnerabilities in IBM GPFS (CVE-2015-4974, CVE-2015-4981) ***
http://www.ibm.com/support/docview.wss?uid=swg21969198
---------------------------------------------
*** Authentication Bypass vulnerability found in IBM Sterling B2B Integrator (CVE-2015-5019) ***
http://www.ibm.com/support/docview.wss?uid=swg21967781
---------------------------------------------
*** IBM Smart Analytics System 5600 is affected by a vulnerability in BIND (CVE-2015-5722) ***
http://www.ibm.com/support/docview.wss?uid=swg21964962
---------------------------------------------
*** Vulnerability in Net-SNMP affects PowerKVM (CVE-2015-5621) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022903
---------------------------------------------
*** Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management, and IBM Emptoris Services Procurement. ***
http://www.ibm.com/support/docview.wss?uid=swg21969875
---------------------------------------------
*** Multiple OpenSSL Vulnerabilities affect IBM WebSphere MQ 5.3 on HP NonStop (CVE-2015-1788) (CVE-2015-1789) (CVE-2015-1791) ***
http://www.ibm.com/support/docview.wss?uid=swg21966723
---------------------------------------------
*** Multiple vulnerabilities in IBM Java Runtime affect Security Directory Integrator ***
https://www-304.ibm.com/support/docview.wss?uid=swg21969901
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 05-11-2015 18:00 − Freitag 06-11-2015 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** jQuery.min.php Malware Affects Thousands of Websites ***
---------------------------------------------
Fake jQuery injections have been popular among hackers since jQuery itself went mainstream and became one of the most widely adopted JavaScript libraries. Every now and then we write about such attacks. Almost every week we see new fake jQuery domains and scripts that mimic jQuery.
---------------------------------------------
https://blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of…
*** OmniRAT malware scurrying into Android, PC, Mac, Linux systems ***
---------------------------------------------
Leverages Stagefright scare for installs As police across Europe crack down on the use of the DroidJack malware, a similar software nasty has emerged that can control not just Android, but also Windows, Mac, and Linux systems and is being sold openly at a fraction of the cost.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/omnirat_mal…
*** Check Point Discovers Critical vBulletin 0-Day ***
---------------------------------------------
As widely reported, the main vBulletin.org forum was compromised earlier this week and an exploit for a vBulletin 0-day was up for sale in online markets. A patch later released by vBulletin fixes the vulnerability reported, but fails to neither credit any reporting nor mention the appropriate CVE number. As the vulnerability is now fixed and an exploit exists in the wild with public analyses, we follow with the technical description as submitted to vBulletin.
---------------------------------------------
http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulle…
*** Peter Kieseberg @ 5th KIRAS Fachtagung ***
---------------------------------------------
Today Peter Kieseberg (SBA Research) presented the results of the SCUDO-Project together with Alexander Szönyi (Thales Austria) and Wolfgang Rosenkranz (Repuco) at the 5th 'KIRAS Fachtagung' in the Austria Trend Hotel Savoyen Vienna. This project was focused on the development of a training process for defence simulation trainings in the area of critical infrastructures ...
---------------------------------------------
https://www.sba-research.org/2015/11/05/peter-kieseberg-5th-kiras-fachtagun…
*** Bundestag will Mitarbeitern Flash verbieten ***
---------------------------------------------
Nach dem schweren Hackerangriff vor rund sechs Monaten will der Deutsche Bundestag mit einigen Maßnahmen die IT-Sicherheit erhöhen. Mitarbeiter und Abgeordnete sollen zu längeren Passwörtern und PINs mit mindestens acht Zeichen verpflichtet werden, außerdem werden Flash und andere Browsererweiterungen von den Rechnern verbannt, wie Spiegel Online unter Berufung auf ein internes Dokument der Bundestagsverwaltung berichtet.
---------------------------------------------
http://www.golem.de/news/nach-hackerangriff-bundestag-will-flash-verbieten-…
*** Slides from RUXCON, Oct. 24-25, Melbourne ***
---------------------------------------------
* DNS as a Defense Vector, Paul Vixie
* High Performance Fuzzing, Richard Johnson
* MalwAirDrop: Compromising iDevices via AirDrop, Mark Dowd
* Broadcasting Your Attack: Security Testing DAB Radio In Cars, Andy Davis
* Windows 10: 2 Steps Forward, 1 Step Back, James Forshaw
...
---------------------------------------------
https://ruxcon.org.au/slides/?year=2015
*** Tracking HTTP POST data with ELK, (Fri, Nov 6th) ***
---------------------------------------------
The Apache webserver has a very modular logging system. It is possible to customize what to log and how. But it lacks in logging data submitted to the server via POST HTTP requests. Recently, I had to investigate suspicious HTTP traffic and one of the requirements was to analyze POST data. If you already have a solution which performs full packet capture, youre lucky but it could quickly become a pain to search for information across gigabytes of PCAP files.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20345&rss
*** Encryption ransomware threatens Linux users ***
---------------------------------------------
November 6, 2015 Doctor Web warns users about new encryption ransomware targeting Linux operating systems. Judging from the directories in which the Trojan encrypts files, one can draw a conclusion that the main target of cybercriminals is website administrators whose machines have web servers deployed on. Doctor Web security researchers presume that at least tens of users have already fallen victim to this Trojan.
---------------------------------------------
http://news.drweb.com/show/?i=9686&lng=en&c=9
*** Advantech EKI Hard-coded SSH Keys Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a hard-coded SSH key vulnerability in Advantech's EKI-122X series products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-309-01
*** ICIT Brief: Know Your Enemies - A Primer on Advanced Persistent Threat Groups ***
---------------------------------------------
This primer provides an overview of the threat landscape, attack vectors, size and sophistication of threat actors. Some of the Groups and Platforms include: The Elderwood Platform, Topsec, Axiom, Hidden Lynx, Deep Panda, PLA Unit 61398, Putter Panda, Tarh Andishan, Ajax, Bureau 121, Energetic Bear, Uroburos, APT 28, Hammertoss, CrazyDuke, Sandworm, Syrian Electronic Army, Anonymous and Butterfly Group among others.
---------------------------------------------
http://icitech.org/icit-brief-know-your-enemies-a-primer-on-advanced-persis…
*** Security Advisory: NTP vulnerability CVE-2015-7704 ***
---------------------------------------------
An off-path attacker can send a crafted Kiss of Death (KoD) packet to the client, which will increase the client's polling interval to a large value and effectively disable synchronization with the server.
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17566.htm…
*** Security Advisory - DoS Vulnerability in GPU Driver of Huawei Products ***
---------------------------------------------
Some Huawei products have a DoS vulnerability. An attacker may trick a user into installing a malicious application and use it to input invalid parameters into the GPU driver program of the products, which can crash the system of the device. (Vulnerability ID: HWPSIRT-2015-09017)
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-7740.
Huawei has released software updates to fix these vulnerabilities.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Security Advisory - DoS Vulnerability in Camera Driver of Huawei Products ***
---------------------------------------------
Some Huawei products have a DoS vulnerability. An attacker who has the system or camera permission can input invalid parameters into the camera driver program to crash the system. (Vulnerability ID: HWPSIRT-2015-09013)
Huawei has released software updates to fix these vulnerabilities.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 04-11-2015 18:00 − Donnerstag 05-11-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** A Technical Look At Dyreza ***
---------------------------------------------
Inside the core of Dyreza - a look at its malicious functions and their implementation.Categories: Malware AnalysisTags: dyrezamalware(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/intelligence/2015/11/a-technical-look-at-dyre…
*** Malicious spam with links to CryptoWall 3.0 - Subject: Domain [name] Suspension Notice, (Thu, Nov 5th) ***
---------------------------------------------
Introduction Since Monday 2015-10-26, weve noticed a particular campaign sending malicious spam (malspam) with links to download CryptoWall 3.0 ransomware. This campaign has been impersonating domain registrars. Conrad Longmore blogged about it last week [1], and Techhelplist.com has a good write-up on the campaign [2]. Several other sources have also discussed this wave of malspam [3, 4, 5, 6, 7, 8 to name a few]. For this diary, well take a closer look at the emails and associated CryptoWall
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20333&rss
*** CryptoWall 4.0 Released with a New Look and Several New Features ***
---------------------------------------------
The fourth member of the CryptoWall family of ransomware, CryptoWall 4.0, has just been released, complete with new features and a brand new look. We recently reported that CryptoWall 3.0 has allegedly caused over $325 million in annual damages. CryptoWall first emerged in April 2014. Its first major upgrade was dubbed CryptoWall 2.0, and first emerged in October...
---------------------------------------------
http://securityaffairs.co/wordpress/41718/cyber-crime/cryptowall-4-0-releas…
*** SSL-Zertifikate: Microsoft will sich schon nächstes Jahr von SHA-1 trennen ***
---------------------------------------------
Die Firma überlegt ob der neuen Qualität von Angriffen auf den Hash-Algorithmus, diesen schon Mitte 2016 auf die verbotene Liste zu setzen. Google und Mozilla gehen ähnliche Wege.
---------------------------------------------
http://heise.de/-2880134
*** Mabouia: The first ransomware in the world targeting MAC OS X ***
---------------------------------------------
Rafael Salema Marques, a Brazilian researcher, published a PoC about the existence of Mabouia ransomware, the first ransomware that targets MAC OS X. Imagine this scenario: You received a ransom warning on your computer stating that all your personal files had been locked. In order to unlock the files, you would have to pay $500.
---------------------------------------------
http://securityaffairs.co/wordpress/41755/cyber-crime/mabouia-ransomware-ma…
*** Meet the Android rooting adware that cannot be removed ***
---------------------------------------------
Researchers have identified a new strain of malicious adware that is impossible for affected Android device owners to uninstall.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/Prm6r3X3tzk/
*** No C&C server needed: Russia menaced by offline ransomware ***
---------------------------------------------
Harder to take down, nyet? Miscreants have cooked up a new strain of ransomware that works offline and so might be more resistant to law enforcement takedown efforts as a result.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/offline_ran…
*** Thousands of legitimate iOS apps discovered containing ad library backdoors ***
---------------------------------------------
More than 2,000 iOS apps stocked in Apples legitimate App Store reportedly contained backdoored versions of an ad library, which could have allowed for surveillance without users knowledge.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/nxOb5Ac0sYo/
*** The Omnipresence of Ubiquiti Networks Devices on the Public Web ***
---------------------------------------------
There are ongoing in the wild attacks against Ubiquiti Networks devices. Attackers are using default credentials to gain access to the affected devices via SSH. The devices are infected by a botnet client that is able to infect other devices.Further information about these attacks is available at:Krebs on Security: http://krebsonsecurity.com/2015/06/crooks-use-hacked-routers-to-aid-cyberhe… Research: https://www.incapsula.com/blog/ddos-botnet-soho-router.htmlCARISIRT
---------------------------------------------
http://blog.sec-consult.com/2015/11/the-omnipresence-of-ubiquiti-networks.h…
*** vBulletin Exploits in the Wild ***
---------------------------------------------
The vBulletin team patched a serious object injection vulnerability yesterday, that can lead to full command execution on any site running on an out-of-date vBulletin version. The patch supports the latest versions, from 5.1.4 to 5.1.9. The vulnerability is serious and easy to exploit; it was used to hack and deface the main vBulletin.com website. As aRead More The post vBulletin Exploits in the Wild appeared first on Sucuri Blog.
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/NNlPrHaDARs/vbulletin-exploit…
*** TalkTalk, Script Kids & The Quest for "OG" ***
---------------------------------------------
So youve got two-step authentication set up to harden the security of your email account (you do, right?). But when was the last time you took a good look at the security of your inboxs recovery email address? That may well be the weakest link in your email security chain, as evidenced by the following tale of a IT professional who saw two of his linked email accounts recently hijacked in a bid to steal his Twitter identity.Earlier this week, I heard from Chris Blake, a longtime KrebsOnSecurity...
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/im8m6Imwfsk/
*** Connecting the Dots in Cyber Threat Campaigns, Part 2: Passive DNS ***
---------------------------------------------
This is the second part of our series on "connecting the dots", where we investigate ways to link attacks together to gain a better understanding of how they are related. In Part 1, we looked...
---------------------------------------------
http://feedproxy.google.com/~r/PaloAltoNetworks/~3/7x_ynKHJKns/
*** Xen Project 4.5.2 Maintenance Release Available ***
---------------------------------------------
I am pleased to announce the release of Xen 4.5.2. Xen Project Maintenance releases are released roughly every 4 months, in line with our Maintenance Release Policy. We recommend that all users of the 4.5 stable series update to this point release.
---------------------------------------------
https://blog.xenproject.org/2015/11/05/xen-project-4-5-2-maintenance-releas…
*** Open-Xchange Input Validation Flaw in Printing Dialogs Lets Remote Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1034018
*** Bugtraq: [KIS-2015-10] Piwik <= 2.14.3 (DisplayTopKeywords) PHP Object Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536839
*** Bugtraq: [KIS-2015-09] Piwik <= 2.14.3 (viewDataTable) Autoloaded File Inclusion Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536838
*** MIT Kerberos Multiple Bugs Let Remote Users Cause the Target Service to Crash ***
---------------------------------------------
http://www.securitytracker.com/id/1034084
*** [2015-11-05] Insecure default configuration in Ubiquiti Networks products ***
---------------------------------------------
Ubiquiti Networks products have remote administration enabled by default (WAN port). Additionally these products use the same certificates and private keys for administration via HTTPS.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015…
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator of a guest VM to compromise ...
---------------------------------------------
http://support.citrix.com/article/CTX202404
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere MQ is affected by multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 5, 6 & 7 ***
http://www.ibm.com/support/docview.wss?uid=swg21968485
---------------------------------------------
*** IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to Denial of Service Attack. (CVE-2014-0230) ***
http://www.ibm.com/support/docview.wss?uid=swg21970036
---------------------------------------------
*** IBM Security Bulletin: Openstack Nova vulnerability affects IBM Cloud Manager with OpenStack (CVE-2015-2687) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022691
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM DB2 LUW (CVE-2015-0204) ***
http://www.ibm.com/support/docview.wss?uid=swg21968869
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21969911
---------------------------------------------
*** PowerHA SystemMirror privilege escalation vulnerability (CVE-2015-5005) ***
http://www.ibm.com/support/
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could allow an authenticated user to change work orders that the user should not have access to change (CVE-2015-7395 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21969072
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in the Linux Kernel affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022785
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Python affect PowerKVM (CVE-2013-5123, CVE-2014-8991) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022786
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSLP affects PowerKVM (CVE-2015-5177) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022876
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Python-httplib2 affects PowerKVM (CVE-2013-2037) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022877
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in lcms affects PowerKVM (CVE-2015-4276) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022834
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Libcrypt++ affects PowerKVM (CVE-2015-2141) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022879
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in lighttpd affects PowerKVM (CVE-2015-3200) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022837
---------------------------------------------
*** IBM Security Bulletin:Vulnerabilities in wpa_supplicant may affect PowerKVM (CVE-2015-1863 and CVE-2015-4142) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022832
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libXfont affect PowerKVM (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022787
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Mozilla NSS affects PowerKVM (CVE-2015-2730) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022790
---------------------------------------------
*** IBM Security Bulletin: Information disclosure vulnerability could expose user personal data in IBM WebSphere Commerce (CVE-2015-5015) ***
http://www.ibm.com/support/docview.wss?uid=swg21969174
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager is affected by a vulnerability from FSM's use of strongswan: (CVE-2015-4171) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022817
---------------------------------------------
*** IBM Security Bulletin: IBM Netezza Host Management is vulnerable to a BIND 9 utility issue (CVE-2015-5722) ***
http://www.ibm.com/support/docview.wss?uid=swg21966952
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 03-11-2015 18:00 − Mittwoch 04-11-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Return of the EXIF PHP Joomla Backdoor ***
---------------------------------------------
Our Remediation and Research teams are in constant communication and collaboration. It's how we stay ahead of the latest threats, but it also presents an opportunity to identify interesting threats that aren't new but may be reoccuring. Such as today's post, in which we explore a case we shared close to two years ago where...
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/VZAI0vVYGjI/exif-php-joomla-b…
*** Researchers map out hard-to-kill, multi-layered spam botnet ***
---------------------------------------------
A dropper component sent to the Akamai researchers led them to the discovery of a spamming botnet that consists of at least 83,000 compromised systems. The botnet is multi-layered, decentralized, a...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/B72jnhO-1Ds/secworld.php
*** Nach Hack des Support-Forums: Mysteriöser vBulletin-Patch erschienen ***
---------------------------------------------
Nach einem Angriff auf das offizielle Support-Forum der Forensoftware vBulletin ist ein Sicherheitsupdate erschienen. Ob dies die Lücke stopft, die bei dem Angriff ausgenutzt wurde, ist nicht ganz klar.
---------------------------------------------
http://heise.de/-2869989
*** Internet Wide Scanners Wanted, (Wed, Nov 4th) ***
---------------------------------------------
In our data, we often find researchers performing internet wide scans. To better identify these scans, we would like to add a label to these IPs identifying them as part of a research project. If you are part of such a project, or if you know of a project, please let me know. You can submit any information as a comment or via our contact form. If the IP addresses change often, then a URLs with a parseable list would be appreciated to facilitate automatic updates. --- Johannes B. Ullrich, Ph.D.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20337&rss
*** GovRAT, the malware-signing-as-a-service platform in the underground ***
---------------------------------------------
Security Experts at InfoArmor discovered GovRAT, a malware-signing-as-a-service platform that is offered to APT groups in the underground. In the past, I have explained why digital certificates are so attractive for crooks and intelligence agencies, one of the most interesting uses is the signature of malware code in order to fool antivirus. Naturally, digital certificates...
---------------------------------------------
http://securityaffairs.co/wordpress/41714/cyber-crime/govrat-platform.html
*** Confusing Convenience for Security: SSH Keys ***
---------------------------------------------
Secure Shell (SSH) keys are a common part of accessing Unix systems, and you need to put some focus specifically on your organization's use of SSH keys.
---------------------------------------------
http://blog.beyondtrust.com/confusing-convenience-for-security-ssh-keys
*** Security Fixes in Firefox 42 ***
---------------------------------------------
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firef…
*** VU#391604: ZTE ZXHN H108N R1A routers contains multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#391604 ZTE ZXHN H108N R1A routers contains multiple vulnerabilities Original Release date: 03 Nov 2015 | Last revised: 03 Nov 2015 Overview ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities. Description CWE-200: Information Exposure - CVE-2015-7248 Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN...
---------------------------------------------
http://www.kb.cert.org/vuls/id/391604
*** Alcatel-Lucent Home Device Manager Spoofing ***
---------------------------------------------
Topic: Alcatel-Lucent Home Device Manager Spoofing Risk: Low Text: ## # # SWISSCOM CSIRT ADVISORY - https://www.swisscom.ch/en/about/sustainability/digital- #switze...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015110029
*** DSA-3391 php-horde - security update ***
---------------------------------------------
It was discovered that the web-based administration interface in theHorde Application Framework did not guard against Cross-Site RequestForgery (CSRF) attacks. As a result, other, malicious web pages couldcause Horde applications to perform actions as the Horde user.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3391
*** DSA-3392 freeimage - security update ***
---------------------------------------------
Pengsu Cheng discovered that FreeImage, a library for graphic imageformats, contained multiple integer underflows that could lead to adenial of service: remote attackers were able to trigger a crash bysupplying a specially crafted image.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3392
*** Bugtraq: [security bulletin] HPSBGN03425 rev.1 - HP ArcSight SmartConnectors, Remote Disclosure of Information, Local Escalation of Privilege ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536827
*** Bugtraq: [security bulletin] HPSBGN03386 rev.2 - HP Central View Fraud Risk Management, Revenue Leakage Control, Dealer Performance Audit, Credit Risk Control, Roaming Fraud Control, Subscription Fraud Prevention, Remote Disclosure of Information, ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536824
*** Security Advisory - Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Security Notice - Statement on Venustech Revealing Heap Overflow Vulnerability in Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Bugtraq: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp [REVISED] ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536833
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco SocialMiner WeChat Page Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Web Security Appliance Cache Reply Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Mobility Services Engine Static Credential Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco AsyncOS TCP Flood Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Web Security Appliance Range Request Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Mobility Services Engine Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Web Security Appliance Certificate Generation Command Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Email Security Appliance Email Scanner Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 02-11-2015 18:00 − Dienstag 03-11-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** UK-US Cyberattack Simulation On Finance Sector Set For This Month ***
---------------------------------------------
US-CERT and CERT-UK putting President and Prime Ministers earlier plans into action.
---------------------------------------------
http://www.darkreading.com/operations/uk-us-cyberattack-simulation-on-finan…
*** Latest Adobe Flash vulnerability now in Angler, Nuclear EKs ***
---------------------------------------------
Malwarebytes is reporting that once again Adobe Flash Player has become a target as the recently patched zero-day exploit that was discovered and patched has become a part of several exploit kits (EK).
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/s2Q_P9QhW74/
*** WoW! Want to beat Microsofts Windows security defenses? Poke some 32-bit software ***
---------------------------------------------
Compatibility tool hampers EMET anti-malware protections Two chaps claim to have discovered how to trivially circumvent Microsofts Enhanced Mitigation Experience Toolkit (EMET) using Redmonds own compatibility tools.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/03/32bit_softw…
*** Web server secured? Good, now lets talk about e-mail ***
---------------------------------------------
Its not just Hillary whose servers a spillory While Website owners may have noticed the need to get rid of old, buggy or weak crypto, those operating e-mail servers seem to be operating on autopilot.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/03/web_server_…
*** Dev to Mozilla: Please dump ancient Windows install processes ***
---------------------------------------------
Old habits die hard Security bod Stefan Kanthak is asking Mozilla to quit using Windows self-extracting installs.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/03/dev_to_mozi…
*** The official website of the popular vBulletin forum has been hacked ***
---------------------------------------------
The website of the vBulletin forum software is down for maintenance following a data breach that exposed personal information of hundreds of thousands users On Sunday, the vBulletin official website has been hacked by an attacker using the moniker "Coldzer0". The website has been defaced and the vBulletin forum was displaying the message "Hacked by Coldzer0." At the...
---------------------------------------------
http://securityaffairs.co/wordpress/41656/cyber-crime/vbulletin-forum-hacke…
*** Chimera crypto-ransomware is hitting German companies ***
---------------------------------------------
A new piece of crypto-ransomware is targeting German companies: its called Chimera, and the criminals behind the scheme are threatening to release sensitive corporate data on the Internet if the targ...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/D53NfnuVrIM/malware_news.…
*** KeyPass looter: The password plunderer to hose pwned sys admins ***
---------------------------------------------
When youre owned, youre boned. Kiwi hacker Denis Andzakovic has developed an application that steals password vaults from the popular local storage vault KeyPass.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/03/keypass_loo…
*** Security: Kommandozeilen-Zugriff auf Bankterminal dokumentiert ***
---------------------------------------------
Ein deutscher Sicherheitsforscher hat eine Sicherheitslücke in Geldautomaten-Software gefunden. Die Schwachstelle ermöglichte den Zugriff auf die Kommandozeile des Geräts und das Auslesen zahlreicher kritischer Daten.
---------------------------------------------
http://www.golem.de/news/security-kommandozeilen-zugriff-auf-bankterminal-d…
*** OTA-Patch: Google verteilt Sicherheitsupdate für Android 6.0 ***
---------------------------------------------
Die neue Android-Version 6.0 alias Marshmallow bekommt nach einem Monat ihre erste Sicherheitsaktualisierung. Grund sind insgesamt sieben Bedrohungen, von denen Google zwei als kritisch einstuft.
---------------------------------------------
http://www.golem.de/news/ota-patch-google-verteilt-sicherheitsupdate-fuer-a…
*** Kaspersky DDoS Intelligence Report Q3 2015 ***
---------------------------------------------
In the third quarter of 2015 botnet-assisted DDoS attacks targeted victims in 79 countries around the world; 91.6% of targeted resources were located in 10 countries. The largest numbers of DDoS attacks targeted victims in China, the US and South Korea. The longest DDoS attack in Q3 2015 lasted for 320 hours.
---------------------------------------------
http://securelist.com/analysis/quarterly-malware-reports/72560/kaspersky-dd…
*** Wormhole-Schwachstelle: Backdoor in über 14.000 Android-Apps ***
---------------------------------------------
Das Moplus SDK hält in zahlreichen Apps eine Hintertür für Angreifer auf, sodass diese etwa heimlich Dateien von Android-Gerät abziehen und SMS-Nachrichten versenden können.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Wormhole-Schwachstelle-Backdoor-in-u…
*** A few things about Redis security ***
---------------------------------------------
>From time to time I get security reports about Redis. It's good to get reports, but it's odd that what I get is usually about things like Lua sandbox escaping, insecure temporary file creation, and similar issues, in a software which is designed (as we explain in our security page here http://redis.io/topics/security) to be totally insecure if exposed to the outside world. Yet these bug reports are often useful since there are different levels of security concerning any software in...
---------------------------------------------
http://antirez.com/news/96
*** How Carders Can Use eBay as a Virtual ATM ***
---------------------------------------------
How do fraudsters "cash out" stolen credit card data? Increasingly, they are selling in-demand but underpriced products on eBay that they dont yet own. Once the auction is over, the auction fraudster uses stolen credit card data to buy the merchandise from an e-commerce store and have it shipped to the auction winner. Because the auction winners actually get what they bid on and unwittingly pay the fraudster, very often the only party left to dispute the charge is the legitimate...
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/E4QijbOr8i0/
*** ORX-Locker, a Web Platform to Create Ransomware ***
---------------------------------------------
The only thing more dangerous than cryptolocker-type ransomware in the hands of a highly skilled hacker is the same ransomware offered as a service and made available to the general public. Similar to the private TOX RaaS (Ransomware as a Service) platform discovered in August, ORX-Locker is a free-to-use web platform where anyone can create and download malware that will encrypt a victim's file system and demand payment for recovery. This is one of the first public RaaS sites we've...
---------------------------------------------
https://feeds.feedblitz.com/~/122089935/0/alienvault-blogs~ORXLocker-a-Web-…
*** XcodeGhost S: A New Breed Hits the US ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html
*** Enhancing pentesting recon with nmap, (Tue, Nov 3rd) ***
---------------------------------------------
You might have used nmap several times for recon using the conventional portscan functionality (Connect scan, SYN Scan, FIN scan, UDP scan, ...) but for gathering extra info like HTTP directories, DNS host enumeration without performing zone transfer, Microsoft SQL Server enumeration and SMB device info people usually uses additional tools. I will show you how nmap can provide that information without use of extra tools: 1. HTTP Directories The http-enum script is able to test for the existence...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20331&rss
*** VU#316888: MobaXterm server may allow arbitrary command injection due to missing X11 authentication ***
---------------------------------------------
Vulnerability Note VU#316888 MobaXterm server may allow arbitrary command injection due to missing X11 authentication Original Release date: 02 Nov 2015 | Last revised: 02 Nov 2015 Overview The MobaXterm server prior to verion 8.3 is vulnerable to arbitrary command injection over port 6000 when using default X11 settings. Description CWE-306: Missing Authentication for Critical Function - CVE-2015-7244MobaXterm server prior to version 8.3 includes an X11 server listening on all IP addresses...
---------------------------------------------
http://www.kb.cert.org/vuls/id/316888
*** Security Advisory - Local Permission Escalation Vulnerability in GPU of P7 Phones ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Cisco Unified Computing System Blade Server Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: NTP vulnerability CVE-2015-7852 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17516.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerability CVE-2015-7850 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17528.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerability CVE-2015-7701 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17517.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerabilities CVE-2015-7704 and CVE-2015-7705 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17527.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerability CVE-2015-7703 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17529.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerability CVE-2015-7848 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17526.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerabilities CVE-2015-7691, CVE-2015-7692, and CVE-2015-7702 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17530.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerability CVE-2015-7871 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17518.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerability CVE-2015-7849 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17521.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerability CVE-2015-7854 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17524.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerability CVE-2015-7853 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17525.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerability CVE-2015-7855 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17515.htm…
---------------------------------------------
*** Security Advisory: NTP vulnerability CVE-2015-7851 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17522.htm…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 30-10-2015 18:00 − Montag 02-11-2015 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** CoinVault and Bitcryptor Ransomware Victims Can Now Recover Their Files For Free ***
---------------------------------------------
itwbennett writes: Researchers from Kaspersky Lab and the Dutch Public Prosecution Service have obtained the last set of encryption keys from command-and-control servers that were used by CoinVault and Bitcryptor, writes Lucian Constantin. Those keys have been uploaded to Kasperskys ransomware decrypt or service that was originally set up in April with a set of around 750 keys recovered from servers hosted in the Netherlands.
---------------------------------------------
http://yro.slashdot.org/story/15/10/30/2341230/coinvault-and-bitcryptor-ran…
*** Disaster Recovery Starts with a Plan, (Mon, Nov 2nd) ***
---------------------------------------------
One of the security questions being asked of security professionals, by business executives these days, from both internal and external entities, is What is the status of our Disaster Recovery plan? The driving force behind the question varies, from compliance and our business partners are asking to I read an article about an earthquake. A disaster recovery plan is one of those things that you dont want to define the requirements as you go, this is one that is truly about the *plan*.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20325&rss
*** About Lenovo System Update Vulnerabilities and CVE-2015-6971 ***
---------------------------------------------
Over the past seven months, a number of vulnerabilities in Lenovo System Update software have come to light. Lenovo patched the first of a batch of these vulnerabilities in spring of this year. I decided to take a deeper look...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/About-Lenovo-System-Update-V…
*** Useful tools for malware analysis ***
---------------------------------------------
In early October, the international project 'Cyber Security in the Danube Region' organized training for security teams operating within the region. As sharing of information and knowledge are essential in the field of security, I decided to write a post ...
---------------------------------------------
http://en.blog.nic.cz/2015/10/30/useful-tools-for-malware-analysis/
*** Debian: elasticsearch end-of-life (DSA 3389-1) ***
---------------------------------------------
Security support for elasticsearch in jessie is hereby discontinued. The project no longer releases information on fixed security issues which allow backporting them to released versions of Debian and actively discourages from doing so. elasticsearch will also be removed from Debian stretch (the next stable Debian release), but will continue to remain in unstable and available in jessie-backports.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2015/msg00290.html
*** PageFair: Halloween Security Breach ***
---------------------------------------------
I want to take some time here to describe exactly what happened, how it may have affected some of your visitors, and what we are doing to prevent this from ever happening again.
---------------------------------------------
http://blog.pagefair.com/2015/halloween-security-breach/
*** RWSPS: WPA/2 Cracking Using HashCat ***
---------------------------------------------
We will cover the following topics: WPA/2 Cracking with Dictionary attack using Hashcat. WPA/2 Cracking with Mask attack using Hashcat. WPA/2 Cracking with Hybrid attack using Hashcat. WPA/2 Cracking Pause/resume in Hashcat (One of the best features) WPA/2 Cracking save sessions and restore.
---------------------------------------------
http://www.rootsh3ll.com/2015/10/rwsps-wpa2-cracking-using-hashcat-cloud-ch…
*** Protecting Windows Networks - Local administrative accounts management ***
---------------------------------------------
There is a common problem in all environments with local administrative accounts, such as local Administrator account, root accounts or any kind of application specific built-in admin accounts set to a common password, shared across all systems.
---------------------------------------------
https://dfirblog.wordpress.com/2015/11/01/protecting-windows-networks-local…
*** new Windows 10 cumulative update (3105210) ***
---------------------------------------------
Bulletin revised to announce the release of a new Windows 10 cumulative update (3105210) to address an additional vulnerability, CVE-2015-6045, which has been added to this bulletin. Only customers running Windows 10 systems need to install this new update. Earlier operating systems are either not affected or have received the fix in the original updates of October 13, 2015.
---------------------------------------------
https://technet.microsoft.com/library/security/ms15-106
*** 5 signs your Web application has been hacked ***
---------------------------------------------
When customers interact with your business, they most likely go through a Web application first. It's your company's public face -- and by virtue of that exposure, an obvious point of vulnerability.Most attacks against Web applications are stealthy and hard to spot.
---------------------------------------------
http://www.csoonline.com/article/3000315/application-security/5-signs-your-…
*** How Much is a Zero-Day Exploit for an SCADA/ICS System? ***
---------------------------------------------
Current scenario How much is a zero-day for an industrial control system? Where is it possible to buy them and who are the main buyers of these commodities? I can tell you that there isn't a unique answer to the above questions, but first all let us try to understand the current scenario ...
---------------------------------------------
http://resources.infosecinstitute.com/how-much-is-a-zero-day-exploit-for-an…
*** Cisco Security Advisories ***
---------------------------------------------
*** Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015 ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Communications Domain Manager URI Enumeration Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FireSIGHT Management Center HTML Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FireSIGHT Management Center Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco ASR 5500 SAE Gateway BGP Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Service Catalog SQL Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco ASA CX Context-Aware Security Web GUI Unauthorized Access Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Border Element Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Secure Access Control Server Role-Based Access Control Weak Protection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Secure Access Control Server Reflective Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Secure Access Control Server Role-Based Access Control URL Lack of Protection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Secure Access Control Server Dom-Based Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Secure Access Control Server SQL Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Wireless LAN Controller Client Disconnection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 29-10-2015 18:00 − Freitag 30-10-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** WPScan Intro: WordPress Vulnerability Scanner ***
---------------------------------------------
Have you ever wanted to run security tests on your WordPress website to see if it could be easily hacked? WPScan is a black box vulnerability scanner for WordPress sponsored by Sucuri and maintained by the WPScan Team, ..
---------------------------------------------
https://blog.sucuri.net/2015/10/install-wpscan-wordpress-vulnerability-scan…
*** Anonymisierungsdienst Tor stellt sicheren Messenger vor ***
---------------------------------------------
Es soll sich um die am einfachsten zu nutzende Verschlüsselungssoftware handeln
---------------------------------------------
http://derstandard.at/2000024778063
*** Advertising Brokers: A Background Information ***
---------------------------------------------
Provides background information about advertisement brokers, the men and women that are in the middle of web advertising between sites and advertisers.
---------------------------------------------
https://blog.malwarebytes.org/privacy-2/2015/10/advertising-brokers-backgro…
*** DSA-3384 virtualbox - security update ***
---------------------------------------------
Two vulnerabilities have been discovered in VirtualBox, an x86virtualisation solution.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3384
*** Bankomat: Diebstahl per USB-Stick ***
---------------------------------------------
Unbekannter konnte in Deutschland mehrere Geräte manipulieren
---------------------------------------------
http://derstandard.at/2000024796664
*** Paper on TLS usage for all email protocols, IPv4-wide is online ***
---------------------------------------------
Today we've published our paper on TLS use in e-mail protocols (SMTP, IMAP, POP..) on the Internet. Our paper and the corresponding dataset are now publicly available, you can find the paper here. Our dataset is published at scans.io. Over the time of ..
---------------------------------------------
https://www.sba-research.org/2015/10/30/paper-on-tls-usage-for-all-email-pr…
*** Weaknesses in the PLAID Protocol ***
---------------------------------------------
In 2009, the Australian government released the Protocol for Lightweight Authentication of Identity (PLAID) protocol. It was recently analyzed (original paper is from 2014, but was just updated), and its a security disaster. Matt ..
---------------------------------------------
https://www.schneier.com/blog/archives/2015/10/weaknesses_in_t.html
*** Pagetable-Sicherheitslücke: Ausbruch aus dem virtuellen Xen-Käfig ***
---------------------------------------------
Eine Lücke im Xen-Hypervisor erlaubt einem Gastsystem, die Kontrolle über das komplette Host-System zu übernehmen. Hierfür wird die Speicherverwaltung ausgetrickst. Die Entwickler der Qubes-Distribution üben heftige Kritik an Xen.
---------------------------------------------
http://www.golem.de/news/pagetable-sicherheitsluecke-ausbruch-aus-dem-virtu…
*** Citrix NetScaler Service Delivery Appliance Multiple Security Updates ***
---------------------------------------------
A number of vulnerabilities have been identified in Citrix Service Delivery Appliance (SDX) that could allow a malicious, unprivileged user to ..
---------------------------------------------
http://support.citrix.com/article/CTX201794
*** Fatale Sicherheitslücken in Zwangsroutern von Vodafone/Kabel Deutschland ***
---------------------------------------------
Bis zu 1,3 Millionen Router im Kabel-Netz von Vodafone sind über WLAN angreifbar. Der Provider verspricht, die Lücken mit Firmware-Updates zu schliessen. Das kann sich jedoch noch bis Jahresende hinziehen.
---------------------------------------------
http://heise.de/-2866037
*** Breaches, traders, plain text passwords, ethical disclosure and 000webhost ***
---------------------------------------------
It's a bit hard to even know where to begin with this one, perhaps at the start and then I'll try and piece all the bits together as best I can. As you may already know if you're familiar with this blog, I run the service Have I been pwned? (HIBP) which allows people to discover where their personal data has been compromised on ..
---------------------------------------------
http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html
*** VMSA-2015-0003.14 ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0003.html
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 28-10-2015 18:00 − Donnerstag 29-10-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Why Is the NSA Moving Away from Elliptic Curve Cryptography? ***
---------------------------------------------
In August, I wrote about the NSAs plans to move to quantum-resistant algorithms for its own cryptographic needs. Cryptographers Neal Koblitz and Alfred Menezes just published a long paper speculating as to the governments real motives for doing this. They range from some new cryptanalysis of ECC to a political need after the DUAL_EC_PRNG disaster -- to the stated reason...
---------------------------------------------
https://www.schneier.com/blog/archives/2015/10/why_is_the_nsa_.html
*** New DDoS attacks misuse NetBIOS name server, RPC portmap, and Sentinel licensing servers ***
---------------------------------------------
Akamai has observed three new reflection DDoS attacks in recent months: NetBIOS name server reflection, RPC portmap reflection, and Sentinel reflection. In a reflection DDoS attack, also called a D...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/g4MR874bgXg/secworld.php
*** TLS-Zertifikate: Google greift gegen Symantec durch ***
---------------------------------------------
Symantec hatte im September mehrere Tausend unberechtigte TLS-Zertifikate ausgestellt, verschweigt aber zunächst das Ausmaß des Vorfalls. Google zeigt dafür wenig Verständnis und stellt einige Bedingungen für den Verbleib der Symantec-Rootzertifikate im Chrome-Browser. (Symantec, Google)
---------------------------------------------
http://www.golem.de/news/tls-zertifikate-google-greift-gegen-symantec-durch…
*** Jackpotting: Geldautomaten in Deutschland mit USB-Stick ausgeräumt ***
---------------------------------------------
Seit 2010 ist das Plündern von Geldautomaten per USB-Stick bekannt. In Deutschland wurde nun erstmals ein Täter dabei gefilmt, wie er zwei Automaten an einem Tag ausräumte. (Security, Black Hat)
---------------------------------------------
http://www.golem.de/news/jackpotting-geldautomaten-in-deutschland-mit-usb-s…
*** Security: Forscher stellen LTE-Angriffe mit 1.250-Euro-Hardware vor ***
---------------------------------------------
LTE-Netzwerke galten bislang als deutlich sicherer als GSM- und 3G-Netzwerke. Anfang der Woche hat ein Team von Forschern jetzt verschiedene praktische Angriffe vorgestellt, die mit geringen Kosten und kommerzieller Hardware funktionieren sollen. (Security, Smartphone)
---------------------------------------------
http://www.golem.de/news/security-forscher-stellen-lte-angriffe-mit-1-250-e…
*** USB cleaning device for the masses, (Thu, Oct 29th) ***
---------------------------------------------
For so long, USB keys have been a nice out-of-bandinfection vector. People like goodies and people like to plug those small pieces of plastic into their computers. Even if good solutions exists (like BitLocker- the standard solution provided by Microsoft), a lot of infrastructureare not protected against the use ofrogue USB keys for many good or obscure reasons. There are also multiple reasons to receive USB keys: from partners, customers, contractors, vendors, etc. The best practice should be...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20315&rss
*** XEN Security Advisories ***
---------------------------------------------
Advisory | Public release | Updated | Version | CVE(s) | Title
XSA-153 | 2015-10-29 11:59 | 2015-10-29 11:59 | 3 | CVE-2015-7972 | x86: populate-on-demand balloon size inaccuracy can crash guests
XSA-152 | 2015-10-29 11:59 | 2015-10-29 11:59 | 3 | CVE-2015-7971 | x86: some pmu and profiling hypercalls log without rate limiting
XSA-151 | 2015-10-29 11:59 | 2015-10-29 11:59 | 3 | CVE-2015-7969 | x86: leak of per-domain profiling-related vcpu pointer array
XSA-150 | 2015-10-29 11:59 | 2015-10-29...
---------------------------------------------
http://xenbits.xen.org/xsa/
*** Cisco ASR 5500 SAE Gateway Lets Remote Users Cause the Target BGP Process to Restart ***
---------------------------------------------
http://www.securitytracker.com/id/1034024
*** IBM DB2 TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections ***
---------------------------------------------
http://www.securitytracker.com/id/1033991
*** JBoss Operations Network Cassandra JMX/RMI Interface Lets Remote Users Execute Arbitrary Code on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034002
*** DSA-3382 phpmyadmin - security update ***
---------------------------------------------
https://www.debian.org/security/2015/dsa-3382
*** Security Notice - Statement About WormHole Vulnerability in Baidu Apps Preset in Huawei Phones ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Security Advisory - UE Measurement Leak Vulnerability in Huawei P8 Phones ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Security Advisory: OpenSSH vulnerability CVE-2015-5352 ***
---------------------------------------------
(SOL17461)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/17000/400/sol17461.htm…
*** VU#573848: Qolsys IQ Panel contains multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#573848 Qolsys IQ Panel contains multiple vulnerabilities Original Release date: 29 Oct 2015 | Last revised: 29 Oct 2015 Overview All firmware versions of Qolsys IQ Panel contain hard-coded cryptographic keys, do not validate signatures during software updates, and use a vulnerable version of Android OS. Description Qolsys IQ Panel is an Android OS-based touch screen controller for home automation devices and functions. All firmware versions contain the following
---------------------------------------------
http://www.kb.cert.org/vuls/id/573848
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affects IBM SAN Volume Controller and Storwize Family (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005435
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affects SAN Volume Controller and Storwize Family (CVE-2015-1789 CVE-2015-1791 CVE-2015-1788 ) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005434
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Storwize V7000 Unified (CVE-2014-8176, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005314
*** IBM Security Bulletin: Weak file permissions vulnerability affects IBM Tivoli Monitoring for Tivoli Storage Manager (CVE-2015-4927) ***
http://www.ibm.com/support/docview.wss?uid=swg21969340
*** IBM Security Bulletin: A security vulnerability in IBM WebSphere Application Server affects IBM Security Access Manager for Web version 7.0 software installations and IBM Tivoli Access Manager for e-business (CVE-2015-1946) ***
http://www.ibm.com/support/docview.wss?uid=swg21969077
*** IBM Security Bulletin: Vulnerability in RC4 stream cipher affects N-series Data ONTAP (CVE-2015-2808) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005273
*** IBM Security Bulletin: Multiple vulnerabilities in Firefox, affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance (CVE-2015-4497, CVE-2015-4498) ***
http://www.ibm.com/support/docview.wss?uid=swg21968836
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Access Manager for Mobile (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21963711
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 27-10-2015 18:00 − Mittwoch 28-10-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** One in 20 apps on private PCs are end-of-life ***
---------------------------------------------
Secunia Research revealed the state of security for PC users in a total of 14 countries, including the US. One in 20 applications on private US PCs are end-of-life and 12 percent of Windows operating ...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19032
*** Yahoo! crypto! chap! turns! security! code! into! evil! tracker! ***
---------------------------------------------
HTTP Strict Transport Security isnt working as advertised or planned Yahoo! crypto bod Yan Zhu has found twin attacks that allow websites to learn the web histories of visitors users by targeting HTTP Strict Transport Security (HSTS).
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/10/28/sniffly/
*** Update unbedingt installieren: Joomla im Fokus von Angreifern ***
---------------------------------------------
Nutzer von Joomla sollten das in der vergangenen Woche veröffentlichte Update dringend einspielen. Denn Angreifer attackieren aktuell massenweise Webseiten, die eine verwundbare Version einsetzen.
---------------------------------------------
http://heise.de/-2860521
*** Windows 10 Security ***
---------------------------------------------
Windows 10 was launched on July 29th of this year and had been adopted by 75 million users by the end of August. Despite its initial popularity, the adoption rate for the new operating system has slowed down since the time of its launch. While the Windows 10 market share for desktop operating systems climbed...
---------------------------------------------
http://resources.infosecinstitute.com/windows-10-security/
*** Victim of its own success and (ab)used by malwares, (Wed, Oct 28th) ***
---------------------------------------------
This morning, I faced an interesting case. We were notified that one of our computers was doing potentially malicious HTTP requests. The malicious URL was: api.wipmania.com. We quickly checked and detected to many hosts were sendingrequests to this API. It is a website hosted in France which provides geolocalisation services via a text/json/xml API. The usage is pretty quick and">xavier@vps2$curl http://api.wipmania.com/ip_address BE You provide an IP address and it returns its...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20311&rss
*** Certificate Authorities Will Stop Issuing SHA1 Certificates as of January 1 (October 23, 2015) ***
---------------------------------------------
As of midnight January 1, 2016, certificate authorities will cease issuing SHA1 digital certificates...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/17/84/308
*** We set up a simple test page to see how browsers deal with mixed language IDNs. Try it out: http://www.example.xn--comindex-634g.jp/ . Test yours. (sorry, earlier link did not render right), (Tue, Oct 27th) ***
---------------------------------------------
--- Johannes B. Ullrich, Ph.D. STI|Twitter|LinkedIn (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20305&rss
*** DFN-CERT-2015-1672: NTP: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1672/
*** DSA-3381 openjdk-7 - security update ***
---------------------------------------------
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the executionof arbitrary code, breakouts of the Java sandbox, information disclosure,or denial of service.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3381
*** DSA-3380 php5 - security update ***
---------------------------------------------
Two vulnerabilities were found in PHP, a general-purpose scriptinglanguage commonly used for web application development.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3380
*** VU#350508: HP ArcSight SmartConnector fails to properly validate SSL and contains a hard-coded password ***
---------------------------------------------
Vulnerability Note VU#350508 HP ArcSight SmartConnector fails to properly validate SSL and contains a hard-coded password Original Release date: 27 Oct 2015 | Last revised: 27 Oct 2015 Overview The HP ArcSight SmartConnector fails to properly validate SSL certificates, and also contains a hard-coded password. Description CWE-295: Improper Certificate Validation - CVE-2015-2902The ArcSight SmartConnector fails to validate the certificate of the upstream Logger device it is reporting logs to.
---------------------------------------------
http://www.kb.cert.org/vuls/id/350508
*** Security Advisory: PAM vulnerability CVE-2015-3238 ***
---------------------------------------------
(SOL17494)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/17000/400/sol17494.htm…
*** Security Advisory: Datastor kernel vulnerability CVE-2015-7394 ***
---------------------------------------------
(SOL17407)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/17000/400/sol17407.htm…
*** Infinite Automation Systems Mango Automation Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for vulnerabilities in the Infinite Automation Systems Mango Automation application. Infinite Automation Systems has produced a new version to mitigate these vulnerabilities.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02
*** Rockwell Automation Micrologix 1100 and 1400 PLC Systems Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for vulnerabilities in the Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 programmable logic controller (PLC) systems.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 23-10-2015 18:00 − Dienstag 27-10-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Botnets spreading Dridex still active, (Fri, Oct 23rd) ***
---------------------------------------------
Introduction In early September 2015, we started seeing reports about arrests tied to Dridex malware [1, 2]. About that time, we noticed a lack of botnet-based malicious spam (malspam) pushing Dridex malware. During the month of September, Dridex disappeared from our radar. By the beginning of October 2015, malspam pushing Dridex came back [3], and its continued since then. However, organizations still discussed the Dridex takedown, even after Dridex came back. The most recent wave of reporting...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20295&rss
*** Unsichere App-TAN: Sparkasse verteidigt ihr pushTAN-Banking ***
---------------------------------------------
Die Manipulationen beträfen "veraltete Versionsstände der S-pushTAN-App" und tatsächliche Schadensfälle seien unwahrscheinlich, heißt es in einer Stellungnahme der Sparkassen zu einem erfolgreichen Angriff auf ihr AppTAN-Verfahren.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Unsichere-App-TAN-Sparkasse-verteidi…
*** Free and Commercial Tools to Implement the SANS Top 20 Security Controls, Part 5: Malware Defenses ***
---------------------------------------------
This is Part 5 of a How-To effort to compile a list of tools (free and commercial) that can help IT administrators comply with SANS Security Controls. In Part 1 we looked at Inventory of Authorized and Unauthorized Devices. In Part 2 we looked at Inventory of Authorized and Unauthorized Software. In Part 3 we looked at Secure Configurations. In Part 4 we looked at Continuous Vulnerability Assessment and Remediation. Now in Part 5 well take on Malware Defenses. 5-1 Employ automated tools...
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/free-and-commercial-to…
*** Beyond Automated Penetration Testing ***
---------------------------------------------
#WarStoryWednesday Not too long ago, I was tasked with performing an Application Security Assessment while onsite at a client location. I had worked with this client before, and was eager to see how they had matured their applications over the past couple years. Originally, I had performed an Application Security Assessment on an older version...
---------------------------------------------
http://resources.infosecinstitute.com/beyond-automated-penetration-testing/
*** Joomla SQL Injection Attacks in the Wild ***
---------------------------------------------
Last week, the Joomla team released an update patching a serious vulnerability in Joomla 3.x. This vulnerability, an SQL injection (CVE-2015-7858), allows for an attacker to take over a vulnerable site with ease. We predicted that the attacks would start in the wild very soon, due to the popularity of the Joomla platform alongRead More The post Joomla SQL Injection Attacks in the Wild appeared first on Sucuri Blog.
---------------------------------------------
https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.ht…
*** Patch außer der Reihe: Adobe schließt kritische Lücke in Shockwave ***
---------------------------------------------
Angreifer können den Shockwave Player verwenden, um aus der Ferne Schadcode auf Rechner zu schleusen. Adobe bewertet die Lücke mit der höchsten Prioritätsstufe.
---------------------------------------------
http://heise.de/-2860125
*** Intel x86 considered harmful (new paper) ***
---------------------------------------------
Oct 27, 2015 - Joanna Rutkowska | Back in summer I have read a new book published by one of the core Intel architects about the Management Engine (ME). I didnt quite like what I read there. In fact I even found this a bit depressing, even though Intel ME wasnt particular news to me as we, at the ITL, have already studied this topic quite in-depth, so to say, back in 2008... But, as you can see in the linked article, I believed we could use VT-d to protect the host OS from the potentially...
---------------------------------------------
http://blog.invisiblethings.org/2015/10/27/x86_harmful.html
*** Patchday: Updates für Xen-Hypervisor ***
---------------------------------------------
Xen hat einige Lücken in seinem Hypervisor geschlossen. Details werden, wie üblich, erst später bekannt gegeben.
---------------------------------------------
http://www.golem.de/news/patchday-updates-fuer-xen-hypervisor-1510-117152-r…
*** Volkswagen: Hacker deaktivieren Airbag über gefälschte Diagnose-Software ***
---------------------------------------------
Wieder gibt es manipulierte Software bei VW - doch dieses Mal ist der Konzern nicht selbst verantwortlich. Hackern ist es offensichtlich gelungen, die Steuersoftware eines Audi TT so zu manipulieren, dass der Airbag ohne Wissen der Nutzer abgeschaltet werden kann.
---------------------------------------------
http://www.golem.de/news/volkswagen-hacker-deaktivieren-airbag-ueber-gefael…
*** The "Yes, but..." syndrome, (Tue, Oct 27th) ***
---------------------------------------------
This weekend, I worked on a pentest report that was already pending for a while. Im honest: Im lazzy to write reports (like many of us, no?).During a pentest, it is mandatory to keep evidences of all your findings. No only the tools you used and how you used them but as much details as possible (screenshots, logs, videos, papers,etc). Every day, we had a quick debriefing meeting with the customer to make the point about the new findings. The first feedback was often a Yes, but...: Me: We were
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20303&rss
*** JSA10711 - 2015-10 Out of Cycle Security Bulletin: NTP.org announcement of multiple vulnerabilities. ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10711&actp=RSS
*** Bugtraq: [security bulletin] HPSBGN03429 rev.1 - HP Arcsight Logger, Remote Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536749
*** Bugtraq: [security bulletin] HPSBGN03428 rev.1 - HP Asset Manager, Local Disclosure of Sensitive Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536748
*** DSA-3377 mysql-5.5 - security update ***
---------------------------------------------
Several issues have been discovered in the MySQL database server. Thevulnerabilities are addressed by upgrading MySQL to the new upstreamversion 5.5.46. Please see the MySQL 5.5 Release Notes and OraclesCritical Patch Update advisory for further details:...
---------------------------------------------
https://www.debian.org/security/2015/dsa-3377
*** DSA-3378 gdk-pixbuf - security update ***
---------------------------------------------
Several vulnerabilities have been discovered in gdk-pixbuf, a toolkitfor image loading and pixel buffer manipulation. The CommonVulnerabilities and Exposures project identifies the following problems:...
---------------------------------------------
https://www.debian.org/security/2015/dsa-3378
*** Security Notice - Statement on the Huawei Honor phone Vulnerability Mentioned at the GeekPwn Conference ***
---------------------------------------------
Oct 25, 2015 09:27
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Secure Access Control Server Input Validation Flaw Lets Remote Conduct Cross-Site Scripting Attacks ***
http://www.securitytracker.com/id/1033968
*** Cisco Secure Access Control Server Input Validation Flaw Lets Remote Authenticated Users Inject SQL Commands ***
http://www.securitytracker.com/id/1033967
*** Cisco Secure Access Control Server RBAC Flaw Lets Remote Authenticated Users Modify Dashboard Portlets on the Target System ***
http://www.securitytracker.com/id/1033971
*** Cisco Secure Access Control Server RBAC Flaw Lets Remote Authenticated Users Obtain System Administrator Reports and Status ***
http://www.securitytracker.com/id/1033970
*** Cisco Secure Access Control Server DOM Statement Input Validation Flaw Lets Remote Conduct Cross-Site Scripting Attacks ***
http://www.securitytracker.com/id/1033969
*** Siemens Rugged Operating System (ROS) Ethernet Frame Padding Bug Lets Remote Users on the Local Network Obtain Potentially Sensitive VLAN Information ***
---------------------------------------------
http://www.securitytracker.com/id/1033973
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 22-10-2015 18:00 − Freitag 23-10-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Red Hat CVE Database Revamp ***
---------------------------------------------
Since 2009, Red Hat has provided details of vulnerabilities with CVE names as part of our mission to provide as much information around vulnerabilities that affect Red Hat products as possible. These CVE pages distill information from a variety ..
---------------------------------------------
https://securityblog.redhat.com/2015/10/22/red-hat-cve-database-revamp/
*** Hack.lu 2015 Wrap-Up Day #3 ***
---------------------------------------------
I just drove back to home after the 11th edition of hack.lu. As always, it was an amazing event organized by, amongst others, many team members of the CIRCL. So, let's write a quick wrap-up for this third day. Some talk will be less covered due to interesting chat sessions with a lot of infosec peers. Lik ..
---------------------------------------------
https://blog.rootshell.be/2015/10/22/hack-lu-2015-wrap-up-day-3/
*** Oracle Critical Patch Update Advisory - October 2015 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
*** Janitza UMG Power Quality Measuring Products Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on September 22, 2015, and is being released to the ICS-CERT web site. This advisory provides mitigation details for several vulnerabilities in the Janitza UMG power quality measuring products. Janitza has produced new firmware and new documentation to mitigate these vulnerabilities.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-265-03
*** 5E5: Die nächste runde Ticketnummer ***
---------------------------------------------
Es ist soweit: unser Ticketsystem hat wieder eine symbolische Grenze überschritten: Wir haben das Ticket #500000 behandelt:Date: Thu Oct 22 11:07:54 2015Queue: InvestigationsSubject: [CERT.at #500000] SSDP-Service aus dem Internet erreichbar in AS12635 Was bedeuten diese Zahlen? Und was nicht? Wir bekommen und senden ..
---------------------------------------------
http://www.cert.at/services/blog/20151023103846-1610.html
*** Forscher demontieren App-TANs der Sparkasse ***
---------------------------------------------
"Komfortabel, aber leider unsicher" - so lässt sich das Ergebnis eines Forschungsprojekts zu den von immer mehr Banken angebotetenen App-basierten TAN-Verfahren zusammenfassen. Die Online-Banking-Apps der Sparkasse haben sie bereits geknackt.
---------------------------------------------
http://heise.de/-2853492
*** CCTV botnets proliferate due to unchanged default factory credentials ***
---------------------------------------------
Incapsula researchers have uncovered a botnet consisting of some 9,000 CCTV cameras located around the world, which was being used to target, among others, one of the companys clients with HTTP flood...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19020
*** PMASA-2015-5 ***
---------------------------------------------
Content spoofing vulnerability when redirecting user to an external siteAffected VersionsVersions 4.4.x (prior to 4.4.15.1) and 4.5.x (prior to 4.5.1) are affected.CVE ID2015-7873
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2015-5/
*** Malvertising-Kampagne verteilt Exploit-Kit über ebay.de ***
---------------------------------------------
Betrüger sollen aktuell Werbenetzwerke missbrauchen, um Exploit-Kits über Werbeanzeigen auf etwa ebay.de und t-online.de zu verteilen.
---------------------------------------------
http://heise.de/-2853882
Aufgrund des Feiertages am kommenden Montag, den 26.10.2015, erscheint der nächste End-of-Shift Report erst am 27.10.2015.
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 21-10-2015 18:00 − Donnerstag 22-10-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco ASA Software DNS Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the DNS code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected system to reload.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco ASA Software DNS Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the DNS code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected system to reload.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Google Moving Gmail to Strict DMARC Implementation ***
---------------------------------------------
Google said it will move gmail.com to a policy of rejecting any messages that don't pass the authentication checks spelled out in the DMARC specification.
---------------------------------------------
http://threatpost.com/google-moving-gmail-to-strict-dmarc-implementation/11…
*** IBM Runs World's Worst Spam-Hosting ISP? ***
---------------------------------------------
This author has long sought to shame Web hosting and Internet service providers who fail to take the necessary steps to keep spammers, scammers and other online neer-do-wells ..
---------------------------------------------
http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp
*** Apple Releases Updates for iOS, WatchOS, OS X, Safari and iTunes. ***
---------------------------------------------
Apple published one of its usual updates for everything. Below I took a shot at a quick summary. You can find ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20285
*** Drupal Core - Overlay - Less Critical - Open Redirect - SA-CORE-2015-004 ***
---------------------------------------------
The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.
---------------------------------------------
https://www.drupal.org/SA-CORE-2015-004
*** jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-158 ***
---------------------------------------------
The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004).
---------------------------------------------
https://www.drupal.org/node/2598426
*** Hack.lu 2015 Wrap-Up Day #2 ***
---------------------------------------------
Here we go with my wrap-up for the second day. After some coffee and pastries, the day started hardly with a very technical talk. Samuel Chevet & Clement Rouault presented their research about Windows local kernel debugging. Kernel debugging ..
---------------------------------------------
https://blog.rootshell.be/2015/10/21/hack-lu-2015-wrap-up-day-2/
*** E-Mail-Sicherheit: Was Provider beitragen können ***
---------------------------------------------
https://www.rtr.at/de/inf/E_Mail_Sicherheit05112015
*** Drahtlose Infektion: Erste Malware für Fitnesstracker entwickelt ***
---------------------------------------------
Übertragung auf Fitbit Flex in zehn Sekunden möglich – Schadsoftware befällt PC von Opfer
---------------------------------------------
http://derstandard.at/2000024345670
*** Geplante Obsoleszenz: Diese Software lässt Computer rasend schnell altern ***
---------------------------------------------
Forscher haben ein Programm entwickelt, das Prozessoren in kurzer Zeit so abnutzt, dass sie unbrauchbar werden. Mögliche Nutznießer: Hersteller, Kunden - oder Militärs.
---------------------------------------------
http://www.golem.de/news/geplante-obsoleszenz-diese-software-laesst-compute…
*** [20151001] - Core - SQL Injection ***
---------------------------------------------
http://developer.joomla.org/security-centre/628-20151001-core-sql-injection…
*** [20151002] - Core - ACL Violations ***
---------------------------------------------
http://developer.joomla.org/security-centre/629-20151002-core-acl-violation…
*** [20151003] - Core - ACL Violations ***
---------------------------------------------
http://developer.joomla.org/security-centre/630-20151003-core-acl-violation…
*** [2015-10-22] Lime Survey Multiple Critical Vulnerabilities ***
---------------------------------------------
Lime Survey contains multiple vulnerabilities which can be used by unauthenticated attackers to execute administrative functions. Moreover, in certain conditions unauthenticated attackers can run arbitrary PHP code and gain access to the filesystem and the Lime Survey database.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015…
*** NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability ***
---------------------------------------------
Unauthenticated off-path attackers can force ntpd processes to peer with malicious time sources of the attacker's choosing allowing the attacker to make arbitrary changes to system time. This attack leverages a logic error in ntpd's handling of ..
---------------------------------------------
http://talosintel.com/reports/TALOS-2015-0069/
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 20-10-2015 18:00 − Mittwoch 21-10-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** VMSA-2015-0003.13 ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0003.html
*** APPLE-SA-2015-10-20-1 OS X: Flash Player plug-in blocked ***
---------------------------------------------
Due to security issues in older versions, Apple has updated the
web plug-in blocking mechanism to disable all versions prior to
Flash Player 19.0.0.226 and 18.0.0.255.
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2015/Oct/msg00001.ht…
*** VMSA-2015-0007.2 ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0007.html
*** Oracle Linux Bulletin - October 2015 ***
---------------------------------------------
Oracle Linux Bulletin - October 2015
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719…
*** New Headaches: How The Pawn Storm Zero-Day Evaded Java's Click-to-Play Protection ***
---------------------------------------------
Several months ago, we disclosed that Pawn Storm was using a then-undiscovered zero-day Java vulnerability to carry out its attacks. At the time, we noted that a separate vulnerability was used to bypass the click-to-play protection that is in use by Java. This second vulnerability has now been ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-ho…
*** Multiple vulnerabilities in SAP products ***
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-532/http://www.zerodayinitiative.com/advisories/ZDI-15-531/http://www.zerodayinitiative.com/advisories/ZDI-15-530/http://www.zerodayinitiative.com/advisories/ZDI-15-529/http://www.zerodayinitiative.com/advisories/ZDI-15-528/http://www.zerodayinitiative.com/advisories/ZDI-15-527/http://www.zerodayinitiative.com/advisories/ZDI-15-526/
*** G DATA Malware Report - January - June 2015 ***
---------------------------------------------
The G Data SecurityLabs published the Malware Report for the first half of 2015. Here are the most important findings.
---------------------------------------------
https://blog.gdatasoftware.com/blog/article/g-data-malware-report-january-j…
*** EMET: To be, or not to be, A Server-Based Protection Mechanism ***
---------------------------------------------
Hi Folks - Platforms PFE Dan Cuomo here to discuss a common question seen in the field: 'My customer is deploying EMET and would like to know if it is supported on Server Operating Systems.' On the surface there is a simple answer to this question, ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2015/10/20/emet-to-be-or-not-to-be-a…
*** Hack.lu 2015 Wrap-Up Day #1 ***
---------------------------------------------
Today started the 11th edition of hack.lu in Luxembourg. Being one of my preferred event, I drove to Luxembourg this morning direction to the Alvisse Parc hotel! The first day started with a security breakfast and a round ..
---------------------------------------------
https://blog.rootshell.be/2015/10/20/hack-lu-2015-wrap-up-day-1/
*** Flash, Java Patches Fix Critical Holes ***
---------------------------------------------
Adobe has issued a patch to fix a zero-day vulnerability in its Flash Player software. Separately, Oracle today released an update to plug more than two-dozen flaws in its Java software. Both programs plug directly into the browser and are ..
---------------------------------------------
http://krebsonsecurity.com/2015/10/flash-java-patches-fix-critical-holes/
*** Online-Banking: Neue Angriffe auf die mTAN ***
---------------------------------------------
Betrüger haben wieder einmal eine Methode gefunden, um Daten von Kunden beim Online-Banking abzugreifen und das mTAN-System auszuhebeln.
---------------------------------------------
http://heise.de/-2851624
*** Microsoft startet Bug-Bounty-Programm für .NET Core und ASP.NET ***
---------------------------------------------
Bis zum 20. Januar 2016 können Entwickler im Rahmen des Programms auf Sicherheitslücken in den Betas der CoreCLR und ASP.NET 5 hinweisen. Gute Lösungsvorschläge sind Microsoft bis zu 15.000 US-Dollar wert.
---------------------------------------------
http://heise.de/-2851587
*** Gwolle Guestbook <= 1.5.3 - Remote File Inclusion (RFI) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8218
*** High-Tech Bridge launches free PCI and NIST compliant SSL test ***
---------------------------------------------
High-Tech Bridge is pleased to announce availability of its new online service to test SSL/TLS server security and configuration for compliance with NIST and PCI DSS.
---------------------------------------------
https://www.htbridge.com/news/high-tech-bridge-launches-free-pci-and-nist-c…
*** Metadaten-Leak: 1Password stellt Dateiformat um ***
---------------------------------------------
Nutzer der Abgleichfunktion "1Password Anywhere" hinterließen unter Umständen eine Liste mit den von ihnen verwendeten Websites im Netz. Ein neues Dateiformat für den Passworttresor soll Abhilfe schaffen.
---------------------------------------------
http://heise.de/-2851618
*** IniNet Solutions embeddedWebServer Cleartext Storage Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a cleartext storage of sensitive information vulnerability in the IniNet Solutions GmbH embeddedWebServer.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-293-01
*** IniNet Solutions SCADA Web Server Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for three vulnerabilities in the IniNet Solutions GmbH SCADA Web Server.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-293-02
*** 3S CODESYS Gateway Null Pointer Exception Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a null pointer exception vulnerability in the 3S-Smart Software Solutions GmbH CODESYS Gateway Server.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-293-03
*** Angriffe auf Magento-Shops über bereits bekannte Lücken ***
---------------------------------------------
Die aktuellen Angriffe auf Tausende von Magento-Webseiten finden wohl über Lücken statt, für die bereits Patches existieren. Außerdem werden auch Seiten angegriffen, die Magento gar nicht einsetzen.
---------------------------------------------
http://heise.de/-2851842
*** Hacking Challenge: Staatsdruckerei sucht IT-Talente ***
---------------------------------------------
Die Österreichische Staatsdruckerei veranstaltet auf der Karrieremesse des Campus Hagenberg der FH OÖ eine Hacking Challenge mit dem Ziel, junge IT-Talente zu finden.
---------------------------------------------
http://futurezone.at/digital-life/hacking-challenge-staatsdruckerei-sucht-i…
*** Kampagnen Malvertising Campaign Goes After German Users ***
---------------------------------------------
Malvertising targets German users via carefully crafted attack to dupe ad networks...)
---------------------------------------------
https://blog.malwarebytes.org/malvertising-2/2015/10/kampagnen-malvertising…
*** Trend Micro kauft Tipping Point ***
---------------------------------------------
Mit Tipping Point verleibt sich der Antiviren-Hersteller auch die Zero Day Initiative (ZDI) und die Digital Vaccine Labs ein. Tipping Point, bisher Teil von HP, ist unter anderem auch als Sponsor der Pwn2Own-Events bekannt.
---------------------------------------------
http://heise.de/-2851848
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 19-10-2015 18:00 − Dienstag 20-10-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Joomla! - Important Security Announcement - Patch Available Soon ***
---------------------------------------------
A Joomla 3.4.5 release containing a security fix will be published on Thursday 22nd October at approximately 14:00 UTC The Joomla Security Strike Team (JSST) has been informed of a critical security issue in the Joomla core. Since this is a *very important security fix*, please be prepared to update your Joomla installations next Thursday.
---------------------------------------------
https://www.joomla.org/announcements/release-news/5633-important-security-a…
*** JSA10700 - 2015-10 Security Bulletin: Junos: J-Web in SRX5000-Series: A remote attacker can cause a denial of service to SRX5000-Series when J-Web is enabled causing the SRX to enter debug prompt. (CVE-2014-6451) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10700&actp=RSS
*** ZDI-15-525: Foxit Reader Forms Out-Of-Bounds Read Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-525/
*** ZDI-15-524: Foxit Reader Forms Out-Of-Bounds Read Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-524/
*** Lets Encrypt: Cross-Sign mit Identtrust abgeschlossen ***
---------------------------------------------
Let's Encrypt hat einen neuen Meilenstein erreicht: Der Cross-Sign mit Identtrust ist abgeschlossen. Ab Mitte November soll der Dienst für die breite Öffentlichkeit verfügbar sein.
---------------------------------------------
http://www.golem.de/news/let-s-encrypt-cross-sign-mit-identtrust-abgeschlos…
*** DSA-3375 wordpress - security update ***
---------------------------------------------
Several vulnerabilities have been fixed in Wordpress, the popularblogging engine.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3375
*** Android 6.0: Verschlüsselung wird verpflichtend ***
---------------------------------------------
Einen zweiten Anlauf nimmt Google zur Absicherung von Android-Smartphones und Tablets: Mit Android 6.0 müssen – fast – alle neuen Geräte von Haus aus verschlüsselt werden, dies schreibt die neueste Version des Android Compatibility Definition Document vor.
---------------------------------------------
http://derstandard.at/2000024183416
*** Hacking ZigBee Networks ***
---------------------------------------------
What is ZigBee? Internet of Things (IoT) is what most experts consider as the next step of the Internet revolution where physical objects are invariably linked to the real and virtual world at the same time. Connected devices now ..
---------------------------------------------
http://resources.infosecinstitute.com/hacking-zigbee-networks/
*** OpenSSH: Erster Code von SSH für Windows frei verfügbar ***
---------------------------------------------
Die portable Version des aktuellen OpenSSH 7.1 stellt Microsoft nun auch für Windows bereit. Interessierte können außerdem künftig zu dem Projekt beitragen. Der produktive Einsatz soll noch in der ersten Jahreshälfte 2016 möglich sein.
---------------------------------------------
http://www.golem.de/news/openssh-erster-code-von-ssh-fuer-windows-frei-verf…
*** How a criminal ring defeated the secure chip-and-PIN credit cards ***
---------------------------------------------
Over $680,000 stolen via a clever man-in-the-middle attack.
---------------------------------------------
http://arstechnica.com/tech-policy/2015/10/how-a-criminal-ring-defeated-the…
*** .:: Attacking Ruby on Rails Applications ::. ***
---------------------------------------------
This little article aims to give an introduction to the topic of attacking Ruby on Rails applications. Its neither complete nor dropping 0day. Its rather the authors attempt to accumulate the interesting attack paths and techniques in one write up. As yours truly spend most of his work on Ruby ..
---------------------------------------------
http://phrack.org/papers/attacking_ruby_on_rails.html
*** Korrupter Silk-Road-Ermittler zu über sechs Jahren Haft verurteilt ***
---------------------------------------------
Seine verdeckten Ermittlungen gegen den Drogenmarktplatz Silk Road nutzte ein US-Beamter für eigene kriminelle Machenschaften. Unter anderem wegen Erpressung und Geldwäsche muss er nun ins Gefängnis.
---------------------------------------------
http://heise.de/-2851334
*** Tech Support Scammers Impersonate Apple Technicians ***
---------------------------------------------
By setting up a phishing site for Apples remote sharing service, this tech support scam looks quite genuine.
---------------------------------------------
https://blog.malwarebytes.org/fraud-scam/2015/10/tech-support-scammers-impe…
*** There's no place like ::1 - Malware for the masses ***
---------------------------------------------
Analyzing malware samples provided by customers usually leads to interesting results. Recently, an HP customer downloaded something via Microsoft Internet Explorer and provided the sample analyzed in this blog. In some cases, analysis of these types of samples provides insight into previously unknown ..
---------------------------------------------
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-s-no-place-lik…
*** Das BSI nimmt sich der Router-Sicherheit an ***
---------------------------------------------
Das BSI hat ein Testkonzept vorgestellt, das die Sicherheit von Endkunden-Routern vergleichbar machen soll. Die 'wesentliche Sicherheitskomponente zum Schutz des internen Netzes' soll endlich sicher werden.
---------------------------------------------
http://heise.de/-2851354
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 16-10-2015 18:00 − Montag 19-10-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** eFast browser hijacks file associations ***
---------------------------------------------
We take a look at an Eorezo/Tuto4PC hijacker that installs a new browser called eFast rather than hijacking an existing one.
---------------------------------------------
https://blog.malwarebytes.org/online-security/2015/10/efast-browser-hijacks…
*** Surveillance Malware Trends: Tracking Predator Pain and HawkEye ***
---------------------------------------------
Malicious actors employ a range of tools to achieve their objectives. One of the most damaging activities an actor pursues is the theft of authentication information, whether it ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-tre…
*** SDG Technologies Plug and Play SCADA XSS Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public disclosure of a cross-site scripting vulnerability with proof-of-concept (PoC) exploit code affecting SDG Technologies Plug and Play SCADA, a supervisory control and data acquisition/human-machine ..
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-15-288-01
*** DSA-3373 owncloud - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in ownCloud, a cloud storageweb service for files, music, contacts, calendars and many more. These flaws may lead to the execution of arbitrary code, authorization bypass,information disclosure, cross-site scripting or denial of service.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3373
*** Massive Magento Guruincsite Infection ***
---------------------------------------------
We are currently seeing a massive attack on Magento sites where hackers inject malicious scripts that create iframes from 'guruincsite[.]com'. Google already blacklisted about seven thousand sites because of this malware. There are two ..
---------------------------------------------
https://blog.sucuri.net/2015/10/massive-magento-guruincsite-infection.html
*** New Neutrino EK Campaign Drops Andromeda ***
---------------------------------------------
On October 15th, we started seeing a new pattern of redirections to the Neutrino Exploit Kit via compromised websites. What actually caught our attention was one of the file names used to inject an iframe pointing to the exploit kit landing page. Ironically, it was called neitrino.php.
---------------------------------------------
https://blog.malwarebytes.org/exploits-2/2015/10/new-neutrino-ek-campaign-d…
*** Freies Unix: OpenBSD 5.8 zähmt das System ***
---------------------------------------------
Etwas eher als üblich ist OpenBSD auf den Tag genau 20 Jahre nach der Projektgründung erschienen. Für bessere Sicherheit wird das NX-Bit nun auch in der 32-Bit-X86-Architektur genutzt, der Sudo-Befehl ist ersetzt worden und das System kann offiziell gezähmt werden.
---------------------------------------------
http://www.golem.de/news/freies-unix-openbsd-5-8-zaehmt-das-system-1510-116…
*** 1Password Leaks Your Data ***
---------------------------------------------
For those of you who don't know, 1PasswordAnywhere is a feature of 1Password which allows you to access your data without needing their client software. 1Password originally only used the �Agile Keychain� format to store their data (not including when they were OS X keychain only). This format basically stores your data as a series of JavaScript files which are decrypted ..
---------------------------------------------
http://myers.io/2015/10/22/1password-leaks-your-data/
*** Staatliche Hackerangriffe: Facebook will seine Nutzer warnen ***
---------------------------------------------
Facebook will von staatlichen Angriffen bedrohte Nutzer künftig warnen und ihnen den Einsatz von Zwei-Faktor-Authentifizeriung empfehlen. Bei der Klarnamenpflicht bleibt das Unternehmen aber bei seiner Position.
---------------------------------------------
http://www.golem.de/news/staatliche-hackerangriffe-facebook-will-seine-nutz…
*** Supporting the Android Ecosystem ***
---------------------------------------------
A few months ago, a widely-publicized set of vulnerabilities called StageFright hit the Android ecosystem. While Google fixed the vulnerabilities in what appears to be a reasonable amount of time, the deployment of those fixes to ..
---------------------------------------------
https://insights.sei.cmu.edu/cert/2015/10/supporting-the-android-ecosystem.…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 15-10-2015 18:00 − Freitag 16-10-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security Updates Available for Adobe Flash Player (APSB15-27) ***
---------------------------------------------
A security bulletin (APSB15-27) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1288
*** Exposing the most dangerous financial malware threats ***
---------------------------------------------
Cyphort analyzed the top eight types of financial malware cybercriminals are using today to target banks and electronic payment systems. The most dangerous financial malware threats have resulted i...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/otxCIk5qeu4/malware_news.…
*** Data dump points to a breach at Electronic Arts ***
---------------------------------------------
Account details of some 600 Electronic Arts (EA) customers have apparently been leaked on Pastebin. The company has yet to confirm that the leak is genuine, but they are "taking steps to secure any ac...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/-grCjlQtA4c/secworld.php
*** Enhanced Mitigation Experience Toolkit (EMET) version 5.5 Beta is now available ***
---------------------------------------------
Enhanced Mitigation Experience Toolkit (EMET) version 5.5 Beta is now available The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, terminating, blocking, or otherwise invalidating the most common actions and techniques adversaries might use to compromise a computer. In this way, EMET can help protect your...
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2015/10/15/enhanced-mitigation-exper…
*** Windows Drivers are True'ly Tricky ***
---------------------------------------------
Posted by James Forshaw, Driving for BugsAuditing a product for security vulnerabilities can be a difficult challenge, and there's no guarantee you'll catch all vulnerabilities even when you do. This post describes an issue I identified in the Windows Driver code for Truecrypt, which has already gone through a security audit. The issue allows an application running as a normal user or within a low-integrity sandbox to remap the main system drive and elevate privileges to SYSTEM or...
---------------------------------------------
http://googleprojectzero.blogspot.com/2015/10/windows-drivers-are-truely-tr…
*** Breaking Diffie-Hellman with Massive Precomputation (Again) ***
---------------------------------------------
The Internet is abuzz with this blog post and paper, speculating that the NSA is breaking the Diffie-Hellman key-exchange protocol in the wild through massive precomputation. I wrote about this at length in May when this paper was first made public. (The reason its news again is that the paper was just presented at the ACM Computer and Communications Security...
---------------------------------------------
https://www.schneier.com/blog/archives/2015/10/breaking_diffie.html
*** Auch Ubuntu Phone hat seine Sicherheitslücken ***
---------------------------------------------
Eine App aus dem Ubuntu Phone Store hat eine Sicherheitslücke aufgezeigt, mit der Angreifer die komplette Kontrolle über die Geräte der Opfer hätte erlangen können. Stattdessen ändert die App nur den Boot-Splash.
---------------------------------------------
http://heise.de/-2849370
*** Elasticsearch 1.7.3 released ***
---------------------------------------------
Today, we are happy to announce the bug fix release of Elasticsearch 1.7.3, based on Lucene 4.10.4. This is the latest stable release. Users are advised to upgrade if they find themselves affected by any of the bugs which have been fixed.You can download Elasticsearch 1.7.3 and read the full changes list here.Previous blog posts about the 1.7 series:Elasticsearch 1.7.2Elasticsearch 1.7.1Elasticsearch 1.7.0This release contains a number of bug fixes including:Synced flushes were reactivating...
---------------------------------------------
https://www.elastic.co/blog/elasticsearch-1-7-3-released
*** VMSA-2015-0003.12 ***
---------------------------------------------
VMware product updates address critical information disclosure issue in JRE
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0003.html
*** Bugtraq: [security bulletin] HPSBUX03512 SSRT102254 rev.1 - HP-UX Web Server Suite running Apache, Remote Denial of Service (DoS) and Other Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536687
*** Bugtraq: [security bulletin] HPSBOV03503 rev.1 - HP OpenVMS CSWS_JAVA running Tomcat, Multiple Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536689
*** Updated F5 Security Advisory: OpenSSL vulnerability CVE-2014-0224 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/300/sol15325.htm…
*** F5 Security Advisory: vCMP DoS vulnerability CVE-2015-6546 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/17000/300/sol17386.htm…
*** APPLE-SA-2015-10-15-1 Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 ***
---------------------------------------------
APPLE-SA-2015-10-15-1 Keynote 6.6, Pages 5.6, Numbers 3.6, andiWork for iOS 2.6Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 are nowavailable which address the following:Keynote, Pages, and NumbersAvailable for: OS X Yosemite v10.10.4 or later, iOS 8. [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2015/Oct/msg00000.ht…
*** USN-2772-1: PostgreSQL vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-2772-116th October, 2015postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryPostgreSQL could be made to crash or expose private information if ithandled specially crafted data.Software description postgresql-9.1 - Object-relational SQL database postgresql-9.3 - Object-relational SQL database postgresql-9.4 - Object-relational SQL...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2772-1/
*** 3S CODESYS Runtime Toolkit Null Pointer Dereference Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a NULL pointer dereference vulnerability in the 3S-Smart Software Solutions GmbHs CODESYS Runtime Toolkit.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-288-01
*** Bugtraq: Qualys Security Advisory - LibreSSL (CVE-2015-5333 and CVE-2015-5334) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536692
*** Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111) ***
---------------------------------------------
Topic: Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111) Risk: Medium Text:Source: https://code.google.com/p/google-security-research/issues/detail?id=486 Windows: Sandboxed Mount Reparse Point Crea...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015100120
*** Bugtraq: ERPSCAN Research Advisory [ERPSCAN-15-017] SAP NetWeaver J2EE DAS service - Unauthorized Access ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536695
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 14-10-2015 18:00 − Donnerstag 15-10-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Zero-Day in Magento Plugin Magmi Under Attack ***
---------------------------------------------
A zero-day in a popular plugin for the Magento ecommerce platform called Magmi is under attack.
---------------------------------------------
http://threatpost.com/zero-day-in-magento-plugin-magmi-under-attack/115026/
*** Security Advisory for Adobe Flash Player (APSA15-05) ***
---------------------------------------------
A Security Advisory (APSA15-05) has been published regarding a critical vulnerability (CVE-2015-7645) in Adobe Flash Player 19.0.0.207 and earlier versions for Windows, Macintosh and Linux. Adobe is aware of a report that an exploit for this vulnerability is being used...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1280
*** Kritische Flash-Lücke: Adobe stellt Patch in Aussicht ***
---------------------------------------------
Einer Sicherheitsfirma zufolge greift die Gruppe Pawn Storm derzeit gezielt aktuelle Flash-Versionen über eine Zero-Day-Lücke an. Adobe hat nun einen Patch angekündigt.
---------------------------------------------
http://heise.de/-2847993
*** Exploit kit roundup: Less Angler, more Nuclear, (Thu, Oct 15th) ***
---------------------------------------------
Introduction Earlier this month, Ciscos Talos team published an in-depth report on the Angler exploit kit (EK) [1]. The report also documentedCiscos coordination with hosting providers to shut down malicious servers associated with this EK. The result? Ive found far less Angler EK in the last two...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20255&rss
*** How is NSA breaking so much crypto? ***
---------------------------------------------
However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community. Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.
---------------------------------------------
https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so…
*** HTTP Evasions Explained - Part 5 - GZip Compression ***
---------------------------------------------
This is the fifth part in a series which will explain the evasions done by HTTP Evader. This part is about failures to handle gzip compression properly. Contrary to deflate compression all products Ive seen are able to handle gzip compression in theory. But several major products fail if you set some special bits, invalidate the checksum, remove some bytes from the end etc. But, the browsers unpack the content anyway so we get a bypass again.
---------------------------------------------
http://noxxi.de/research/http-evader-explained-5-gzip.html
*** Existing security standards do not sufficiently address IoT ***
---------------------------------------------
A lack of clarity and standards around Internet of Things (IoT) security is leading to a lack of confidence. According to the UK IT professionals surveyed by ISACA, 75 percent of the security exper...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/624P7Nfkph8/secworld.php
*** IETF verabschiedet Standard für die Absicherung des verschlüsselten Mail-Transports ***
---------------------------------------------
Die Spezifikation DANE over SMTP hat nur zwei Jahre für ihre Standardisierung benötigt. Das Bundesamt für Sicherheit und Informationstechnik fordert nun bereits von zertifizierten Mail-Providern die Umsetzung des DANE-Verfahrens.
---------------------------------------------
http://heise.de/-2848049
*** Juniper Security Advisories ***
---------------------------------------------
*** JSA10695 - 2015-10 Security Bulletin: Junos: Multiple privilege escalation vulnerabilities in Python on Junos (CVE-2014-6448) ***
http://kb.juniper.net/index?page=content&id=JSA10695&actp=RSS
*** JSA10702 - 2015-10 Security Bulletin: QFabric 3100 Director: CUPS printing system Improper Update of Reference Count leads to remote chained vulnerability attack via XSS against authenticated users (CVE-2015-1158, CVE-2015-1159) ***
http://kb.juniper.net/index?page=content&id=JSA10702&actp=RSS
*** JSA10706 - 2015-10 Security Bulletin: Junos: FTPS through SRX opens up wide range of data channel TCP ports (CVE-2015-5361) ***
http://kb.juniper.net/index?page=content&id=JSA10706&actp=RSS
*** JSA10701 - 2015-10 Security Bulletin: Junos: Trio Chipset (Trinity) Denial of service due to maliciously crafted uBFD packet. (CVE-2015-7748) ***
http://kb.juniper.net/index?page=content&id=JSA10701&actp=RSS
*** JSA10700 - 2015-10 Security Bulletin: Junos: J-Web in vSRX-Series: A remote attacker can cause a denial of service to vSRX when J-Web is enabled causing the vSRX instance to reboot. (CVE-2014-6451) ***
http://kb.juniper.net/index?page=content&id=JSA10700&actp=RSS
*** JSA10703 - 2015-10 Security Bulletin: Junos: vSRX-Series: A remote attacker can cause a persistent denial of service to the vSRX through a specific connection request to the firewalls host-OS.(CVE-2015-7749) ***
http://kb.juniper.net/index?page=content&id=JSA10703&actp=RSS
*** JSA10708 - 2015-10 Security Bulletin: Junos: SSH allows unauthenticated remote user to consume large amounts of resources (CVE-2015-7752) ***
http://kb.juniper.net/index?page=content&id=JSA10708&actp=RSS
*** JSA10704 - 2015-10 Security Bulletin: ScreenOS: Network based denial of service vulnerability in ScreenOS (CVE-2015-7750) ***
http://kb.juniper.net/index?page=content&id=JSA10704&actp=RSS
*** JSA10707 - 2015-10 Security Bulletin: Junos: Corrupt pam.conf file allows unauthenticated root access (​CVE-2015-7751) ***
http://kb.juniper.net/index?page=content&id=JSA10707&actp=RSS
*** JSA10705 - 2015-10 Security Bulletin: CTPView: Multiple Vulnerabilities in CTPView ***
http://kb.juniper.net/index?page=content&id=JSA10705&actp=RSS
*** JSA10699 - 2015-10 Security Bulletin: Junos: Crafted packets cause mbuf chain corruption which may result in kernel panic (CVE-2014-6450) ***
http://kb.juniper.net/index?page=content&id=JSA10699&actp=RSS
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in GNU glibc affect IBM Security Network Intrusion Prevention System (CVE-2013-2207, CVE-2014-8121, and CVE-2015-1781 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21966788
*** IBM Security Bulletin: A vulnerability in net-snmp affects IBM Security Network Intrusion Prevention System (CVE-2015-5621) ***
http://www.ibm.com/support/docview.wss?uid=swg21966694
*** IBM Security Bulletin: IBM NetInsight is impacted by multiple vulnerabilities in open source cURL libcurl (CVE-2015-3153, CVE-2015-3236) ***
http://www.ibm.com/support/docview.wss?uid=swg21967448
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor (CVE-2015-2601, CVE-2015-2613, CVE-2015-2625, CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21968048
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Information Server (CVE-2015-1931 CVE-2015-2601 CVE-2015-2613 CVE-2015-2625) ***
http://www.ibm.com/support/docview.wss?uid=swg21964927
*** IBM Security Bulletin: IBM Personal Communications with IBM GSKit - Malformed ECParameters causes infinite loop (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21962890
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor (CVE-2015-1789, CVE-2015-1790, CVE-2015-1792) ***
http://www.ibm.com/support/docview.wss?uid=swg21968046
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational Team Concert Build Agent (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2014-8176) ***
http://www.ibm.com/support/docview.wss?uid=swg21968724
*** IBM Security Bulletin: Logjam vulnerability affects IBM SmartCloud Entry (CVE-2015-4000) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022754
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor (CVE-2015-0488) ***
http://www.ibm.com/support/docview.wss?uid=swg21968052
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-0488 CVE-2015-0478 CVE-2015-1916 CVE-2015-0204) ***
http://www.ibm.com/support/docview.wss?uid=swg21963609
*** IBM Security Bulletin: Cross Site Scripting (XSS) Vulnerability in IBM Sametime Rich Client and in IBM Sametime Proxy (CVE-2015-1917) ***
http://www.ibm.com/support/docview.wss?uid=swg21965839
*** Security Advisory: Stored XSS in Akismet WordPress Plugin ***
---------------------------------------------
Security Risk: Dangerous Exploitation Level: Easy/Remote DREAD Score: 9/10 Vulnerability: Stored XSS Patched Version: 3.1.5 During a routine audit for our WAF, we discovered a critical stored XSS vulnerability affecting Akismet, a popular WordPress plugin deployed by millions of installs. Vulnerability Disclosure Timeline: October 2nd, 2015 - Bug discovered, initial report to Automattic security team October 5th, 2015...
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/abpAvnfFREc/security-advisory…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 13-10-2015 18:00 − Mittwoch 14-10-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Patchday: Adobe schließt kritische Lücken in Flash und Reader ***
---------------------------------------------
Sicherheitslücken in beiden Produkten erlauben es Angreifern, den Rechner des Opfers aus der Ferne zu kapern. Bei Flash werden insgesamt 13 Lücken durch die Updates geschlossen, bei Acrobat und Reader sind es 56 Lücken.
---------------------------------------------
http://heise.de/-2845079
*** Nach Patchday: Flash über neue Sicherheitslücke immer noch angreifbar ***
---------------------------------------------
Eine Sicherheitsfirma berichtet von gezielten Angriffen, die momentan stattfinden und eine Zero-Day-Lücke in der aktuellen Flash-Version für Windows missbrauchen.
---------------------------------------------
http://heise.de/-2846807
*** MS15-OCT - Microsoft Security Bulletin Summary for October 2015 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for October 2015.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS15-OCT
*** Microsoft Patch Tuesday - October 2015 ***
---------------------------------------------
This month the vendor is releasing six bulletins covering a total of 33 vulnerabilities. Thirteen of this months issues are rated Critical.
---------------------------------------------
http://www.symantec.com/connect/blogs/microsoft-patch-tuesday-october-2015
*** Redirect to Microsoft Word Macro Virus ***
---------------------------------------------
These days we rarely see Microsoft Word malware on websites, but it still exists and compromised websites can distribute this kind of malware as well. It's not just email attachments when it comes to sharing infected documents. For example, this malicious file was found on a hacked Joomla site by our analyst Krasimir Konov.
---------------------------------------------
https://blog.sucuri.net/2015/10/redirect-to-microsoft-word-macro-virus.html
*** The Web Authentication Arms Race - A Tale of Two Security Experts ***
---------------------------------------------
Web authentication systems have evolved over the past ten years to counter a growing variety of threats. This post will present a fictional arms race between a web application developer and an attacker, showing how different threats can be countered with the latest security technologies.
---------------------------------------------
http://blog.slaks.net/2015-10-13/web-authentication-arms-race-a-tale-of-two…
*** MSRT October 2015: Tescrypt ***
---------------------------------------------
Octobers Microsoft Malicious Software Removal Tool (MSRT) includes detection and remediation for the following families: Tescrypt Blakamba Diplugem Escad Joanap Brambul Drixed This blog focuses on the ransomware family Tescrypt. Tescrypt started showing up early in 2015 and, like most of its file-encrypting predecessors, it does what most typical ransomware does: Searches for specific file types on the infected machine (see our encyclopedia description for a list of known file extensions
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2015/10/13/msrt-october-2015-tescry…
*** AndroidVulnerabilities.org - Calculating the score ***
---------------------------------------------
We developed the FUM score to compare the security provided by different device manufacturers. The score gives each Android manufacturer a score out of 10 based on the security they have provided to their customers over the last four years.
---------------------------------------------
http://androidvulnerabilities.org/
*** AV Phone Scan via Fake BSOD Web Pages, (Tue, Oct 13th) ***
---------------------------------------------
A few days ago, I found a malicious website which triesto lure the visitor by simulating a Microsoft Windows Blue Screen of Death(BSOD) and popping up error messages within their browser. This is not a brand new attack but it remains in the wild. For a while, we saw Microsoft engineers calling people to warn them about an important problem with their computer (I blogged about this last year). In this case, it is different: the computer itself warns the user about a security issue and users...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20251&rss
*** Injection on Steroids: Code-less Code Injections and 0-Day Techniques ***
---------------------------------------------
In this talk, we discuss known-yet-complex and less documented code injection techniques. We further expose additional new user- and kernel-mode injection techniques. One of these techniques we've coined as "code-less code injection" since, as opposed to other known injection techniques, does not require adding code to the injected process. We also reveal an additional kernel-mode code injection which is a variation to the technique used by the AVs. However, as we demonstrate,...
---------------------------------------------
http://breakingmalware.com/injection-techniques/code-less-code-injections-a…
*** On (OAuth) token hijacks for fun and profit part #2 (Microsoft/xxx integration) ***
---------------------------------------------
In a previous blogpost we have already analyzed a token hijack on one OAuth integration between some Microsoft and Google service and seen what went wrong. Now it is time to see yet another integration between Microsoft and xxxx (unluckily I cant disclose the name of the other company due the fact the havent still fixed a related issue...) and see some fallacy. But before to focus on the attack we might need a bit of introduction.
---------------------------------------------
http://intothesymmetry.blogspot.ie/2015/10/on-oauth-token-hijacks-for-fun-a…
*** VU#870744: ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#870744 ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities Original Release date: 13 Oct 2015 | Last revised: 13 Oct 2015 Overview Several models of ZyXEL routers are vulnerable to multiple issues, including weak default passwords, command injections due to improper input validation, and cross-site scripting. Description CWE-255: Credentials Management - CVE-2015-6016According to the reporter, the following models contain the weak...
---------------------------------------------
http://www.kb.cert.org/vuls/id/870744
*** KerioControl Input Validation and Access Control Flaws Let Remote Users Conduct Cross-Site Request Forgery, Cross-Site Scripting, and SQL Injection Attacks and Remote Authenticated Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1033807