=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 13-01-2016 18:00 − Donnerstag 14-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** SlemBunk Part II: Prolonged Attack Chain and Better-Organized Campaign ***
---------------------------------------------
Our follow-up investigation of a nasty Android banking malware we identified at the tail end of last year has not only revealed that the trojan is more persistent than we initially realized - thus making for a much more dangerous threat - but that it is also being used as part of an ongoing and evolving campaign.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/01/slembunk-part-two.html
*** Faulty ransomware renders files unrecoverable, even by the attacker ***
---------------------------------------------
A cybercriminal has built a ransomware program based on proof-of-concept code released online, but messed up the implementation, resulting in victims files being completely unrecoverable.Researchers from antivirus vendor Trend Micro recently ..
---------------------------------------------
http://www.cio.com/article/3022159/faulty-ransomware-renders-files-unrecove…
*** As easy as Citrix123 - hacker claims he popped Citrixs CMS ***
---------------------------------------------
And once he was in, it became possible to pour malware onto all customers, allegedly A Russian hacker claims he broke into systems run by Citrix, and gained access to potentially a huge number of customers.
---------------------------------------------
www.theregister.co.uk/2016/01/13/ruskie_hacker_pops_citrix/
*** Ex-NSA-Chef: Hintertüren für Verschlüsselung sind eine furchtbare Idee ***
---------------------------------------------
Michael Hayden widerspricht den Forderungen von FBI-Boss James Comey
---------------------------------------------
http://derstandard.at/2000029033330
*** RedHen CRM - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-002 ***
---------------------------------------------
The Redhen set of modules allows you to build a CRM features in a Drupal site.When rendering individual Contacts, this module does not properly filter the certain data prior to display. When rendering listing of notes or engagement scores, ..
---------------------------------------------
https://www.drupal.org/node/2649800
*** Cisco kämpft mit statischem Passwort und fixt kritische Lücken ***
---------------------------------------------
In Ciscos Identity Services Engine klafft eine als kritisch und eine als hoch eingestufte Schwachstelle. Neben der Wireless-LAN-Controller-Software sind auch noch Aironet-Basisstationen der 1800-Serie verwundbar. Sicherheitsupdates stehen bereit.
---------------------------------------------
http://heise.de/-3070756
*** Angriff der Cyber-Eichhörnchen ***
---------------------------------------------
Eichhörnchen sind eine größere Gefahr für Internet- und Stromleitungen als Hacker. Das zeigt die Webseite CyberSquirrel1 auf augenzwinkernde Art und Weise.
---------------------------------------------
http://www.golem.de/news/internet-und-stromausfaelle-angriff-der-cyber-eich…
*** OpenSSL version 1.1.0 pre release 2 published ***
---------------------------------------------
OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 2 has now been made available. For details of changes and known issues see the release ..
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2016-January/000057.html
*** Triple-Seven: OpenSSH-Schwachstelle leakt geheime Schlüssel ***
---------------------------------------------
Eine unfertige Option, die bei OpenSSH seit 2010 standardmäßig aktiviert ist, führt dazu, dass gekaperte Server die geheimen Schlüssel der sich verbindenden Nutzer auslesen können. Updates, welche die Lücke schließen, stehen bereit.
---------------------------------------------
http://heise.de/-3071372
*** Ransomware a Threat to Cloud Services, Too ***
---------------------------------------------
Ransomware -- malicious software that encrypts the victims files and holds them hostage unless and until the victim pays a ransom in Bitcoin -- has emerged as a potent and increasingly common threat online. But many Internet users are unaware that ransomware also can just as easily seize control over files stored on cloud services.
---------------------------------------------
http://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-to…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 12-01-2016 18:00 − Mittwoch 13-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security Bulletins Posted for Adobe Acrobat and Reader ***
---------------------------------------------
Security Bulletins for Adobe Acrobat and Reader (APSB16-02) have been published. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. This posting ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1311
*** There Goes The Neighborhood - Bad Actors on GMHOST Alexander Mulgin Serginovic ***
---------------------------------------------
Whether they encourage it or not, some network operators become known and favored by criminals such as those that operate exploit kit (EK) and malware infrastructure. After ..
---------------------------------------------
http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.h…
*** MS16-JAN - Microsoft Security Bulletin Summary for January 2016 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-JAN
*** Raising the Dead ***
---------------------------------------------
It's a bit late for Halloween but the ability to resurrect the dead (processes that is) is an interesting type of security issue when dealing with multi-user Windows systems such as Terminal Servers. Specifically this blog is about this issue which I reported to Microsoft and was fixed in bulletin ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/01/raising-dead.html
*** FortiOS SSH Undocumented Interactive Login Vulnerability ***
---------------------------------------------
http://www.fortiguard.com/advisory/fortios-ssh-undocumented-interactive-log…
*** Ransomware Strikes Websites ***
---------------------------------------------
Ransomware is one of the most insidious types of malware that one can come across. These infections will encrypt all files on the target computer as well as any hard drives connected to the machine - pictures, videos, text files - you ..
---------------------------------------------
https://blog.sucuri.net/2016/01/ransomware-strikes-websites.html
*** Triaging the exploitability of IE/EDGE crashes ***
---------------------------------------------
Both Internet Explorer (IE) and Edge have seen significant changes in order to help protect customers from security threats. This work has featured a number of mitigations that together have not only rendered classes of vulnerabilities not-exploitable, but also dramatically raised the cost ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2016/01/12/triaging-the-exploitabili…
*** Die smarte Türklingel verrät das WLAN-Passwort ***
---------------------------------------------
Eine Gegensprechanlage, die mit dem Smartphone zusammenarbeitet. Klingt eigentlich praktisch, doch leider weist das Gerät Sicherheitsmängel auf, wie Hacker jetzt herausfanden.
---------------------------------------------
http://www.golem.de/news/internet-of-things-die-smarte-tuerklingel-verraet-…
*** Backdoor bei Fortinet vermutet: Firma spricht von Lücke ***
---------------------------------------------
Alternative Login-Methode in Software entdeckt – Patch bereits 2014 veröffentlicht
---------------------------------------------
http://derstandard.at/2000028972976
*** A Case of Too Much Information: Ransomware Code Shared Publicly for 'Educational Purposes', Used Maliciously Anyway ***
---------------------------------------------
Researchers, whether independent or from security vendors, have a responsibility to properly disseminate the information they gathered to help the industry as well as users. Even with the best intentions, improper disclosure of sensitive information ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/a-case-of-too-mu…
*** Security: Verizon routet 4 Millionen Spammer-IPs ***
---------------------------------------------
IPv4-Adressen sind ein knappes Gut. Doch der US-Anbieter Verizon reagiere trotzdem nicht auf Missbrauchsmitteilungen, kritisiert eine Sicherheitsfirma.
---------------------------------------------
http://www.golem.de/news/security-verizon-routet-4-millionen-spammer-ips-16…
*** [HTB23279]: Multiple SQL Injection Vulnerabilities in mcart.xls Bitrix Module ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered multiple SQL Injection vulnerabilities in mcart.xls Bitrix module, which can be exploited to execute arbitrary SQL queries and obtain potentially sensitive data, modify information in database and gain complete control over the vulnerable website.
---------------------------------------------
https://www.htbridge.com/advisory/HTB23279
*** [HTB23283]: Remote Code Execution in Roundcube ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in a popular webmail client Roundcube. Vulnerability can be exploited to gain access to sensitive information and under certain circumstances to execute arbitrary code and totally compromise the vulnerable server.
---------------------------------------------
https://www.htbridge.com/advisory/HTB23283
*** Hacking Team's Leak Helped Researchers Hunt Down a Zero-Day ***
---------------------------------------------
Researchers at Kaspersky Lab have, for the first time, discovered a valuable zero-day exploit after intentionally going on the hunt for it.
---------------------------------------------
http://www.wired.com/2016/01/hacking-team-leak-helps-kaspersky-researchers-…
*** Denial-of-Service Flaw Patched in DHCP ***
---------------------------------------------
The Internet Systems Consortium (ISC) on Tuesday patched a denial-of-service vulnerability in numerous versions of DHCP.
---------------------------------------------
http://threatpost.com/denial-of-service-flaw-patched-in-dhcp/115875/
*** The SLOTH attack and IKE/IPsec ***
---------------------------------------------
Executive Summary: The IKE daemons in RHEL7 (libreswan) and RHEL6 (openswan) are not vulnerable to the SLOTH attack. But the attack is still interesting to look at . The SLOTH attack released today is a new transcript collision attack against ..
---------------------------------------------
https://securityblog.redhat.com/2016/01/13/the-sloth-attack-and-ikeipsec/
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 11-01-2016 18:00 − Dienstag 12-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised ***
---------------------------------------------
Exploit Kits (EK), arguably the most impactful malicious infrastructure on the Internet, constantly evolve to evade detection by security technology. Tremendous effort has been spent on tracking new variations of different EK families. In ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/01/angler-exploit-kit-conti…
*** Mac OS X, iOS, and Flash Had the Most Discovered Vulnerabilities in 2015 ***
---------------------------------------------
Interesting analysis: Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apples Mac OS X, with 384 vulnerabilities. The runner-up? Apples iOS, with 375 vulnerabilities. Rounding out the top five are Adobes Flash Player, with 314 vulnerabilities; Adobes AIR ..
---------------------------------------------
https://www.schneier.com/blog/archives/2016/01/mac_os_x_ios_an.html
*** DSA-3440 sudo - security update ***
---------------------------------------------
When sudo is configured to allow a user to edit files under a directory that they can already write to without using sudo, they can actuallyedit (read and write) arbitrary files. Daniel Svartman reported that aconfiguration like this might ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3440
*** Ransom32 - look at the malicious package ***
---------------------------------------------
Ransom32 is a new ransomware implemented in a very atypical style. In our post, we will focus on some implementation details of the malicious package.
---------------------------------------------
https://blog.malwarebytes.org/intelligence/2016/01/ransom32-look-at-the-mal…
*** Say 'Cyber' again - Ars cringes through CSI: Cyber ***
---------------------------------------------
CBS endangered cyber-procedural: Plane hacking! Software defined radio! White noise! OMG!
---------------------------------------------
http://arstechnica.com/the-multiverse/2016/01/say-cyber-again-ars-cringes-t…
*** McAfee Application Control - The dinosaurs want their vuln back ***
---------------------------------------------
The experts of the SEC Consult Vulnerability Lab conducted research in the field of the security of application whitelisting in critical infrastructures. In the course of that research the security of McAfee Application Control was checked.The experts developed several methods to bypass the provided protections ..
---------------------------------------------
http://blog.sec-consult.com/2016/01/mcafee-application-control-dinosaurs.ht…
*** (ISC)2 SecureAustria ***
---------------------------------------------
How can we know what we are protecting if we struggle to understand and keep up with how we and our organizations are changing? It�s time to get a grip on the far-reaching and fundamental changes that are occurring in business today.
---------------------------------------------
https://www.sba-research.org/events/isc2-secureaustria/
*** Sicherheit: Aus für alte IE-Versionen trifft jeden fünften Webnutzer ***
---------------------------------------------
Über die Jahre hat Microsoft eine Fülle unterschiedlicher Versionen des Internet Explorers veröffentlicht. Nun entledigt man sich der Support-Pflichten für einen großen Teil derselben: Ab sofort liefert Microsoft keinerlei Updates mehr für Internet Explorer 8 bis 10.
---------------------------------------------
http://derstandard.at/2000028882047
*** Cops Say They Can Access Encrypted Emails on So-Called PGP BlackBerrys ***
---------------------------------------------
Dutch investigators have confirmed to Motherboard that they are able to read encrypted messages sent on PGP BlackBerry phones�custom, security-focused BlackBerry devices that come complete with an encrypted email feature, and which reportedly may be used by organized criminal groups.
---------------------------------------------
https://motherboard.vice.com/read/cops-say-they-can-access-encrypted-emails…
*** Ongoing Sophisticated Malware Campaign Compromising ICS (Update C) ***
---------------------------------------------
This alert update is a follow-up to the updated NCCIC/ICS-CERT Alert titled ICS-ALERT-14-281-01B Ongoing Sophisticated Malware Campaign Compromising ICS that was published December 10, 2014, on the ICS-CERT web site. | ICS-CERT has identified a sophisticated malware campaign that has compromised numerous ..
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B
*** Experts warn Neutrino and RIG exploit kit activity spike ***
---------------------------------------------
Security experts at Heimdal Security are warning a spike in cyber attacks leveraging the popular Neutrino and RIG exploit kit. Cyber criminals always exploit new opportunities and users' bad habits, now crooks behind the recent campaigns relying on Neutrino and RIG exploit kits are ramping up attacks ..
---------------------------------------------
http://securityaffairs.co/wordpress/43482/cyber-crime/neutrino-rig-exploit-…
*** Group using DDoS attacks to extort business gets hit by European law enforcement ***
---------------------------------------------
On 15 and 16 December, law enforcement agencies from Austria, Bosnia and Herzegovina, Germany and the United Kingdom joined forces with Europol in the framework of an operation against the ...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19314
*** Schwere Sicherheitslücken im Passwort-Manager von Trend Micro ***
---------------------------------------------
Google-Forscher Tavis Ormandy deckt wieder einmal Schwachstellen in Anti-Viren-Software auf. Bei Trend Micro stellt er konsterniert fest: "Das Lächerlichste, was ich je gesehen habe."
---------------------------------------------
http://heise.de/-3069140
*** UPC: Standard-WLAN-Passwörter kinderleicht zu knacken ***
---------------------------------------------
Neuer Hack erlaubt Berechnung basierend auf der ESSID – UPC prüft Klage gegen Sicherheitsforscher.
---------------------------------------------
http://derstandard.at/2000028921659
*** An Easy Way for Hackers to Remotely Burn Industrial Motors ***
---------------------------------------------
Devices that control the speed of industrial motors operating water plant pumps and other equipment can be remotely hacked and destroyed.
---------------------------------------------
http://www.wired.com/2016/01/an-easy-way-for-hackers-to-remotely-burn-indus…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 08-01-2016 18:00 − Montag 11-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** GM Asks Friendly Hackers to Report Its Cars' Security Flaws ***
---------------------------------------------
The auto giant becomes the first in Detroit to extend an olive branch to car hackers.
---------------------------------------------
http://www.wired.com/2016/01/gm-asks-friendly-hackers-to-report-its-cars-se…
*** STIX - Looking at a Campaign, Part 1 ***
---------------------------------------------
Now we come to a useful application of STIX: characterizing a campaign.
---------------------------------------------
http://www.scmagazine.com/stix--looking-at-a-campaign-part-1/article/464093/
*** ZDI-16-007: McAfee Application Control Kernel Driver Memory Corruption Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of McAfee Application Control. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-007/
*** Advancing the Security of Juniper Products ***
---------------------------------------------
BOB WORRALL, SVP CHIEF INFORMATION OFFICER makes provides more detail on the ScreenOS investigation and security steps being taken with Junos and across Juniper.
---------------------------------------------
http://forums.juniper.net/t5/Security-Incident-Response/Advancing-the-Secur…
*** Virtual Bitlocker Containers, (Sat, Jan 9th) ***
---------------------------------------------
This week, I gotan interestingquestion from a customer: What do you recommend to safely store files in a directoryon my laptop?. They are plenty of ways to achievethis, the right choice depending on the encryption reliability, the ease of use and ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20593
*** MMD-0049-2016 - A case of java trojan (downloader/RCE) for remote minerd hack ***
---------------------------------------------
This is a short post for supporting the takedown purpose. Warning: Sorry, theres nothing fancy nor "in-depth analysis" in here :-) The scheme is so bad, so I think its best for all to know for mitigation and hardening purpose. In this case, a bad actor was ..
---------------------------------------------
http://blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.ht…
*** Studie: Mittelstand unterschätzt Gefahr durch Cyber-Kriminalität ***
---------------------------------------------
Die Schäden steigen, das Bewusstsein für IT-Sicherheit nicht: Laut einer Studie schützen sich Mittelständler nur unzureichend gegen IT-Angriffe. Dabei zwingt sie der Gesetzgeber längst zum Handeln.
---------------------------------------------
http://heise.de/-3067640
*** Jänner-Update: Google schließt kritische Lücken in Android ***
---------------------------------------------
Google scheint seinen Sicherheits-Update-Rhythmus gefunden zu haben – zumindest wenn es um die eigenen Geräte geht. Aktuell liefert Google das Jänner-Update für Android an die Smartphones und Tablets der Nexus-Linie aus.
---------------------------------------------
http://derstandard.at/2000028786638
*** NSA-Spionagevorwürfe: Juniper verspricht weitere Updates ***
---------------------------------------------
Vom US-Geheimdienst eingebrachter Zufallszahlengenerator wird aus Netzwerk-Betriebssystem entfernt
---------------------------------------------
http://derstandard.at/2000028789875
*** A Look Inside Cybercriminal Call Centers ***
---------------------------------------------
Crooks who make a living via identity theft schemes, dating scams and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they dont speak fluently. Enter the ..
---------------------------------------------
http://krebsonsecurity.com/2016/01/a-look-inside-cybercriminal-call-centers/
*** Android: Schadsoftware aus Play Store hunderttausendfach installiert ***
---------------------------------------------
Geht es um Android-Malware fällt der Ratschlag für die Nutzer meist recht simpel aus: Wer auf die Installation von Apps aus unsicheren Quellen verzichtet, ist üblicherweise auch nicht gefährdet. Doch in einem aktuellen Fall ist es Angreifern nun gelungen, die Sicherheitschecks des Play Store auszutricksen.
---------------------------------------------
http://derstandard.at/2000028774967
*** Hackerangriff auf Rechenzentrumsbetreiber Interxion ***
---------------------------------------------
Im Dezember kam es zu einem Einbruch auf das eigene CRM-System
---------------------------------------------
http://derstandard.at/2000028816801
*** Klickbetrug: Unter dem Deckmantel der Cookie-Warnung ***
---------------------------------------------
Online-Gauner verstecken sich im wahrsten Sinne des Wortes hinter Cookie-Warnungen und sammeln so Klicks auf Werbeanzeigen ein.
---------------------------------------------
http://heise.de/-3067995
*** OAuth2 & OpenID - HTTPS Bicycle Attack ***
---------------------------------------------
The OAuth 2.0 protocol allows users to grant relying parties access to resources at identity providers. In addition to being used for this kind of authorization, OAuth is also often employed for authentication in single sign-on (SSO) systems. OAuth 2.0 is, in fact, one of the most widely used ..
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010064
*** PHP-Updates über alle Versionen beheben einige Sicherheitsprobleme ***
---------------------------------------------
Die Macher der Skriptsprache empfehlen den Nutzern von PHP 7.0, 5.5 und 5.6 die Installation der aktuellen Security-Releases. Gleichzeitig gibt ein Blick auf GitHub und das PHP-Wiki eine Vorschau auf kommende Funktionen in PHP 7.1.
---------------------------------------------
http://heise.de/-3068170
*** DSA-3438 xscreensaver - security update ***
---------------------------------------------
It was discovered that unplugging one of the monitors in a multi-monitorsetup can cause xscreensaver to crash. Someone with physical access toa machine could use this problem to bypass a locked session.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3438
*** Unverschlüsselte CMS-Updates: Drupal gelobt Besserung ***
---------------------------------------------
Das Update-Verfahren des beliebten Content Management Systems Drupal liefert Aktualisierungen unverschlüsselt aus. Ein Problem, das seit Jahren bekannt ist und von Angreifern missbraucht werden kann, um Seiten zu kapern.
---------------------------------------------
http://heise.de/-3068105
*** About CVE-2015-8518: SAP Adaptive Server Enterprise Extended Stored Procedure Unauthorized Invocation ***
---------------------------------------------
SAP released an update for SAP ASE 16.0 and 15.7 that addresses a serious security flaw discovered by Martin Rakhmanov, lead security researcher at Trustwave, that has been around for a long time. Suppose there is a user joe in...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/About-CVE-2015-8518--SAP-Ada…
*** How Nvidia breaks Chrome Incognito ***
---------------------------------------------
When I launched Diablo III, I didn't expect the pornography I had been looking at hours previously to be splashed on the screen. But that's exactly what replaced the black loading screen. Like a scene from hollywood, the game temporarily froze as it launched, preventing any attempt to clear the screen. The game unfroze just before clearing the screen, and I was able to grab a screenshot (censored with bright red):
---------------------------------------------
https://charliehorse55.wordpress.com/2016/01/09/how-nvidia-breaks-chrome-in…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 07-01-2016 18:00 − Freitag 08-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-02) ***
---------------------------------------------
A prenotification Security Advisory (APSB16-02) has been posted regarding upcoming updates for Adobe Acrobat and Reader scheduled for Tuesday, January 12, 2016. We will continue to provide updates on the upcoming release via the Security Advisory as well as the...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1308
*** Android-powered smart TVs targeted by malicious apps ***
---------------------------------------------
Smart TVs running older versions of Android are being targeted by several websites offering apps containing malware, according to Trend Micro.The security vendor wrote on Thursday that it found a handful of app websites targeting people in the U.S. and Canada by offering the malicious apps.The apps are exploiting a flaw in Android that dates to 2014, showing that many smart TVs do not have the latest patches."Most smart TVs today use older versions of Android, which still contain this...
---------------------------------------------
http://www.cio.com/article/3020357/android-powered-smart-tvs-targeted-by-ma…
*** Good news, OAuth is almost secure ***
---------------------------------------------
Boffins turn up a couple of protocol vulns in Facebooks login stanard German boffins believe there are protocol flaws in Facebooks ubiquitous OAuth protocol that render it vulnerable to attack.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/08/good_news_o…
*** Anschlussmissbrauch durch schwerwiegende Lücke bei o2 ***
---------------------------------------------
Seit über einem Jahr versucht o2 eine Schwachstelle im DSL-Netz zu schließen, durch die man fremde VoIP-Anschlüsse kapern kann. Bisher ist das nur zum Teil gelungen.
---------------------------------------------
http://heise.de/-3066225
*** Checkpoint chaps hack whacks air-gaps flat ***
---------------------------------------------
Bought a shiny IP KVM? Uh-oh 32c3 Checkpoint malware men Yaniv Balmas and Lior Oppenheim have developed an air gap-hopping malware system that can quietly infect, plunder, and maintain persistence on networked and physically separated computers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/08/checkpoint_…
*** Streaming-Dongle EZCast öffnet Hintertür ins Heimnetzwerk ***
---------------------------------------------
Sicherheitsforscher haben Schwachstellen im HDMI-Dongle EZCast entdeckt. Über die können sich Angreifer Zugang zum Heimnetzwerk des Anwenders verschaffen - unabhängig davon, wie gut das Netz sonst geschützt ist.
---------------------------------------------
http://heise.de/-3066210
*** Sicherheitspatches: VMware unterbindet Rechteausweitung ***
---------------------------------------------
VMware dichtet seine Anwendungen ESXi, Fusion, Player und Workstation ab. Die abgesicherten Versionen stehen für Linux, OS X und Windows bereit. Von der Lücke scheint aber nur Windows bedroht zu sein.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Sicherheitspatches-VMware-unterbinde…
*** Blocking Shodan isnt some sort of magical fix that will protect your data ***
---------------------------------------------
Earlier this week, a threat alert from Check Point singled out Shodan as a risk to enterprise operations. The advisory warns Check Point customers about the service, highlighting some of the instances where sensitive data was exposed to the public because Shodan indexed it. When asked about the advisory [archive], Ron Davidson, Head of Threat Intelligence and Research at Check Point, said the company was seeing an increase in the variety and frequency of suspect scans, "including scanners...
---------------------------------------------
http://www.csoonline.com/article/3020108/techology-business/blocking-shodan…
*** Apple beseitigt gravierende QuickTime-Sicherheitslücken für Windows ***
---------------------------------------------
Angreifer können mit Hilfe einer manipulierten Videodatei Schadcode einschleusen, erklärt Apple. Das Update beseitigt die Schwachstellen in Windows 7 und Vista.
---------------------------------------------
http://heise.de/-3067145
*** Cracking Damn Insecure and Vulnerable App (DIVA) - Part 2: ***
---------------------------------------------
In the previous article, we have seen the solutions for the first two challenges. In this article we will discuss the insecure data storage vulnerabilities in DIVA.
---------------------------------------------
http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable…
*** rt-sa-2015-005 ***
---------------------------------------------
o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2015-005.txt
*** VMSA-2016-0001 ***
---------------------------------------------
VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0001.html
*** PHP Bugs May Let Remote Users Obtain Potentially Sensitive Information, Gain Elevated Privileges, or Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1034608
*** APPLE-SA-2016-01-07-1 QuickTime 7.7.9 ***
---------------------------------------------
APPLE-SA-2016-01-07-1 QuickTime 7.7.9[Re-sending with a valid signature]QuickTime 7.7.9 is now available and addresses the following:QuickTimeAvailable for: Windows 7 and Windows VistaImpact: Viewing a maliciously crafted movie file may lead to an [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00001.ht…
*** DFN-CERT-2016-0001: Mozilla Firefox, Network Security Services, OpenSSL, GnuTLS: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0001/
*** USN-2865-1: GnuTLS vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-2865-18th January, 2016gnutls26, gnutls28 vulnerabilityA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryGnuTLS could be made to expose sensitive information over the network.Software description gnutls26 - GNU TLS library gnutls28 - GNU TLS library DetailsKarthikeyan Bhargavan and Gaetan Leurent discovered that GnuTLS incorrectlyallowed MD5 to be used for TLS 1.2 connections. If a remote...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2865-1/
*** Bugtraq: [security bulletin] HPSBUX03435 SSRT102977 rev.1 - HP-UX Web Server Suite running Apache, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537254
*** Security Advisory: Privilege escalation vulnerability CVE-2015-7393 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/75/sol75136237.html?…
*** Security Advisory: BIG-IP AOM password sync vulnerability CVE-2015-8611 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05272632.html?…
*** Security Advisory: F5 Path MTU Discovery vulnerability CVE-2015-7759 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/22/sol22843911.html?…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 05-01-2016 18:00 − Donnerstag 07-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Ab Dienstag: Aus für Internet Explorer 8, 9 und 10 ***
---------------------------------------------
Microsoft stellt ab dem 12. Jänner den Support für die veralteten Internet-Explorer-Versionen 8,9 und 10 ein. Diese erhalten künftig keine Updates mehr.
---------------------------------------------
http://futurezone.at/produkte/ab-dienstag-aus-fuer-internet-explorer-8-9-un…https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
*** Site Updates: ISC/DShield API and ipinfo_ascii.html Page, (Wed, Jan 6th) ***
---------------------------------------------
We are planning a couple of updates to the ways data can be retrieved automatically from this site. The main reason for this is to make it easier for us to maintain and support some of these features. The main idea will be that we focus automatic data retrieval to our API (isc.sans.edu/api or dshield.org/api). It should be the only place that is used to have scripts retrieve data. In the past, we had a couple of other pages that supported automatic data retrieval. For example, ipinfo_ascii.html...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20577&rss
*** How long is your password? HTTPS Bicycle attack reveals that and more ***
---------------------------------------------
Get your 2FA on, slackers A new attack on supposedly secure communication streams raises questions over the resilience of passwords, security researchers warn.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/06/https_bicyc…
*** Mozilla warns Firefox fans its SHA-1 ban could bork their security ***
---------------------------------------------
Protection mechanism screws other protection mechanisms. What a tangled web we weave Mozilla has warned Firefox users they may be cut off from more of the web than expected - now that the browser rejects new HTTPS certificates that use the weak SHA-1 algorithm.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/07/mozilla_war…https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-…
*** MD5/SHA1: Sloth-Angriffe nutzen alte Hash-Algorithmen aus ***
---------------------------------------------
Neue Angriffe gegen TLS: Krypto-Forscher präsentieren mit Sloth mehrere Schwächen in TLS-Implementierungen und im Protokoll selbst. Am kritischsten ist ein Angriff auf Client-Authentifizierungen mit RSA und MD5.
---------------------------------------------
http://www.golem.de/news/md5-sha1-sloth-angriffe-nutzen-alte-hash-algorithm…
*** Encrypted Blackphone Patches Serious Modem Flaw ***
---------------------------------------------
msm1267 writes: Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the devices modem and perform any number of actions. Researchers at SentinelOne discovered an open socket on the Blackphone that an attacker could abuse to intercept calls, set call forwarding, read SMS messages, mute the phone and more. Blackphone is marketed toward privacy-conscious users; it includes...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/ocmLGjQf8XY/encrypted-black…
*** OS-X-Security-and-Privacy-Guide ***
---------------------------------------------
This is a collection of thoughts on securing a modern Apple Mac computer using OS X 10.11 "El Capitan", as well as steps to improving online privacy. This guide is targeted to "power users" who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.
---------------------------------------------
https://github.com/drduh/OS-X-Security-and-Privacy-Guide
*** Drupal - Insecure Update Process ***
---------------------------------------------
Just a few days after installing Drupal v7.39, I noticed there was a security update available: Drupal v7.41. This new version fixes an open redirect in the Drupal core. In spite of my Drupal update process checking for updates, according to my local instance, everything was up to date: Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.
---------------------------------------------
http://blog.ioactive.com/2016/01/drupal-insecure-update-process.html
*** Jetzt Update installieren: WordPress behebt XSS-Lücke ***
---------------------------------------------
Über eine Cross-Site-Scripting-Schwachstelle können Angreifer WordPress-Installationen kompromittieren. Betroffen sind alle Versionen bis einschließlich WordPress 4.4.
---------------------------------------------
http://heise.de/-3065193https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance…
*** AVM-Router: Fritzbox-Lücke erlaubt Telefonate auf fremde Kosten ***
---------------------------------------------
Durch eine kritische Lücke in den Fritzboxen können Angreifer etwa Telefonate auf fremde Rechnung führen und Code als Root ausführen. Die Lücke hat AVM bereits geschlossen, die Details wurden jedoch bis heute unter Verschluss gehalten.
---------------------------------------------
http://heise.de/-3065588
*** A new, open source tool proves: Even after patching, deserializing will still kill you ***
---------------------------------------------
Whats the problem here? ... When deserializing most objects, the code calls ObjectInputStream#resolveClass() as part of the process. This method is where all the patches and hardening against recent exploits take place. Because that method is never involved in deserializing Strings, anyone can use this to attack an application thats "fully patched" against the recent spate of attacks.
---------------------------------------------
https://www.contrastsecurity.com/security-influencers/java-deserializing-op…
*** rt-sa-2015-001 ***
---------------------------------------------
AVM FRITZ!Box: Remote Code Execution via Buffer Overflow
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2015-001.txt
*** rt-sa-2014-014 ***
---------------------------------------------
AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2014-014.txt
*** Bugtraq: [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499) ***
---------------------------------------------
[SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499)
---------------------------------------------
http://www.securityfocus.com/archive/1/537244
*** DFN-CERT-2016-0023: Node.js-WS: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0023/
*** DFN-CERT-2016-0028: Shotwell: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0028/
*** DFN-CERT-2016-0004: Mozilla Thunderbird, Debian Icedove: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
Version 3 (2016-01-05 17:52) | Debian stellt für die Distributionen Wheezy (old stable), Jessie (stable) und Stretch (testing) Sicherheitsupdates auf die Icedove Version 38.5.0 bereit. Die Schwachstellen CVE-2015-7210 und CVE-2015-7222 werden von diesen nicht adressiert.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/
*** Security Advisory: QEMU vulnerability CVE-2012-3515 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/13/sol13405416.html?…
*** Security Advisory: Out-of-bounds memory vulnerability with the BIG-IP APM system CVE-2015-8098 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43552605.html?…
*** DSA-3435 git - security update ***
---------------------------------------------
Blake Burkhart discovered that the Git git-remote-ext helper incorrectlyhandled recursive clones of git repositories. A remote attacker couldpossibly use this issue to execute arbitary code by injecting commandsvia crafted URLs.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3435
*** Advantech EKI Vulnerabilities (Update B) ***
---------------------------------------------
This updated advisory is a follow-up to the updated advisory titled ICSA-15-344-01A Advantech EKI Vulnerabilities that was published December 15, 2015, on the NCCIC/ICS-CERT web site. This advisory provides information regarding several vulnerabilities in Advantech's EKI devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-344-01
*** D-Link DCS-931L Arbitrary File Upload ***
---------------------------------------------
Topic: D-Link DCS-931L Arbitrary File Upload Risk: High Text:## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-f...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010028
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 04-01-2016 18:00 − Dienstag 05-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** ProxieBack sneakily uses the victims server to bypass its own security ***
---------------------------------------------
Palo Alto Networks has come across a new family of proxy-creating malware, called ProxyBack, that the company believes has been in the wild since 2014 and may have more than 20 versions now running.
---------------------------------------------
http://www.scmagazine.com/proxieback-sneakily-uses-the-victims-server-to-by…
*** Hocus-pocus! The stupidity of cybersecurity predictions ***
---------------------------------------------
Every year, some publication asks me to come up with a list of my top 10 predictions for the security field, and every year I tell them they might as well just dust off an article I wrote a year earlier, with maybe a couple of buzzwords and a new technology added on. What you can generally expect in any given year is more of the same, with some slight variations.That doesn't stop people from making predictions, though. Vendors and supposed experts can't seem to control the urge, but...
---------------------------------------------
http://www.cio.com/article/3019071/security/hocus-pocus-the-stupidity-of-cy…
*** Matthew Garrett: Apple-Rechner eignen sich nicht für vertrauliche Arbeiten ***
---------------------------------------------
Zwar kann mit UEFI Secure Boot und TPMs der Startprozess von Windows- und Linux-Rechnern einigermaßen abgesichert werden - dies ließe sich aber verbessern, sagt Security-Experte Matthew Garrett. Katastrophal sei die Lage dagegen bei Apple.
---------------------------------------------
http://www.golem.de/news/matthew-garrett-apple-rechner-eignen-sich-nicht-fu…
*** Comcast Home Security System Vulnerable to Attack ***
---------------------------------------------
Comcast's Xfinity Home Security System is vulnerable to attacks that interfere with its ability to detect and alert to home intrusions.
---------------------------------------------
http://threatpost.com/comcast-home-security-system-vulnerable-to-attack/115…
*** Using IDAPython to Make Your Life Easier: Part 3 ***
---------------------------------------------
In the first two posts of this series (Part 1 and Part 2), we discussed using IDAPython to make your life as a reverse engineer easier. Now let's look at conditional breakpoints. While debugging in...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/01/using-idapython-to-make-…
*** HTML5 Security Cheat Sheet ***
---------------------------------------------
This OWASP cheat sheet serves as a guide for implementing HTML5 in a secure fashion. Contents include:Communication APIsStorage APIsGeolocationWeb WorkersSandboxed FramesOffline ApplicationsAnd...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19279
*** Nexus Security Bulletin - January 2016 ***
---------------------------------------------
We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. [...] The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.
---------------------------------------------
https://source.android.com/security/bulletin/2016-01-01.html
*** DSA-3432 icedove - security update ***
---------------------------------------------
Multiple security issues have been found in Icedove, Debians version ofthe Mozilla Thunderbird mail client: Multiple memory safety errors,integer overflows, buffer overflows and other implementation errors maylead to the execution of arbitrary code or denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3432
*** Puppet Enterprise Configuration Error Lets Remote Non-Whitelisted Users Access the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034550
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Jabber STARTTLS Downgrade Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS XR Software OSPF Link State Advertisement PCE Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Infrastructure Frame Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Communications Manager SQL Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulleins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Rational Tau (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=swg21973108
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Kenexa LCMS Premier on Cloud (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972649
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSource Dojo ToolKit affects IBM InfoSphere Master Data Management ( CVE-2015-5654) ***
http://www.ibm.com/support/docview.wss?uid=swg21972787
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Partner Gateway Advanced/Enterprise editions(CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973241
---------------------------------------------
*** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2015-7456) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005574
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM TRIRIGA Application Platform (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972369
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business ***
http://www.ibm.com/support/docview.wss?uid=swg21973135
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2015-5006, CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21972446
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affects IBM Rational Application Developer for WebSphere Software (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973785
---------------------------------------------
*** IBM Security Bulletin: IBM Tealeaf Customer Experience allows unauthorized access to system files (CVE-2015-4988) ***
http://www.ibm.com/support/docview.wss?uid=swg21968868
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affects IBM Rational Application Developer for WebSphere Software (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21972455
---------------------------------------------
*** IBM Security Bulletin:Vulnerability in OpenSSL affects IBM PureApplication System. (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21974116
---------------------------------------------
*** IBM Security Bulletin: IBM Tealeaf Customer Experience PCA Web UI PHP security issues ***
http://www.ibm.com/support/docview.wss?uid=swg21972384
---------------------------------------------
Next End-of-Shift report on 2016-01-07
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 31-12-2015 18:00 − Montag 04-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Identische SSH-Schlüssel auf Hetzner-Servern ***
---------------------------------------------
Aufgrund identischer SSH-Schlüssel können Angreifer verschlüsselte Verbindungen von Servern von Hetzner belauschen.
---------------------------------------------
http://heise.de/-3057777
*** Difficult to block JavaScript-based ransomware can hit all operating systems ***
---------------------------------------------
A new type of ransomware that still goes undetected by the great majority of AV solutions has been spotted and analyzed by Emsisoft researchers (via Google Translate). Ransom32 is delivered on the ...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3184http://blog.emsisoft.com/de/2016/01/01/meet-ransom32-the-first-javascript-r…
*** Apple had more CVEs than any single MS product in 2015, but it doesnt really matter ***
---------------------------------------------
Meaningless league table sparks silly schadenfreude A count of the number of CVEs issues on different platforms in 2015 has concluded that Apple was the most-advisoried operating system of the year, leading to gloating headlines that OS X is the "most vulnerable" of the lot.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/apple_had_m…
*** Cisco Jabbers in the clear due to STARTTLS bug ***
---------------------------------------------
Sysadmins get a belated Christmas present Twas the night before Christmas, when sysadmins probably werent watching their advisory feeds, that Cisco announced a vulnerability in its Jabber for Windows.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/cisco_jabbe…
*** BlackEnergy cyberespionage group adds disk wiper and SSH backdoor to its arsenal ***
---------------------------------------------
A cyberespionage group focused on companies and organizations in the energy sector has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server.The group is known in the security community as Sandworm or BlackEnergy, after its primary malware tool, and has been active for several years. It has primarily targeted companies that operate industrial control systems, especially in the energy sector, but has also gone after high-level government organizations,...
---------------------------------------------
http://www.cio.com/article/3018790/blackenergy-cyberespionage-group-adds-di…
*** The current state of boot security ***
---------------------------------------------
I gave a presentation at 32C3 this week. One of the things I said was "If any of you are doing seriously confidential work on Apple laptops, stop. For the love of god, please stop." I didnt really have time to go into the details of that at the time, but right now Im sitting on a plane with a ridiculous sinus headache and the pseudoephedrine hasnt kicked in yet so here we go.The basic premise of my presentation was that its very difficult to determine whether your system is in a...
---------------------------------------------
http://mjg59.dreamwidth.org/39339.html
*** A Tip For The Analysis Of MIME Files, (Sat, Jan 2nd) ***
---------------------------------------------
Ive written a diary entry about malicious MS Office documents stored as MIME files. A few days ago a reader contacted me for a problem he had analyzing such a maldoc MIME file. When he used emldump to analyze his sample (f67aa5a3ede3d31c5a68494c0678e2ee), it was not a multipart: $ ./emldump.py f67aa5a3ede3d31c5a68494c0678e2ee.vir 1: boundary=----=_NextPart_Jm9Ovypy.uUh6MCk charset=us-ascii $ You can make emldump skip this first line with option -H: $ ./emldump.py -H...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20561&rss
*** More Internet of Things irony: a security alarm with alarming security ***
---------------------------------------------
Imagine that a crook could change the text ALARM STATUS RED in your intruder alarm alerts to say ALARM STATUS GREEN...
---------------------------------------------
https://nakedsecurity.sophos.com/2016/01/03/more-internet-of-things-irony-a…
*** DFN-CERT-2016-0001: Mozilla Firefox, Network Security Services: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
Bitte beachten Sie: Zur Behebung der hier genannten Schwachstelle hat Mozilla am 28. Dezember 2015 das Security Advisory MFSA2015-150 veröffentlicht, dieses aber kurze Zeit später, ohne Angaben von Gründen, wieder zurückgezogen. Zeitgleich wurde die Firefox Version 43.0.3 bereitgestellt. Ob die hier genannte Schwachstelle in der Version also tatsächlich behoben ist, ist unklar. In den Release Notes zur Firefox Version 43.0.3 wird die Schwachstelle nicht genannt.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0001/
*** Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1034541
*** DFN-CERT-2016-0004: Mozilla Thunderbird: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/
*** Bugtraq: OSS-2016-03: Insufficient Integrity Protection in Winkhaus Bluesmart locking systems using Hitag S ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537223
*** Bugtraq: OSS-2016-02: Weak authentication in NXP Hitag S transponder allows an attacker to read, write and clone any tag ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537224
*** Bugtraq: Confluence Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537232
*** DSA-3433 samba - security update ***
---------------------------------------------
Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,print, and login server for Unix. The Common Vulnerabilities andExposures project identifies the following issues:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3433
*** PCRE Heap Overflow in pcre_compile2() in Processing Certain Regex Patterns May Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1034555
*** #2015-012 Ganeti multiple issues ***
---------------------------------------------
Ganeti, an open source virtualization manager, suffers from multiple issues in its RESTful control interface (RAPI).
---------------------------------------------
http://www.ocert.org/advisories/ocert-2015-012.html
=======================
= End-of-Shift Report =
=======================
Timeframe: Dienstag 29-12-2015 18:00 − Mittwoch 30-12-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft may have your encryption key; here's how to take it back ***
---------------------------------------------
It doesnt require you to buy a new copy of Windows.
---------------------------------------------
http://arstechnica.com/information-technology/2015/12/microsoft-may-have-yo…
*** Actor using Rig EK to deliver Qbot - update, (Wed, Dec 30th) ***
---------------------------------------------
Introduction This diary is a follow-up to my previous diary on the actor using Rig exploit kit (EK) to deliver Qbot [1]. For this diary, Ive infected more Windows hosts from other compromised websites, so we have additional data on this actor. As previously noted, this actor has been delivering Qbot (also known as Qakbot) malware. The actor uses a gate to route traffic from the compromised website to the EK landing page. In this case, the gate returns a variable that is translated to a URL for...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20551&rss
*** The Truth is in Your Logs! ***
---------------------------------------------
[The post The Truth is in Your Logs! has been first published on /dev/random]Keeping an eye on logs is boring... but mandatory! Hopefully, sometimes it can reveal funny stuffs! It looks like people at the CCC are having some fun too while their annual conference is ongoing... Here is what I got in my Apache logs this morning: 151.217.177.200 - - [30/Dec/2015:06:51:22 +0100] "DELETE your logs. \ Delete your installations. Wipe everything clean. Walk out into the...
---------------------------------------------
https://blog.rootshell.be/2015/12/30/the-truth-is-in-your-logs/
*** Killed by Proxy: Analyzing Client-end TLS Interception Software ***
---------------------------------------------
Topic: Killed by Proxy: Analyzing Client-end TLS Interception Software Risk: Medium Text:Abstract—To filter SSL/TLS-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120310
*** 32C3: Automatisierte Sicherheitstests für das Internet der Dinge ***
---------------------------------------------
Ein französisch-deutsches Forscherteam hat eine Emulationsumgebung entwickelt, mit der sich dynamische Penetrationstests von Firmware vernetzter Elektronikgeräte maschinell durchführen lassen. Erste Ergebnisse sprechen für sich.
---------------------------------------------
http://heise.de/-3056880
*** Cloud Computing: Attacks Vectors and Counter Measures ***
---------------------------------------------
I can bet that some of you might have missed the news about Star Wars, but there will be hardly any who do not know what Cloud computing is, as this has been the buzz for last several years. In this article, we will learn about various types of attacks that are possible in a...
---------------------------------------------
http://resources.infosecinstitute.com/cloud-computing-attacks-vectors-and-c…
*** Chrome: Google-Entwickler zerpflückt Antiviren-Addon ***
---------------------------------------------
Eine Chrome-Erweiterung des Antiviren-Herstellers AVG habe so viele Sicherheitslücken gehabt, dass es auch Malware hätte sein können, schreibt ein Google-Entwickler. Die Fehler sind zwar behoben, das Addon könnte aber trotzdem aus dem Chrome-Store verbannt werden.
---------------------------------------------
http://www.golem.de/news/chrome-google-entwickler-zerpflueckt-antiviren-add…
*** Misconfigured databases, a growing threat ***
---------------------------------------------
It has become commonplace to find misconfigured databases exposed to the public Internet. Last summer alone - 1,175 terabytes (approximately 1.1 petabytes) of data was left wide open for the amusement of inquiring minds and malicious hackers alike - ranging from SMBs to Fortune 500 companies.
---------------------------------------------
http://darkmatters.norsecorp.com/2015/12/29/misconfigured-databases-a-growi…
*** Mobile malware review for 2015 ***
---------------------------------------------
December 30, 2015 The last year proved to be another challenging period for the smartphones and tablets owners. Cybercriminals continued to target users of Android devices - thus, the majority of "mobile" threats and unwanted software discovered in 2015 were intended for this platform. In particular, banking Trojans, Android ransomware, advertising modules, and SMS Trojans expanded their activity. Besides, this year witnessed a growing number of malware pre-installed into...
---------------------------------------------
http://news.drweb.com/show/?i=9779&lng=en&c=9
*** Using IDAPython to Make Your Life Easier: Part 1 ***
---------------------------------------------
As a malware reverse engineer, I often find myself using IDA Pro in my day-to-day activities. It should come as no surprise, seeing as IDA Pro is the industry standard (although alternatives such as radare2...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/12/using-idapython-to-make-…
*** The weird and wacky of 2015: strange security and privacy stories ***
---------------------------------------------
These wacky stories remind us how important cybersecurity and online privacy have become in all areas of our lives.
---------------------------------------------
https://nakedsecurity.sophos.com/2015/12/29/the-weird-and-wacky-of-2015-str…
*** Steam blows as games websites security collapse ***
---------------------------------------------
Christmas hiccup on gaming platform exposed user information to others
---------------------------------------------
http://www.scmagazine.com/steam-blows-as-games-websites-security-collapse/a…
*** 2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge - Version: 52.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/2755801
*** PHP Class Name Format String Flaw Lets Remote Users Execute Arbitrary C ode ***
---------------------------------------------
http://www.securitytracker.com/id/1034543
*** Security Advisory: Apache HTTPD vulnerability CVE-2010-2791 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23332326.html?…
*** Security Advisory: Apache vulnerability CVE-2011-3639 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/20/sol20979231.html?…
*** AVG Anti-Virus Flaws in Web TuneUp Chrome Extension Lets Remote Users Obtain Potentially Sensitive Information on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034547
Next End-of-Shift Report on 2016-01-04.
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 28-12-2015 18:00 − Dienstag 29-12-2015 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** Security Updates Available for Adobe Flash Player (APSB16-01) ***
---------------------------------------------
A security bulletin (APSB16-01) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1305
*** Quick Tips to Protect Your New (and old) Apple Devices ***
---------------------------------------------
Apple has projected yet another record holiday for sales, but this should come as no surprise to fellow "Macheads". I myself, am a huge fan of Apple and have been for a quite...read moreThe post Quick Tips to Protect Your New (and old) Apple Devices appeared first on Webroot Threat Blog.
---------------------------------------------
http://www.webroot.com/blog/2015/12/28/18251/
*** 2016 Reality: Lazy Authentication Still the Norm ***
---------------------------------------------
My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang that recruits for the terrorist group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations -- including many financial institutions -- remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.
---------------------------------------------
http://krebsonsecurity.com/2015/12/2016-reality-lazy-authentication-still-t…
*** An Overview of the Upcoming libModSecurity ***
---------------------------------------------
libModSecurity is a major rewrite of ModSecurity. It preserves the rich syntax and feature set of ModSecurity while delivering improved performance, stability, and a new experience in easy integration on different. libModSecurity - Motivations While ModSecurity version 2.9.0 is available...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/An-Overview-of-the-Upcoming-…
*** Forscher: Herzschrittmacher für Hackerangriffe und Softwarefehler anfällig ***
---------------------------------------------
Forscherin und Patientin Marie Moe sprach auf dem Hackerkongress 32C3 über das Thema
---------------------------------------------
http://derstandard.at/2000028215506
*** Lets Encrypt: Ein kostenfreies Zertifikat, alle zwei Sekunden ***
---------------------------------------------
Der Start der neuen Certificate Authority Lets Encrypt hat offenbar recht gut funktioniert. Nach nur rund einem Monat im Betabetrieb ist das Projekt schon die fünftgrößte CA der Welt. Doch es gibt noch einige Aufgaben zu bewältigen.
---------------------------------------------
http://www.golem.de/news/let-s-encrypt-ein-kostenfreies-zertifikat-alle-zwe…
*** 32C3: pushTAN-App der Sparkasse nach wie vor angreifbar ***
---------------------------------------------
Zwischen Erlanger Sicherheitsforschern und dem Sparkassenverband hat sich ein Katz-und-Maus-Spiel um die Online-Banking-App "pushTAN" entwickelt. Die jüngste Version ließe sich weiter recht einfach angreifen, sagen Experten.
---------------------------------------------
http://heise.de/-3056667
*** 32C3: Verschlüsselung gängiger RFID-Schließanlagen geknackt ***
---------------------------------------------
RFID-Transponderkarten, die für die elektronische Zutrittskontrolle genutzt werden, lassen sich Sicherheitsexperten zufolge oft "trivial einfach" klonen.
---------------------------------------------
http://heise.de/-3056646
*** Geldautomaten-Skimming auf dem Rückzug ***
---------------------------------------------
Die Milliardeninvestitionen von Banken und Handel in mehr Sicherheit zeigen Wirkung: Datendiebe kommen am Geldautomat in Deutschland immer seltener zum Zug. Doch noch finden die Kriminellen Löcher im System.
---------------------------------------------
http://heise.de/-3056638
*** Microsoft Has Your Encryption Key If You Use Windows 10 ***
---------------------------------------------
An anonymous reader writes with this bit of news from the Intercept. If you login to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to a Microsoft servers. From the article: "The fact that new Windows devices require users to backup their recovery key on Microsofts servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/YfNKeGMMq1o/microsoft-has-y…
*** Voice over LTE: Angriffe auf mobile IP-Telefonie vorgestellt ***
---------------------------------------------
Talks, die Albträume über mobile Kommunikation auslösen, haben beim CCC Tradition. Dieses Mal haben zwei koreanische Studenten Angriffe auf Voice over LTE vorgeführt. In Deutschland soll das angeblich nicht möglich sein.
---------------------------------------------
http://www.golem.de/news/voice-over-lte-mobile-ip-telefonie-kann-abgehoert-…
*** Fixing JavaScripts Broken Random Number Generator ***
---------------------------------------------
szczys writes: It is surprising to learn how broken the JavaScript Random Number Generator has been for the past six years. The problem is compounded by the fact that Node.js uses the same broken Math.random() module. Learning about why this is broken is interesting, but perhaps even more interesting is how the bad code got there in the first place. It seems that a forum thread from way back in 1999 shared two versions of the code. If you read to the end of the thread you got the working
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GG87DY0k6I4/fixing-javascri…
*** DFN-CERT-2015-2002: Roundcubemail: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-2002/
*** libtiff bmp file Heap Overflow ***
---------------------------------------------
Topic: libtiff bmp file Heap Overflow Risk: High Text:Details = Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Heap Overflow Security Risk: High Vendor U...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120304