=======================
= End-of-Shift report =
=======================
Timeframe: Friday 11-03-2016 18:00 − Monday 14-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** VU#713312: DTE Energy Insight app vulnerable to information exposure ***
---------------------------------------------
The DTE Energy Insight app API allows an authenticated user to obtain and query certain limited customer information from other customers.
---------------------------------------------
http://www.kb.cert.org/vuls/id/713312
*** Oracle's more than two-year-old Java security patch still vulnerable ***
---------------------------------------------
According to security expert Adam Gowdiak, Oracle misjudged a vulnerability more than two years ago and also botched the patch that was supposed to fix the bug.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mehr-als-zwei-Jahre-alter-Java-Secur…
*** The Source of All Major Android Banking Trojans Just Got Updated To V2 ***
---------------------------------------------
An anonymous reader writes: Apparently, during the past months it has begun to surface that most top-tier Android malware was actually related, coming from a common malware variant called GM Bot, and sold for only ..
---------------------------------------------
http://news.slashdot.org/story/16/03/12/1556259/the-source-of-all-major-and…
*** Google Chrome Extension Caught Stealing Bitcoin From Users ***
---------------------------------------------
An anonymous reader writes: Bitcoin exchange portal Bitstamp is warning users of a Google Chrome extension that steals their Bitcoin when making a transfer. According to Bitstamp, this extension contains malicious code that is redirecting ..
---------------------------------------------
http://news.slashdot.org/story/16/03/12/2328254/google-chrome-extension-cau…
*** Armada Collective is back, extorting Financial Intuitions in Switzerland ***
---------------------------------------------
These extortion emails usually originate from free email service providers (such as Gmail or Openmail) and are being sent to the info@ email address of the targeted financial institution. Unlike the extortion attempts conducted by Armada Collective in September 2015, we are not aware of ..
---------------------------------------------
http://www.govcert.admin.ch/blog/19/armada-collective-is-back-extorting-fin…
*** Auto vulnerability scanners turn up mostly false positives ***
---------------------------------------------
Automated vulnerability scanners turn up mostly false positives, but even the wild goose chase that results can be cheaper for businesses than manual processes, according to NCC Group security engineer Clint Gibler.
---------------------------------------------
http://www.theregister.co.uk/2016/03/14/cheap_auto_vulnerability_scanners_c…
*** SSA-833048 (Last Update 2016-03-14): Vulnerability in SIMATIC S7-1200 CPUs prior to V4 ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-833048…
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects TS4500 (CVE-2015-7547) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ssg1S1005695
*** IBM Security Bulletin: glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1023395
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21975835
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM SmartCloud Entry (CVE-2016-0475 CVE-2016-0448 CVE-2015-7575 CVE-2016-0466) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1023378
*** Botnets Plague the Web. This AI Is Out to Stop Them ***
---------------------------------------------
A group of Israeli researchers believe they are the first to have discovered a way to locate botnets and identify who is behind them, by planting honeypots that gather information about attacks carried out by the network, and analyzing that data with machine learning programs.
---------------------------------------------
https://motherboard.vice.com/read/botnets-plague-the-web-this-ai-is-out-to-…
*** Broken 2013 Java Patch Leads to Sandbox Bypass ***
---------------------------------------------
A patch for a critical 2013 Java vulnerability is incomplete, and exposes Java servers and clients to a sandbox bypass, researchers at Security Explorations of Poland said.
---------------------------------------------
http://threatpost.com/broken-2013-java-patch-leads-to-sandbox-bypass/116757/
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 10-03-2016 18:00 − Friday 11-03-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Locky Ransomware Spreading in Massive Spam Attack ***
---------------------------------------------
Researchers are tracking a massive spam campaign pelting inboxes with Locky ransomware downloaders in the form of JavaScript attachments.
---------------------------------------------
http://threatpost.com/locky-ransomware-spreading-in-massive-spam-attack/116…
*** Uninstall or update: Adobe distributes emergency update for Flash ***
---------------------------------------------
It comes as no surprise: Adobe is again releasing an emergency update for Flash Player. Anyone who has not already uninstalled it should install the update. Digital Editions and Adobe Reader are also being patched.
---------------------------------------------
http://www.golem.de/news/deinstallieren-oder-aktualisieren-adobe-rollt-notf…
*** Security Afterworks Spezial: Secure your Enterprise - Innovative Microsoft security solutions in the enterprise & mobility environment ***
---------------------------------------------
April 18, 2016 - 3:00 pm - 5:00 pm, Microsoft Österreich, Am Europlatz 3, Wien
---------------------------------------------
https://www.sba-research.org/events/security-afterworks-spezial-secure-your…
*** Files compromised by ransomware Trojan for OS X can be decrypted by Doctor Web ***
---------------------------------------------
March 11, 2016. At the beginning of March, numerous mass media, websites, and blogs announced the emergence of the first ever ransomware for Mac computers. Doctor Web specialists examined this malicious program, which was named Mac.Trojan.KeRanger.2, and they have developed a method that can help to decrypt files affected by this Trojan. Mac.Trojan.KeRanger.2 was first detected in a compromised version of the installer for a popular OS X torrent client that was distributed as a DMG file.
---------------------------------------------
http://news.drweb.com/show/?i=9877&lng=en&c=9
*** Cerber Ransomware - New, But Mature ***
---------------------------------------------
We take a look at Cerber, ransomware named after the mythical multi-headed dog...
---------------------------------------------
https://blog.malwarebytes.org/intelligence/2016/03/cerber-ransomware-new-bu…
*** OpenSSH Security Advisory: x11fwd.adv ***
---------------------------------------------
Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).
---------------------------------------------
http://www.openssh.com/txt/x11fwd.adv
*** Cisco Gigabit Switch Router 12000 Series Routers Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Schneider Electric Telvent RTU Improper Ethernet Frame Padding Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability caused by an Institute of Electrical and Electronics Engineers (IEEE) conformance issue involving improper frame padding in Schneider Electric's Telvent SAGE 2300 and 2400 remote terminal units.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-070-01
*** VU#270232: Quagga bgpd with BGP peers enabled for VPNv4 contains a buffer overflow vulnerability ***
---------------------------------------------
Vulnerability Note VU#270232 Quagga bgpd with BGP peers enabled for VPNv4 contains a buffer overflow vulnerability. Original Release date: 10 Mar 2016 | Last revised: 10 Mar 2016. Overview: Quagga, version 0.99.24.1 and earlier, contains a buffer overflow vulnerability in bgpd with BGP peers enabled for VPNv4 that may be leveraged to gain code execution. Description: CWE-121: Stack-based Buffer Overflow - CVE-2016-2342. Quagga is a software routing suite that implements numerous routing protocols for...
---------------------------------------------
http://www.kb.cert.org/vuls/id/270232
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects Tivoli Provisioning Manager for OS deployment and Tivoli Provisioning Manager for Images (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21978194
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM DataPower Gateways (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977460
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects Rational Publishing Engine (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21978188
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM DataPower Gateways (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974969
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in the GSKit component of IBM DB2 LUW (CVE-2016-0201, CVE-2015-7420 & CVE-2015-7421) ***
http://www.ibm.com/support/docview.wss?uid=swg21977787
---------------------------------------------
*** IBM Security Bulletin: Cross-Site Scripting Vulnerability with the UML Vizualization tools ***
http://www.ibm.com/support/docview.wss?uid=swg21978003
---------------------------------------------
*** Security Bulletin: Vulnerability in lighttpd affects IBM Integrated Management Module (IMM)(CVE-2015-3200) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099226
---------------------------------------------
*** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21978471
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 09-03-2016 18:00 − Thursday 10-03-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** First Principles for Network Defenders: A Unified Theory for Security Practitioners ***
---------------------------------------------
Great thinkers like Aristotle, Descartes and Elon Musk have said that, in order to solve really hard problems, you have to get back to first principles. First principles in a designated ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/03/first-principles-for-net…
*** DSA-3509 rails - security update ***
---------------------------------------------
Two vulnerabilities have been discovered in Rails, a web application framework written in Ruby. Both vulnerabilities affect Action Pack, which handles the web requests for Rails.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3509
*** Powershell Malware - No Hard drive, Just hard times, (Wed, Mar 9th) ***
---------------------------------------------
ISC Reader Eric Volking submitted a very nice sample of some Powershell based malware. Let's take a look! The malware starts in the traditional way, by launching itself with an ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20823
*** Bugtraq: [CORE-2016-0004] - SAP Download Manager Password Weak Encryption ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537746
*** Bugtraq: [CORE-2016-0003] - Samsung SW Update Tool MiTM ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537750
*** DSA-3512 libotr - security update ***
---------------------------------------------
Markus Vervier of X41 D-Sec GmbH discovered an integer overflow vulnerability in libotr, an off-the-record (OTR) messaging library, in the way the sizes of portions of incoming messages were stored. A remote attacker can exploit this ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3512
*** DSA-3511 bind9 - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3511
*** Security Advisory: BIND vulnerability CVE-2016-2088 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/59/sol59692558.html
*** Security Advisory: BIND vulnerability CVE-2016-1285 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/46/sol46264120.html
*** Security Advisory: BIND vulnerability CVE-2016-1286 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/62/sol62012529.html
*** Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015 ***
---------------------------------------------
When a PDF is uploaded in Scald File, various tools can be executed if they're installed on the server, to try to generate a thumbnail out of that PDF. This is mitigated by the need to have sufficient permissions to upload a file in Scald, ..
---------------------------------------------
https://www.drupal.org/node/2684601
*** Ransomware: "Paying is not advised" ***
---------------------------------------------
DDoS attacks, CEO fraud and ransomware: attacks on companies are increasing. futurezone asked security expert Michael Krausz about it.
---------------------------------------------
http://futurezone.at/digital-life/ransomware-von-zahlungen-ist-abzuraten/18…
*** Ransomware trojan: Time Machine backups vulnerable ***
---------------------------------------------
The developers of the OS X ransomware KeRanger also considered Time Machine backups as a target. It is indeed possible to modify documents in the backup even without admin rights.
---------------------------------------------
http://heise.de/-3131762
*** TRUST 2016, organized by SBA Research ***
---------------------------------------------
August 29, 2016 - August 30, 2016 - All Day, Vienna University of Technology, Gußhausstraße 27-29, Vienna
---------------------------------------------
https://www.sba-research.org/events/trust-2016-organized-by-sba-research/
*** Critical vulnerability in Jabber encryption OTR ***
---------------------------------------------
The Off-the-Record (OTR) protocol and its implementation were considered reasonably secure. Now researchers have discovered a critical vulnerability that allows attackers to inject and execute their own code. Updates close the hole.
---------------------------------------------
http://heise.de/-3130396
*** PlugX malware: A good hacker is an apologetic hacker ***
---------------------------------------------
Sometimes malware writers put messages in their malware. We found one such message in PlugX dropper. And it was pretty melodramatic ..
---------------------------------------------
http://securelist.com/blog/virus-watch/74150/plugx-malware-a-good-hacker-is…
*** [R4] OpenSSL 20160301 Advisory Affects Tenable Nessus ***
---------------------------------------------
https://www.tenable.com/security/tns-2016-03
*** Apple Software Update 2.2 ***
---------------------------------------------
Impact: An attacker in a privileged network position may be able to control the contents of the updates window
---------------------------------------------
https://support.apple.com/en-us/HT206091
*** Vulnerabilities in multiple third party TYPO3 CMS extensions ***
---------------------------------------------
It has been discovered that the extension "phpMyAdmin" (phpmyadmin) is susceptible to unsafe comparison of XSRF/CSRF token, multiple full path disclosure vulnerabilities, multiple XSS vulnerabilities, insecure password generation in JavaScript.
---------------------------------------------
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-…
*** Security: DROWN continues to endanger numerous web services ***
---------------------------------------------
How quickly are server operators patching the DROWN vulnerability? Too slowly, apparently, according to several security firms. With Heartbleed it went considerably better.
---------------------------------------------
http://www.golem.de/news/security-drown-gefaehrdet-weiterhin-zahlreiche-web…
*** Android mobile banking trojan uses layered defenses to avoid removal ***
---------------------------------------------
Researchers at ESET have spotted a new Android banking trojan that camouflages itself as a legitimate mobile banking app, but instead of giving access to a person's bank account it steals login credentials.
---------------------------------------------
http://www.scmagazine.com/android-mobile-banking-trojan-uses-layered-defens…
*** Cisco Prime LAN Management Solution Default Decryption Key Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Updates Available for Adobe Flash Player (APSB16-08) ***
---------------------------------------------
A Security Bulletin (APSB16-08) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1327
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 08-03-2016 18:00 − Wednesday 09-03-2016 18:00
Handler: n/a
Co-Handler: Stephan Richter
*** Apple denies researchers claims of bypassing iOS passcode using Siri ***
---------------------------------------------
Vulnerability Lab researchers claim to have spotted multiple passcode bypass vulnerabilities in the latest Apple iOS systems.
---------------------------------------------
http://www.scmagazine.com/researchers-says-ios-has-passcode-bypass-vulnerab…
*** Microsoft Patch Tuesday: five critical vulnerabilities, all Windows versions affected ***
---------------------------------------------
Microsoft is distributing a total of 13 updates this month for Windows, Office and its two browsers Internet Explorer and Edge. Several vulnerabilities allow Windows machines to be hijacked remotely.
---------------------------------------------
http://heise.de/-3131122
*** Trivial path for DDoS amplification attacks found by infosec bods ***
---------------------------------------------
600,000 servers are vulnerable to this little-known protocol. Security researchers have discovered a new vector for DDoS amplification attacks - and it's quite literally trivial.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/03/09/trivial_ddo…
*** KeRanger Mac ransomware is a rewrite of Linux Encoder ***
---------------------------------------------
KeRanger, the recently discovered first functional Mac ransomware, is a copy of Linux Encoder, the crypto-ransomware first unearthed and analyzed in November 2015 by Dr. Web researchers. "The encryption functions are identical and have same names: encrypt_file, recursive_task, currentTimestamp and createDaemon to only mention a few. The encryption routine is identical to the one employed in Linux.Encoder", explained Catalin Cosoi, Chief Security Strategist at Bitdefender.
---------------------------------------------
https://www.helpnetsecurity.com/2016/03/09/keranger-mac-ransomware-rewrite-…
*** A Wall Against Cryptowall? Some Tips for Preventing Ransomware, (Wed, Mar 9th) ***
---------------------------------------------
A lot of attention has been paid lately to the Cryptowall / Ransomware family (as in crime family) of malware. What I get asked a lot by clients is how can I prepare / prevent an infection? Prepare is a good word in this case; it encompasses both prevention and setting up processes for dealing with the infection that will inevitably happen in spite of those preventative processes. Plus it's the first step in the Preparation / Identification / Containment / Eradication / Restore Service / Lessons...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20821&rss
*** Android security updates: always trouble with Stagefright ***
---------------------------------------------
Google cannot get rid of the Stagefright problems. The March update again patches several critical vulnerabilities in the multimedia services of Android devices. Updates for Nexus smartphones and tablets are already being distributed.
---------------------------------------------
http://heise.de/-3131138
*** RSA: Seven Attack Trends (March 3, 2016) ***
---------------------------------------------
At the RSA Conference in San Francisco last week, SANS researchers described seven cyberattack trends that are likely to come up again and again over the course of this year: Weaponization of Windows PowerShell; Stagefright-like mobile vulnerabilities; Developer environment vulnerabilities like Xcode Ghost; Industrial Control System (ICS) attacks; Targeting unsecure third-party software components; Internet of (Evil) Things; and Ransomware...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/19/201
*** MS16-MAR - Microsoft Security Bulletin Summary for March 2016 - Version: 1.0 ***
---------------------------------------------
V1.0 (March 8, 2016): Bulletin Summary published.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-MAR
*** [R1] PHP < 5.6.18 / PCRE < 8.38 Vulnerabilities Affect Tenable SecurityCenter ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-04
*** Bugtraq: [security bulletin] HPSBHF03557 rev.1 - HPE Networking Products using Comware 7 (CW7) running NTP, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537721
*** Persistent Cross-Site Scripting Vulnerability in Citrix XenMobile Server 10.x Web User Interface ***
---------------------------------------------
This vulnerability could potentially be used to execute malicious client-side script in the same context as legitimate content from the web server; if this vulnerability is used to execute script in the browser of an authenticated administrator then the script may be able to gain access to the administrator's session or other potentially sensitive information.
---------------------------------------------
https://support.citrix.com/article/CTX207499
*** Cisco Cable Modem with Digital Voice Remote Code Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco ASA Content Security and Control Security Services Module Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Wireless Residential Gateway with EDVA Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Wireless Residential Gateway Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 07-03-2016 18:00 − Tuesday 08-03-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** PhishLabs on the growing sophistication of business email scams ***
---------------------------------------------
At the 2016 RSA Conference, CSO's Steve Ragan chats with Joseph Opacki from PhishLabs about how cyber-criminals are becoming increasingly smarter about targeting specific high-end business users to try and steal data or money.
---------------------------------------------
http://www.cio.com/video/63026/phishlabs-on-the-growing-sophistication-of-b…
*** Google plugs 19 holes in newest Android security update ***
---------------------------------------------
In the March 2016 security update for the Android Open Source Project (AOSP), Google has fixed 19 security issues, seven of which are considered to be critical. Among these, and admittedly the most important to patch, are two remote code execution vulnerabilities in - yes, you've guessed it - Mediaserver. Mediaserver is a service in Android that allows the device to index media files that are located on it. The vulnerabilities in question (CVE-2016-0815, CVE-2016-0816)...
---------------------------------------------
https://www.helpnetsecurity.com/2016/03/08/android-security-update/
*** Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 12: Controlled Use of Administrative Privileges ***
---------------------------------------------
This is Part 12 of a How-To effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Security Controls. A summary of the previous posts is here: Part 1 - we looked at Inventory of Authorized and Unauthorized Devices. Part 2 - we looked at Inventory of Authorized and Unauthorized Software. Part 3 - we looked at Secure...
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/free-and-commercial-to…
*** Cloud sellers who acted on Heartbleed sink when it comes to DROWN ***
---------------------------------------------
An out-stretched arm slowly disappears... Response to the critical web-crypto-blasting DROWN vulnerability in SSL/TLS by cloud services has been much slower than the frantic patching witnessed when the Heartbleed vulnerability surfaced two years ago.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/03/08/drown_vulne…
*** Ransomware trojan Keranger: how to protect your Mac ***
---------------------------------------------
For the first time, working ransomware is targeting OS X users. After infection, three days remain before "Keranger" encrypts documents. Users should check whether they are affected - and take countermeasures.
---------------------------------------------
http://heise.de/-3130854
*** Security Bulletins Posted ***
---------------------------------------------
Security Bulletins for Adobe Digital Editions (APSB16-06) as well as Adobe Acrobat and Reader (APSB16-09) have been published. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. A security...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1322
*** DFN-CERT-2016-0402: ISC DHCP: A vulnerability allows a denial-of-service attack ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0402/
*** DFN-CERT-2016-0405: PuTTY: A vulnerability allows execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0405/
*** DFN-CERT-2016-0400: BlackBerry powered by Android: Multiple vulnerabilities allow, among other things, execution of arbitrary code with the privileges of the mediaserver ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0400/
*** Bugtraq: ESA-2016-012: EMC Documentum xCP - User Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537712
*** [R3] OpenSSL 20160301 Advisory Affects Tenable Nessus ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-03
*** Security Advisory: Libpng vulnerability CVE-2015-8472 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/81/sol81903701.html?…
*** Security Advisory: OpenSSL vulnerabilities CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23196136.html?…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) and OpenSSL vulnerabilities affect WebSphere Cast Iron. (CVE-2015-7547 CVE-2015-3193 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21978339
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of IBM SDK for Node.js in IBM Bluemix (CVE-2015-3197, CVE-2016-2086, CVE-2016-2216) ***
http://www.ibm.com/support/docview.wss?uid=swg21977242
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM XIV Gen2 (CVE-2016-0777, CVE-2016-0778) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005618
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM XIV Gen3 (CVE-2016-0777, CVE-2016-0778) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005619
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM XIV Gen3 systems and IBM XIV Management Tools (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005615
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 04-03-2016 18:00 − Monday 07-03-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** When a WordPress Plugin Goes Bad ***
---------------------------------------------
Last summer we shared a story about the SweetCaptcha WordPress plugin injecting ads and causing malvertising problems for websites that leveraged the plugin. When this plugin was removed from the official WordPress Plugin directory, the authors revived another WordPress account with a long abandoned plugin and uploaded SweetCaptcha as a "new version" of that plugin.
---------------------------------------------
https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html
*** Novel method for slowing down Locky on Samba server using fail2ban, (Sun, Mar 6th) ***
---------------------------------------------
One of our loyal readers, Gebhard, pointed out a nice post (in German) on how to slow down Locky if you are using a Samba server for filesharing in your environment. The technique takes advantage of fail2ban and some additional Samba logging to keep Locky from encrypting all the files on the share. It is worth a look. [en]: https://translate.google.com/translate?sl=autotl=enjs=yprev=_thl=enie=U… --------------- Jim Clausing
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20805&rss
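An added example (not code from the ISC diary or from the German post it links to) of what such a filter does: parse Samba full_audit log lines and apply fail2ban's maxretry/findtime logic to rename and write operations that produce Locky's file-name artefacts (files renamed to `<16 hex chars>.locky`, the `_Locky_recover_instructions.txt` ransom note). The smb.conf audit settings in the comments, the syslog lines and the filter file name are assumptions; the sample log is constructed. In a real deployment fail2ban would run its ban action (an iptables rule blocking the client's access to ports 139 and 445) instead of returning the IP, and the threshold has to sit above the rename rate of legitimate bulk operations on the share.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed smb.conf fragment for the share (vfs_full_audit, logging to syslog):
#   vfs objects = full_audit
#   full_audit:prefix = %u|%I|%m|%S
#   full_audit:success = rename pwrite
#   full_audit:failure = none
# Every audited call then appears as:  <prefix>|<operation>|<ok|fail>|<arguments...>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<client>[^|]*)\|(?P<share>[^|]*)\|"
    r"(?P<op>[^|]*)\|(?P<result>[^|]*)\|(?P<args>.*)$"
)

# File-name indicators of the Locky variant circulating in March 2016.
INDICATOR_RE = re.compile(r"(\.locky|_Locky_recover_instructions\.txt)$", re.IGNORECASE)

# Equivalent filter line for a hypothetical /etc/fail2ban/filter.d/samba-locky.conf.
# fail2ban substitutes <HOST> with its IP pattern and strips the syslog timestamp itself.
FAIL2BAN_FAILREGEX = (r"^.*smbd_audit: [^|]*\|<HOST>\|[^|]*\|[^|]*\|(rename|pwrite)\|ok\|"
                      r".*(\.locky|_Locky_recover_instructions\.txt)$")


def parse_audit_line(line):
    """Split one smbd_audit syslog line into fields; the last argument is the path written or created."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    event["target"] = event["args"].split("|")[-1]
    return event


def is_ransomware_artifact(path):
    return INDICATOR_RE.search(path) is not None


def suspicious_clients(lines, maxretry=5, findtime=60):
    """fail2ban semantics: flag a client IP once `maxretry` indicator hits fall within any
    `findtime`-second window. Returns {ip: timestamp of the hit that tripped the filter}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev["result"] != "ok" or not is_ransomware_artifact(ev["target"]):
            continue
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > findtime:
            window.popleft()                      # drop hits older than findtime
        if len(window) >= maxretry and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


# Constructed sample lines (not from a real server): alice's workstation is infected, bob is not.
SAMPLE_LOG = [
    "Mar  6 10:15:01 fs01 smbd_audit: alice|192.168.1.50|WS-ALICE|projects|rename|ok|docs/budget.xlsx|docs/A1B2C3D4E5F60718.locky",
    "Mar  6 10:15:01 fs01 smbd_audit: alice|192.168.1.50|WS-ALICE|projects|rename|ok|docs/report.docx|docs/0F1E2D3C4B5A6978.locky",
    "Mar  6 10:15:02 fs01 smbd_audit: bob|192.168.1.51|WS-BOB|projects|rename|ok|drafts/memo.docx|drafts/memo-final.docx",
    "Mar  6 10:15:02 fs01 smbd_audit: alice|192.168.1.50|WS-ALICE|projects|rename|ok|docs/plan.pptx|docs/9A8B7C6D5E4F3021.locky",
    "Mar  6 10:15:03 fs01 smbd_audit: alice|192.168.1.50|WS-ALICE|projects|pwrite|ok|docs/_Locky_recover_instructions.txt",
    "Mar  6 10:15:03 fs01 smbd_audit: alice|192.168.1.50|WS-ALICE|projects|rename|ok|docs/notes.txt|docs/1122334455667788.locky",
    "Mar  6 10:15:04 fs01 smbd_audit: alice|192.168.1.50|WS-ALICE|projects|rename|fail|docs/locked.doc|docs/AABBCCDDEEFF0011.locky",
    "Mar  6 10:15:04 fs01 smbd_audit: alice|192.168.1.50|WS-ALICE|projects|rename|ok|docs/q1.csv|docs/CAFEBABE00112233.locky",
]

if __name__ == "__main__":
    for ip, when in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip} tripped the Locky filter at {when:%H:%M:%S}; fail2ban would ban it now")
```

The filter only counts successful operations: the failed rename on an already-locked file is noise, not evidence. Note that this slows Locky down rather than stopping it; the files renamed before the fifth hit are already encrypted.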
*** KeRanger: first ransomware campaign threatens Mac OS X ***
---------------------------------------------
For the first time, an extortion trojan is encrypting Mac users' data as well. The malware hides inside the BitTorrent client Transmission. Apple and the developers have already reacted.
---------------------------------------------
http://heise.de/-3129346
*** Bundestag hack: attack with common methods and open-source tools ***
---------------------------------------------
Internal documents bring new details about last year's hacking attack on the Bundestag to light: the attackers used common methods and freely available tools.
---------------------------------------------
http://heise.de/-3129862
*** Maintainers of new generic top level domains have a hard time keeping abuse in check ***
---------------------------------------------
Generic top-level domains (gTLDs) that have sprung up in recent years have become a magnet for cybercriminals, to the point where some of them host more malicious domains than legitimate ones. Spamhaus, an organization that monitors spam, botnet and malware activity on the Internet, published a list of the world's top 10 "worst TLDs" on Saturday. What's interesting is that the list is not based on the overall number of abusive domains hosted under a TLD, but on the TLD's ratio of...
---------------------------------------------
http://www.cio.com/article/3041338/maintainers-of-new-generic-top-level-dom…
*** DFN-CERT-2016-0398: Squid: two vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0398/
*** HPE Network Automation Unspecified Flaws Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1035192
*** Filr 2.0 - Security Update 1 ***
---------------------------------------------
Abstract: Security Updates for glibc and nscd on the Filr, Search and MySQL 2.0.0 appliances (CVE-2015-7547)
Document ID: 5237510
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: MySQL-2.0.0.182.HP.zip (21.71 MB), Filr-2.0.0.422.HP.zip (23.03 MB), Search-2.0.0.400.HP.zip (21.71 MB)
Products: Filr 2
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=LqikC-Hosps~
*** Filr 1.2 - Security Update 2 ***
---------------------------------------------
Abstract: Security Updates for glibc and nscd on the Filr, Search and MySQL 1.2.0 appliances (CVE-2015-7547)
Document ID: 5237480
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: Filr-1.2.0.861.HP.zip (23.03 MB), MySQL-1.2.0.413.HP.zip (21.71 MB), Search-1.2.0.998.HP.zip (21.71 MB)
Products: Filr 1.2
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=PQBDzZUKFac~
*** Sentinel 7.4 SP1 (Sentinel 7.4.1.0) Build 2512 ***
---------------------------------------------
Abstract: Sentinel 7.4.1 upgrade for Sentinel 7.4
Document ID: 5237090
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: sentinel_server-7.4.1.0-2512.x86_64.tar.gz.sha256 (109 bytes), sentinel_server-7.4.1.0-2512.x86_64.tar.gz (1.74 GB)
Products: Sentinel, Sentinel 7.2, 7.2.1, 7.2.2, 7.3, 7.3.1, 7.3.2, 7.4, 7.4.1
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=ZEMvbiAk5k8~
*** innovaphone IP222 / IP232 Denial Of Service ***
---------------------------------------------
Risk: Medium. Advisory ID: SYSS-2015-053. Product: innovaphone IP222/IP232. Manufacturer: inn...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016030035
*** Bugtraq: Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537708
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libpng affect PowerKVM (CVE-2015-8126, CVE-2015-8472) ***
2016-03-07T08:14:25-05:00
http://www.ibm.com/support/docview.wss?uid=isg3T1023374
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM MQ Appliance (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977498
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the GNU C Library (glibc) affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023385
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Guardium (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977444
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in grub2 affect PowerKVM (CVE-2015-5281, CVE-2015-8370) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023376
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in netcf affects PowerKVM (CVE-2014-8119) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023367
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail affected by libcurl vulnerability (CVE-2016-0755) ***
http://www.ibm.com/support/docview.wss?uid=swg21977843
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023350
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in bind affects PowerKVM (CVE-2015-8704) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023372
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in MIT Kerberos 5 (krb5) affect PowerKVM (CVE-2014-5355, CVE-2015-2694) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023354
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in file affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023349
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in xfsprogs affects PowerKVM (CVE-2012-2150) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023356
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Gnu binutils affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023355
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 03-03-2016 18:00 − Friday 04-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-09) ***
---------------------------------------------
A prenotification Security Advisory has been posted regarding upcoming updates for Adobe Acrobat and Reader scheduled for Tuesday, March 8, 2016. We will continue to provide updates on the upcoming release via the Security Advisory as well as the ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1319
*** Open-Xchange Guard 2.2.0 / 2.0 Private Key Disclosure ***
---------------------------------------------
The "getprivkeybyid" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the "id" and "cid" parameter to specify the current user by its user- and context-ID. The "auth" parameter contains ..
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016030034
*** Criminals often rely on default passwords ***
---------------------------------------------
In the Heisenberg project, honeypots exposed an RDP port. Security researchers then analysed the login credentials the attackers tried.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Kriminelle-setzen-oft-auf-Standard-P…
*** NCSC publishes factsheet Disable SSL 2.0 and upgrade OpenSSL ***
---------------------------------------------
On 1 March, a group of researchers presented the DROWN attack methods for TLS. An attacker uses DROWN to abuse servers that still support SSL 2.0. Servers that run a vulnerable version of OpenSSL can be abused in the same way, regardless of whether they support SSL 2.0. An attacker who is able to intercept network traffic that is secured with TLS, may attempt to decrypt this traffic ..
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/ncsc-publishes-factsheet-di…
*** Mit Sicherheit - BSI-Magazin 2016/01 ***
---------------------------------------------
In this issue of the BSI magazine we look back on a quarter century of German IT security history, as the Bundesamt für Sicherheit in der Informationstechnik celebrates its ..
---------------------------------------------
https://www.bsi.bund.de/DE/Publikationen/BSI-Magazin/BSI-Magazin_node.html
*** Amazon App Store distributes Android trojan ***
---------------------------------------------
Can spy on users extensively, but is also easy to uninstall ..
---------------------------------------------
http://derstandard.at/2000032287420
*** DROWN attack: Server4You exposes thousands of affected customers ***
---------------------------------------------
An abuse ticket sent by Server4You to customers with servers threatened by the DROWN attack lists tens of thousands of IP addresses and ports of affected servers. The hoster also gave the customers an ultimatum, but has since backed down.
---------------------------------------------
http://heise.de/-3128656
*** Amazon removes encryption feature from Fire tablets ***
---------------------------------------------
Amazon has removed the Android storage-encryption feature from the operating system of its Fire tablets, saying that customers did not use it. At least that is how the company explains the step, which has now become public.
---------------------------------------------
http://heise.de/-3128844
*** Chaos Computer Club gets a sister association in Vienna ***
---------------------------------------------
General meeting on Saturday; the Easterhegg hacker meeting takes place in Salzburg.
---------------------------------------------
http://derstandard.at/2000032301583
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 02-03-2016 18:00 − Thursday 03-03-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco Unified Communications Domain Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** LibreSSL Unaffected By DROWN ***
---------------------------------------------
The OpenBSD people forked and heavily cleaned up OpenSSL to create LibreSSL out of dissatisfaction with the maintenance of OpenSSL, which culminated in the Heartbleed bug. The emphasis has been on cleaning up the code and improving security, which includes removing things such as SSLv2, which has fundamental security flaws. As a result, LibreSSL is not ..
---------------------------------------------
http://it.slashdot.org/story/16/03/02/1620221/libressl-unaffected-by-drown
*** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016 ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Prime Infrastructure Log File Remote Code Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Schneider Electric Building Operation Automation Server Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
*** Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability ***
---------------------------------------------
This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02
*** Windows Built-In PDF Reader Exposes Edge Browser To Hacking ***
---------------------------------------------
Edge, Microsoft's new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files; it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT ..
---------------------------------------------
http://news.slashdot.org/story/16/03/02/2210256/windows-built-in-pdf-reader…
*** Open-Xchange Guard Access Control Flaw Lets Remote Authenticated Users Obtain Private Keys in Certain Cases ***
---------------------------------------------
http://www.securitytracker.com/id/1035174
*** Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011 ***
---------------------------------------------
The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on ..
---------------------------------------------
https://www.drupal.org/node/2679515
*** Register now for the International NCSC One Conference 2016 ***
---------------------------------------------
Protecting Bits & Atoms is the theme for our international One Conference 2016. It is especially timely given the increasingly connected physical and digital worlds and how information and communication technologies (ICT) have ingrained themselves into the very fabric of our society. The ONE conference will take place on Tuesday April 5 and Wednesday April 6 at the World Forum in The Hague, The Netherlands.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/register-now-for-the-intern…
*** How fraudsters can abuse Apple Pay ***
---------------------------------------------
Apple Pay is convenient and considered secure. Yet criminals can abuse the system to create digital copies of credit cards.
---------------------------------------------
http://www.golem.de/news/security-wie-betrueger-apple-pay-missbrauchen-koen…
*** Java Deserialization Attacks with Burp ***
---------------------------------------------
This blog is about Java deserialization and the Java Serial Killer Burp extension. If you want to download the extension and skip past all of this, head to the Github page here. The recent Java deserialization attack that was discovered has provided a large window of opportunity for penetration testers to gain access to the underlying systems that Java applications communicate with.
---------------------------------------------
https://blog.netspi.com/java-deserialization-attacks-burp/
*** Valve informs Steam users about the Christmas data breach ***
---------------------------------------------
Almost three months after the massive data breach, Valve is now informing the affected users, who in the meantime had probably long forgotten the problem.
---------------------------------------------
http://heise.de/-3127829
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 01-03-2016 18:00 − Wednesday 02-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Threat Actors Behind "Shrouded Crossbow" Create BIFROSE for UNIX ***
---------------------------------------------
We recently came across a variant of the BIFROSE malware that has been rewritten for UNIX and UNIX-like systems. This is the latest tool developed by attackers behind operation Shrouded Crossbow, which have produced other BIFROSE variants such as KIVARS and KIVARS x64. UNIX-based operating systems are widely used in servers, workstations, and even mobile devices. With a lot of highly confidential data found in these servers and devices, a UNIX version of BIFROSE can certainly be classified as a...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/m3eM40z3oI8/
*** CacheBleed attack: CPU cache can reveal private keys ***
---------------------------------------------
Researchers have succeeded in eavesdropping on OpenSSL's RSA operations by means of a cache-timing attack and thereby recovering the private key. The CacheBleed attack exploits cache-bank access conflicts on the CPU.
---------------------------------------------
http://www.golem.de/news/cachebleed-angriff-cpu-cache-kann-private-schluess…
*** Let's ride with TeslaCrypt ***
---------------------------------------------
TeslaCrypt is ransomware spread by e-mails or exploit kits. It encrypts your files and asks you to pay in order to retrieve the decryption key. The current version is 3.0. Many analyses are already available on the Internet. In this article we focus on two aspects of TeslaCrypt: the attack vector and the web callback...
---------------------------------------------
http://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/
*** Security: supposed Locky warning from the BKA is a trojan ***
---------------------------------------------
Criminals are now apparently exploiting the fear of Locky. An e-mail purportedly from the Bundeskriminalamt warns about the crypto-trojan and offers a removal tool, which itself contains malware.
---------------------------------------------
http://www.golem.de/news/security-angebliche-locky-warnung-vom-bka-ist-ein-…
*** $17 smartwatch sends something to random Chinese IP address ***
---------------------------------------------
Samsung Gear 2 also has some problems, researcher says (BSides RSA). A cheap smart watch often peddled on eBay uses a pairing app for Android or iOS that contains a backdoor that quietly connects to an unknown Chinese IP address.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/03/02/chinese_bac…
*** iPhone fingerprint can be fooled with modelling clay ***
---------------------------------------------
A manufacturer of fingerprint sensors shows how easily Apple's Touch ID can be bypassed with fake fingerprints.
---------------------------------------------
http://futurezone.at/produkte/iphone-fingerabdruck-laesst-sich-mit-plastili…
*** The DROWN attack on SSL/TLS ***
---------------------------------------------
Here we go again: there is a media buzz about a newly discovered vulnerability in SSL/TLS. It has a name (DROWN = Decrypting RSA with Obsolete and Weakened eNcryption) and a fancy logo. All of it can be read at: [...] We have looked at it and decided not to publish an official warning. The problem is not as urgent and dramatic as some...
---------------------------------------------
http://www.cert.at/services/blog/20160302151126-1688.html
*** Django Bugs Let Remote Users Conduct Redirect and Cross-Site Scripting Attacks and Determine Valid Usernames ***
---------------------------------------------
http://www.securitytracker.com/id/1035152
*** DFN-CERT-2016-0366: Perl: multiple vulnerabilities allow, among other things, the execution of arbitrary code with user privileges ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0366/
*** Intel Security - Security Bulletin: Protected resource access bypass vulnerability resolved in multiple McAfee endpoint products for Microsoft Windows ***
---------------------------------------------
Multiple McAfee endpoint products include a private mechanism to access settings and files protected by self-protection rules. This mechanism is not sufficiently secure and may be misused to access registry keys and files that should be protected from tampering.
---------------------------------------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10151
*** Schneider Electric Building Operation Application Server Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
*** Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting ***
---------------------------------------------
This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco NX-OS Software TCP Netstack Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Nexus 3000 Series and 3500 Platform Switches Insecure Default Credentials Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Web Security Appliance HTTPS Packet Processing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco NX-OS Software SNMP Packet Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FireSIGHT System Software Covert Timing Channel Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FireSIGHT System Software Device Management UI Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Privileged Identity Manager Virtual Appliance (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21978009
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail affected by glibc, getaddrinfo stack-based buffer overflow (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977368
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Marketing Platform, IBM Campaign, IBM Predictive Insight, IBM Contact Optimization, IBM Marketing Operations (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976886
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Tivoli Storage Manager Fastback for Workstations (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974685
---------------------------------------------
*** Security Bulletin: Vulnerabilities in OpenSSL and MD5 Signature and Hash Algorithm (CVE-2015-7575) affect IBM System Networking RackSwitch products. ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099210
---------------------------------------------
*** Security Bulletin: Multiple vulnerabilities, including MD5 Signature and Hash Algorithm (CVE-2015-7575), affect IBM Flex System Networking Switches ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099200
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libpng affect IBM Cognos Metrics Manager (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540) ***
http://www.ibm.com/support/docview.wss?uid=swg21976924
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Client Application Access (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977618
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 29-02-2016 18:00 − Tuesday 01-03-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Bleichenbacher attack: DROWN decrypts using an ancient SSL protocol ***
---------------------------------------------
No modern browser supports the old SSL protocol version 2. Nevertheless it can become a security risk as long as servers still support it for compatibility reasons. It does not even have to be the same server.
---------------------------------------------
http://www.golem.de/news/bleichenbacher-angriff-drown-entschluesselt-mit-ur…
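As an added example (not code from the golem article, the NCSC factsheet "Disable SSL 2.0 and upgrade OpenSSL" above, or the DROWN authors' own tooling) of the check both items call for: a probe that sends a single SSLv2 CLIENT-HELLO and parses the SERVER-HELLO, reporting whether a host still completes an SSLv2 handshake and whether it offers the 40-bit export ciphers that the general DROWN attack relies on. Because the attack needs only the same RSA key, not the same machine, run it against every host and port (HTTPS, SMTP, IMAP, POP3) that shares a certificate with the server you care about. Testing on the wire matters because, as the NCSC note says, a vulnerable OpenSSL can be abused even where SSL 2.0 is believed to be switched off; patching (CVE-2016-0800 in the OpenSSL list below) is still required. The embedded SERVER-HELLO is a constructed test vector, not a capture, and its certificate bytes are a placeholder, not a real certificate.

```python
import os
import socket
import struct
import sys

# SSLv2 wire constants (SSL 2.0 specification, draft-hickman-netscape-ssl-00).
SSLV2_VERSION = 0x0002
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04

# The seven SSLv2 cipher kinds (3 bytes each). The two EXPORT40 kinds are what general DROWN
# needs: a 40-bit RC4/RC2 key is brute-forceable, which is what makes the padding oracle cheap.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}


def sslv2_record(payload):
    """2-byte SSLv2 record header: high bit set, the remaining 15 bits are the payload length."""
    return struct.pack(">H", 0x8000 | len(payload)) + payload


def build_client_hello(challenge=None):
    """CLIENT-HELLO offering every SSLv2 cipher kind, so the SERVER-HELLO reveals all the server accepts."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    header = struct.pack(">BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                         len(specs), 0, len(challenge))          # no session id
    return sslv2_record(header + specs + challenge)


def parse_server_hello(data):
    """Return None unless `data` is an SSLv2 SERVER-HELLO record, otherwise the cipher kinds the
    server is willing to use. A SERVER-HELLO at all is the evidence that SSLv2 is still enabled."""
    if len(data) < 2 or not data[0] & 0x80:
        return None                                  # TLS alert, plain close or garbage
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    _sid_hit, _cert_type, version, cert_len, spec_len, _conn_len = struct.unpack(">BBHHHH", body[1:11])
    if version != SSLV2_VERSION:
        return None
    spec_start = 11 + cert_len
    raw = body[spec_start:spec_start + spec_len]
    specs = [raw[i:i + 3] for i in range(0, len(raw) - len(raw) % 3, 3)]
    return {
        "ciphers": [SSLV2_CIPHERS.get(s, s.hex()) for s in specs],
        "export_ciphers": [SSLV2_CIPHERS[s] for s in specs if s in EXPORT_CIPHERS],
        "certificate_der": body[11:spec_start],     # the RSA key shared with the TLS endpoints
    }


def assess(server_hello):
    if server_hello is None:
        return "no SSLv2"
    if server_hello["export_ciphers"]:
        return "SSLv2 with export ciphers: exposed to general DROWN"
    return "SSLv2 enabled: disable it and patch OpenSSL regardless of the cipher list"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port=443, timeout=5.0):
    """Live check: one SSLv2 CLIENT-HELLO, then read exactly one record back and parse it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        header = _recv_exact(sock, 2)
        if len(header) < 2 or not header[0] & 0x80:
            return None
        length = ((header[0] & 0x7F) << 8) | header[1]
        return parse_server_hello(header + _recv_exact(sock, length))


def _constructed_server_hello():
    """Constructed test vector: a server accepting RC4-128, RC4-40-export and 3DES. Not a capture."""
    cert = b"\x30\x03\x02\x01\x01"                  # placeholder DER bytes, not a real certificate
    specs = b"\x01\x00\x80\x02\x00\x80\x07\x00\xc0"
    conn_id = b"\x00" * 16
    body = struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert), len(specs), len(conn_id))
    return sslv2_record(body + cert + specs + conn_id)

SAMPLE_SERVER_HELLO = _constructed_server_hello()

if __name__ == "__main__":                          # usage: python drown_probe.py host [port]
    if len(sys.argv) > 1:
        result = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    else:
        result = parse_server_hello(SAMPLE_SERVER_HELLO)
    print(assess(result), result and result["ciphers"])
```

The probe reads a single record and stops; it never completes a handshake, so it leaves no encrypted session behind and works against non-HTTP ports that wrap TLS directly. Servers that do not speak SSLv2 typically answer the SSLv2-framed hello with a TLS alert (first byte 0x15) or close the connection, both of which `parse_server_hello` reports as "no SSLv2".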
*** The Definitive Guide on Win32 to NT Path Conversion ***
---------------------------------------------
Posted by James Forshaw, path'ological reverse engineer. How the Win32 APIs process file paths on Windows NT is a tale filled with backwards compatibility hacks, weird behaviour, and beauty. Incorrect handling of Win32 paths can lead to security vulnerabilities. This blog post is to try and give a definitive* guide on the different types of paths supported by the OS. I'm going to try and avoid discussion of quirks in the underlying filesystem implementations (such as NTFS...
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32…
*** De-obfuscating malicious Vbscripts ***
---------------------------------------------
With the renewed popularity of Visual Basic as a first attack vector in mind, we took a look at de-obfuscating a few recent VBS files, starting with a very easy one and progressing to a much more complex script.
---------------------------------------------
https://blog.malwarebytes.org/intelligence/2016/02/de-obfuscating-malicious…
*** Look Into Locky ***
---------------------------------------------
Some sources say that Locky is the latest ransomware created and released in the wild by the Dridex gang. Our studies indicate that it is well prepared, which means that the threat actor(s) behind it have invested in it.
---------------------------------------------
https://blog.malwarebytes.org/intelligence/2016/03/look-into-locky/
*** OpenSSL Security Advisories ***
---------------------------------------------
CVE-2016-0800 (OpenSSL advisory) [High severity]
CVE-2016-0705 (OpenSSL advisory) [Low severity]
CVE-2016-0798 (OpenSSL advisory) [Low severity]
CVE-2016-0797 (OpenSSL advisory) [Low severity]
CVE-2016-0799 (OpenSSL advisory) [Low severity]
CVE-2016-0702 (OpenSSL advisory) [Low severity]
CVE-2016-0703 (OpenSSL advisory) [High severity]
CVE-2016-0704 (OpenSSL advisory) [Moderate severity]
---------------------------------------------
https://openssl.org/news/vulnerabilities.html
*** VU#938151: Forwarding Loop Attacks in Content Delivery Networks may result in denial of service ***
---------------------------------------------
Vulnerability Note VU#938151, original release date 29 Feb 2016, last revised 29 Feb 2016. Overview: Content Delivery Networks (CDNs) may in some scenarios be manipulated into a forwarding loop, which consumes server resources and causes a denial of service (DoS) on the network. Description (CWE-400: Uncontrolled Resource Consumption / Resource Exhaustion): Content Delivery Networks (CDNs) are used to improve...
---------------------------------------------
http://www.kb.cert.org/vuls/id/938151
*** F5 Security Advisory: Multiple NTP vulnerabilities CVE-2015-8139 and CVE-2015-8140 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/00/sol00329831.html?…
*** Bugtraq: [security bulletin] HPSBUX03552 SSRT102983 rev.1 - HP-UX BIND running Named, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537659
*** DFN-CERT-2016-0355: phpMyAdmin: multiple vulnerabilities allow, among other things, bypassing security measures ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0355/
*** Bugtraq: [SYSS-2016-009] Sophos UTM 525 Web Application Firewall - Cross-Site Scripting in ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537662
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of Tivoli Network Manager IP Edition (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974785
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities in Apache Tomcat affect IBM RLKS Administration and Reporting Tool ***
http://www.ibm.com/support/docview.wss?uid=swg21976103
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977374
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977372
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web 7.0 software (CVE-2016-0603) ***
http://www.ibm.com/support/docview.wss?uid=swg21978024
---------------------------------------------
*** IBM Security Bulletin: Cross-Site scripting vulnerability in IBM Business Process Manager document list control (CVE-2016-0227) ***
http://www.ibm.com/support/docview.wss?uid=swg21978058
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM OS Images for Red Hat Linux Systems, AIX, and Windows. (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977880
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Image Construction and Composition Tool (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977647
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Workload Deployer (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977646
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM SmartCloud Entry (CVE-2016-0475 CVE-2016-0448 CVE-2015-7575 CVE-2016-0466) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023408
---------------------------------------------
*** Security Bulletin: Vulnerability in IBM Java SDK affects IBM System Networking Switch Center (CVE-2015-7575) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099203
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM PureApplication System. (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21978026
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Mobile ***
http://www.ibm.com/support/docview.wss?uid=swg21976765
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business ***
http://www.ibm.com/support/docview.wss?uid=swg21976678
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Software Architect, Software Architect for WebSphere Software and Rational Software Architect RealTime ***
http://www.ibm.com/support/docview.wss?uid=swg21976894
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Tivoli System Automation Application Manager (CVE-2015-5254) ***
http://www.ibm.com/support/docview.wss?uid=swg21977546
---------------------------------------------