Daily

daily@lists.cert.at

1 participants
3196 discussions

Tageszusammenfassung - Freitag 12-02-2016
by Daily end-of-shift report 12 Feb '16

12 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 11-02-2016 18:00 − Freitag 12-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** SC Congress: "flakey kettles and dolls that swear at you" *** --------------------------------------------- Ken Munro, managing director of Pen Test Partners, showed the SC Congress just how easy it is to crack a whole range of IoT nonsense --------------------------------------------- http://www.scmagazine.com/sc-congress-flakey-kettles-and-dolls-that-swear-a… *** Determining Physical Location on the Internet *** --------------------------------------------- Interesting research: "CPV: Delay-based Location Verification for the Internet": Abstract: The number of location-aware services over the Internet continues growing. Some of these require the clients geographic location for security-sensitive applications. Examples include location-aware authentication, location-aware access policies, fraud prevention, complying with media licensing, and regulating online gambling/voting. An adversary can evade existing geolocation techniques, e.g.,... --------------------------------------------- https://www.schneier.com/blog/archives/2016/02/determining_phy.html *** New Trojan threatens users' bank accounts *** --------------------------------------------- February 12, 2016 Banking Trojans are considered to be one of the most dangerous threats. Not only they have a complex architecture but they are also capable to perform a wide variety of functions. Yet, some attackers do not disdain to contrive rather primitive malicious programs such as, for example, Trojan.Proxy2.102, which was examined by Doctor Web specialists. Trojan.Proxy2.102 steals money from victims' bank accounts using the following method. Once launched, it installs a root... --------------------------------------------- http://news.drweb.com/show/?i=9840&lng=en&c=9 *** Vermehrte Scans und Workarounds zu Ciscos ASA-Lücke *** --------------------------------------------- Die Angreifer sammeln offenbar bereits aktiv Informationen zu möglicherweise verwundbaren Systemen, während die Verteidiger noch mit den Tücken des Updates kämpfen. --------------------------------------------- http://heise.de/-3100443 *** Download.com and Others Bundle Superfish-Style HTTPS Breaking Adware *** --------------------------------------------- It's a scary time to be a Windows user. Lenovo was bundling HTTPS-hijacking Superfish adware, Comodo ships with an even worse security hole called PrivDog, and dozens of other apps like LavaSoft are doing the same. It's really bad, but if you want your encrypted web sessions to be hijacked just head to CNET Downloads or any freeware site, because they are all bundling HTTPS-breaking adware now. --------------------------------------------- http://www.howtogeek.com/210265/download.com-and-others-bundle-superfish-st… *** How to Avoid Potentially Unwanted Programs *** --------------------------------------------- We've come up with a PUPs cheat sheet that businesses can use to train IT staff and users. A little PUPs awareness, if you will. Read on to learn more about how you get PUPs, Categories: Online SecurityTags: avoidpotentially unwanted programsPUP(Read more...) --------------------------------------------- https://blog.malwarebytes.org/online-security/2016/02/how-to-avoid-potentia… *** How to use the traffic light protocol - TLP *** --------------------------------------------- The TLP or Traffic Light Protocol is a set of designations designed to help sharing of sensitive information. It has been widely adopted in the CSIRT and security community. The originator of the information labels the information with one of four colours. These colours indicate what further dissemination, if any, can be undertaken by the recipient. Note that the colours only mark the level of dissemination, not the sensitivity level (although they often align). --------------------------------------------- https://www.vanimpe.eu/2015/08/21/use-traffic-light-protocol-tlp/ *** D-Link DSL-2750B Remote Command Execution *** --------------------------------------------- Topic: D-Link DSL-2750B Remote Command Execution Risk: High Text:After some playing around Ive noticed something interesting during login phase: by sending wrong credentials, user is redirec... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020128 *** Sophos UTM 9 Cross Site Scripting *** --------------------------------------------- Topic: Sophos UTM 9 Cross Site Scripting Risk: Low Text: -- Vendor: -- Sophos (https://www.sophos.com) -- Affected Products/Versions: -- Produc... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020117 *** ASUS Router Administrative Interface Exposure *** --------------------------------------------- Topic: ASUS Router Administrative Interface Exposure Risk: Low Text:Asus wireless routers running ASUSWRT firmware (in other words, anything with an RT- in the model name) have a design flaw in w... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020116 *** ZCM 11.3.x - Fix for CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability - See TID 7017240 *** --------------------------------------------- Abstract: Vulnerability overview: CVE-2015-5970 An XPath injection exists in the ChangePassword RPC method implementation. By combining this with an entity reference to a file on the appliance, an attacker can exfiltrate arbitrary text files from the vulnerable device.This issue has been found and reported by cpnrodzc7 working with HPs Zero Day Initiative (ZDI-CAN-3136). Patch overview: This patch contains the necessary files and installation information to correct the below issue on ZCM 11.3.x --------------------------------------------- https://download.novell.com/Download?buildid=vt0EO0DgaX8~ *** ZCM 11.4.x - Fix for CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability - See TID 7017240 *** --------------------------------------------- Abstract: Vulnerability overview: CVE-2015-5970 An XPath injection exists in the ChangePassword RPC method implementation. By combining this with an entity reference to a file on the appliance, an attacker can exfiltrate arbitrary text files from the vulnerable device.This issue has been found and reported by cpnrodzc7 working with HPs Zero Day Initiative (ZDI-CAN-3136). Patch overview: This patch contains the necessary files and installation information to correct the below issue on ZCM 11.4.x --------------------------------------------- https://download.novell.com/Download?buildid=SOM6P0NdZ5U~ *** PostgreSQL Bugs Let Remote Users Deny Service and Let Remote Authenticated Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1035005 *** DFN-CERT-2016-0260: Mozilla Firefox, Firefox ESR: Zwei Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0260/ *** DFN-CERT-2016-0263: Cacti: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0263/

1 0

Tageszusammenfassung - Donnerstag 11-02-2016
by Daily end-of-shift report 11 Feb '16

11 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 10-02-2016 18:00 − Donnerstag 11-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Critical bug found in Cisco ASA products, attackers are scanning for affected devices *** --------------------------------------------- Several Cisco Adaptive Security Appliance (ASA) products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code exec... --------------------------------------------- http://www.net-security.org/secworld.php?id=19427 *** Some notes on VirusTotal. *** --------------------------------------------- Many of you are probably familiar with VirusTotal, a service that allows you to scan a file or URL using multiple antivirus and URL scanners. VirusTotal results are often used in write-ups about...read moreThe post Some notes on VirusTotal. appeared first on Webroot Threat Blog. --------------------------------------------- http://www.webroot.com/blog/2016/02/09/some-notes-on-virustotal/ *** Seo-moz.com SEO Spam Campaign *** --------------------------------------------- Here at Sucuri we handle countless cases of SEO spam. This malware involves a website being compromised in order to spread (mostly pharmaceutical) advertisements by linking visitors to unwanted websites and stuffing spam keywords into the site. These links and keywords help the spam websites to rank higher in search engines like Google, sending evenRead More The post Seo-moz.com SEO Spam Campaign appeared first on Sucuri Blog. --------------------------------------------- https://blog.sucuri.net/2016/02/seo-moz-com-seo-spam-campaign.html *** Malvertising Via Skype Delivers Angler *** --------------------------------------------- A recent malvertising campaign shows that platforms that display ads, even when they are not necessarily the browser, are not immune to the attack. An example of a popular non-browser application that shows ads is Skype. These images would be familiar to avid Skype users. This did not really bother us much until last night, when we... --------------------------------------------- https://labsblog.f-secure.com/2016/02/10/malvertising-via-skype-delivers-an… *** Tomcat IR with XOR.DDoS, (Thu, Feb 11th) *** --------------------------------------------- Apache Tomcat is a java based web service that is used for different applications. While you may have it running in your environment, you may not be familiar with its workings to provide adequate incident response "> "> ">0 S root 31847 1 0 80 0 - 1124641 futex_ 2015 ? 02:36:33 /usr/bin/java -classpath /usr/share/apache-tomcat-7.0.65/bin/bootstrap.jar ">Here you can see that it is running from /usr/share/apache-tomcat-7.0.65. ">The Tomcat configurations --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20721&rss *** Building automation systems are so bad IBM hacked one for free *** --------------------------------------------- Remote sites owned as router, controller and server all fall to pen-test team An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicise the horrid state of embedded device security. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/11/building_au… *** How Malware Detects Virtualized Environment, and its Countermeasures - An Overview *** --------------------------------------------- Virtual Machines are usually considered a good way to analyze malware as they can provide an isolated environment for the malware to trigger but their actions can be controlled and intercepted. However, modern age malware detects their environment in which they are running, and if they detect they are running in VM, they sustain their... --------------------------------------------- http://resources.infosecinstitute.com/how-malware-detects-virtualized-envir… *** DFN-CERT-2016-0252: Cisco Adaptive Security Appliance Software: Eine Schwachstelle ermöglicht die Übernahme der Systemkontrolle *** --------------------------------------------- Eine Schwachstelle in der Cisco Adaptive Security Appliances Software ermöglicht einem entfernten, nicht authentifizierten Angreifer beliebigen Programmcode auszuführen und so die Kontrolle über ein betroffenes System zu übernehmen, auch ist die Durchführung eines Denial-of-Service-Angriffs möglich. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0252/ *** ZDI-16-163: Dell SonicWALL GMS Virtual Appliance Deserialization of Untrusted Data Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-163/ *** ZDI-16-164: Dell SonicWALL GMS Virtual Appliance Multiple Remote Code Execution Vulnerabilities *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-164/ *** Cisco Spark Representational State Transfer Interface Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Spark Representational State Transfer Interface Unauthorized Access Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Spark Representational State Transfer Interface Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Advanced Malware Protection and Email Security Appliance Proxy Engine Security Bypass Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates *** --------------------------------------------- A number of vulnerabilities have been identified in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that could allow a malicious, unprivileged user to perform privileged operations or execute commands. --------------------------------------------- https://support.citrix.com/article/CTX206001 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libssh2 affects PowerKVM (CVE-2015-1782) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023318 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in curl affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023307 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects Tivoli Storage Manager Operations Center and Tivoli Storage Manager Client Management Service (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976362 --------------------------------------------- *** IBM Security Bulletin:Security Bulletin: Vulnerability in IBM Java Runtime affect AppScan Source (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976569 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in cpio affects PowerKVM (CVE-2014-9112) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023298 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Linux Kernel affects PowerKVM (CVE-2016-0728) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023279 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Netezza Platform Software clients (CVE-2015-3194) *** http://www.ibm.com/support/docview.wss?uid=swg21976419 --------------------------------------------- *** IBM Security Bulletin: IBM Sterling Order Management is affected by Apache Commons Collections security vulnerabilities (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21975793 --------------------------------------------- *** IBM Security Bulletin: Cross-site scripting vulnerability in Liberty for Java for IBM Bluemix (CVE-2015-7417) *** http://www.ibm.com/support/docview.wss?uid=swg21976218 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM JAVA Runtime affect AppScan Source (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21976159 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 10-02-2016
by Daily end-of-shift report 10 Feb '16

10 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 09-02-2016 18:00 − Mittwoch 10-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Fast Flux Bot Nets and Fluxer - Part 1 *** --------------------------------------------- This time well start a two-parter on fast flux bot nets including the concept of domain generation algorithms. --------------------------------------------- http://www.scmagazine.com/fast-flux-bot-nets-and-fluxer--part-1/article/473… *** DMA Locker Strikes Back *** --------------------------------------------- A few days ago we published a post about a new ransomware - DMA Locker (read more here). At that time, it was using a pretty simple way of storing keys. Having the original sample was enough to recover files. Unfortunately, the latest version (discovered February 8th) comes with several improvements and RSA key. Let's... --------------------------------------------- https://blog.malwarebytes.org/news/2016/02/dma-locker-strikes-back/ *** Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months *** --------------------------------------------- Regen your keys ASAP Web hosting biz Linode broke the security in its customers virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/linode_ssh_… *** Skimmers Hijack ATM Network Cables *** --------------------------------------------- If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data. --------------------------------------------- http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/ *** Patchday: Microsoft stopft 6 kritische Lücken, lässt alte Internet-Explorer-Versionen im Regen stehen *** --------------------------------------------- Es ist wieder einmal Zeit zum Updaten für Microsoft-Anwender. Wer noch ältere Versionen des Internet Explorer im Einsatz hat, muss jetzt schleunigst handeln. --------------------------------------------- http://heise.de/-3098499 *** The history of Cryptowall: a large scale cryptographic ransomware threat *** --------------------------------------------- This tracker focusses on tracking the development changes in the CryptoWall ransomware, it does not attempt to track every single CryptoWall sample that exists. It simply exists to track the family in a more higher level fashion, a few samples will be listed next to specific versions just for reference rather than bulk collection. The timeline below shows the development track of CryptoWall when new versions were first seen. Below the timeline you will find an overview. --------------------------------------------- https://www.cryptowalltracker.org/ *** Sparkle-Installer: Gatekeeper-Sicherung für Macs lässt sich umgehen *** --------------------------------------------- Viele App-Entwickler für Mac nutzen das Sparkle-Framwork für praktische Auto-Updates - und machen damit zahlreiche Mac-Programme angreifbar. Betroffen sind nicht nur VLC und uTorrent. --------------------------------------------- http://www.golem.de/news/man-in-the-middle-angriff-sparkle-installer-macht-… *** Cracking Damn Insecure and Vulnerable App (DIVA) - part 5: *** --------------------------------------------- In the first four articles, we have discussed solutions for the first eleven challenges in DIVA. In this last article of this series, we will discuss the remaining two challenges that are related to native code. In case if you missed the previous articles in this series, here are the links. http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… --------------------------------------------- http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… *** Hijacking forgotten & misconfigured subdomains *** --------------------------------------------- Its been a while since my last blog post, so I decided to release a new tool. I think that we need more articles about "DNS hacking", I hope that you will learn something new here. --------------------------------------------- http://www.xexexe.cz/2016/02/hijacking-forgotten-misconfigured.html *** Network forensic analysis tool NetworkMiner 2.0 released *** --------------------------------------------- NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. ... --------------------------------------------- http://www.net-security.org/secworld.php?id=19421 *** MSRT February 2016 *** --------------------------------------------- The February release of the Microsoft Malicious Software Removal Tool (MSRT) includes updated detections for the following malware families: Bladabindi Gamarue Sality Kelihos Diplugem The updates include detections for the latest variants from these malware families. There were no new malware families added to the MSRT this month. The MSRT works in tandem with real-time... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/02/09/msrt-february-2016/ *** MS16-FEB - Microsoft Security Bulletin Summary for February 2016 - Version: 1.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-FEB *** Deception: Shine Bright Like a Diamond *** --------------------------------------------- ***German Summary: Projektpläne, Designs, Kundendaten: Die Kronjuwelen eines jeden Unternehmens gehören vor Cyberkriminellen unter allen Umständen versteckt - oder? Werfen Sie den Ködern aus, denn jetzt täuschen die Guten! Deception ("Täuschung") lautet der neue Cyber-Security-Ansatz, der nach Schätzungen des renommierten Marktforschungsunternehmens Gartner bereits 2018 in rund 10 % aller Unternehmen zum Einsatz kommen wird. Virtuelle Fallen... --------------------------------------------- http://blog.sec-consult.com/2016/02/deception-shine-bright-like-diamond.html *** Tollgrade SmartGrid Sensor Management System Software Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in Tollgrade Communications, Inc.'s SmartGrid LightHouse Sensor Management System (SMS) Software EMS. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-040-01 *** Bugtraq: Safebreach adsivory: Node.js HTTP Response Splitting (CVE-2016-2216) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537490 *** Bugtraq: ESA-2016-010 EMC Documentum xCP Security Update for Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/537489 *** Bugtraq: dotDefender Firewall CSRF *** --------------------------------------------- http://www.securityfocus.com/archive/1/537491 *** [2016-02-10] Yeager CMS multiple vulnerabilities *** --------------------------------------------- Yeager CMS suffers from multiple critical security issues including multiple SQL injections, arbitrary file upload, server-side request forgery and non-permanent cross-site scripting vulnerabilities. Unauthenticated attackers are able to compromise Yeager CMS in both application and database levels. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** DFN-CERT-2016-0237: Horde Application Framework: Zwei Schwachstellen ermöglichen einen Cross-Site-Scripting-Angriff *** --------------------------------------------- 09.02.2016 --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0237/ *** Cisco Security Advisories *** --------------------------------------------- *** Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Collaboration Provisioning Local Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Application Policy Infrastructure Controller Enterprise Module Web Framework Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Video Communications Server Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Products Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Communications Manager Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect Liberty for Java for IBM Bluemix January 2016 CPU (CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21976217 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Security SiteProtector System (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976042 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Manager (FSM) (CVE-2016-0777, CVE-2016-0778) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023319 --------------------------------------------- *** IBM Security Bulletin: IBM Pure Power Integrated Manager (PPIM) is affected by vulnerabilities in ntp (CVE-2014-9750, CVE-2014-9751) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023291 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Pure Power Integrated Manager (PPIM) (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023292 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects Watson Explorer (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21974808 --------------------------------------------- *** IBM Security Bulletin: IBM Netezza SQL Extensions is vulnerable to an OpenSource PCRE Vulnerability (CVE-2015-8380, CVE-2015-8382, CVE-2015-8391) *** http://www.ibm.com/support/docview.wss?uid=swg21976124 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803) *** http://www.ibm.com/support/docview.wss?uid=swg21971058 --------------------------------------------- *** IBM Security Bulletin: A libxml vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-1819) *** http://www.ibm.com/support/docview.wss?uid=swg21976393 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2014-8121) *** http://www.ibm.com/support/docview.wss?uid=swg21976290 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access Manager for Mobile (CVE-2015-2730) *** http://www.ibm.com/support/docview.wss?uid=swg21976295 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by an OpenSSH vulnerability (CVE-2008-5161) *** http://www.ibm.com/support/docview.wss?uid=swg21976082 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by multiple NTP vulnerabilities *** http://www.ibm.com/support/docview.wss?uid=swg21975967 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM MQ Light (CVE-2015-3197) *** http://www.ibm.com/support/docview.wss?uid=swg21976345 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVS-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21975832 --------------------------------------------- *** IBM Security Bulletin: A Security Vulnerability has been identified in Apache Solr shipped with IBM Operations Analytics - Log Analysis *** http://www.ibm.com/support/docview.wss?uid=swg21975544 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL and libcURL affect IBM Security Access Manager (CVE-2014-3613, CVE-2014-8150) *** http://www.ibm.com/support/docview.wss?uid=swg21974736 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM MQ Light (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976341 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 9-02-2016
by Daily end-of-shift report 09 Feb '16

09 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 08-02-2016 18:00 − Dienstag 09-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Gate To Nuclear EK Uses Fake CloudFlare DDoS Check *** --------------------------------------------- This rogue CloudFlare page hides a malicious payload. Categories: ExploitKits Tags: cloudflareEKNuclear(Read more...) --------------------------------------------- https://blog.malwarebytes.org/exploitkits/2016/02/gate-to-nuclear-ek-uses-f… *** Patching Complex Web Vulnerabilities Using ModSecurity WAF *** --------------------------------------------- In this blog post we will demonstrate complicated examples of common web application vulnerabilities, and see how they can be mitigated with ModSecurity WAF. --------------------------------------------- https://www.htbridge.com/blog/patching-complex-web-vulnerabilities-using-mo… *** Its 2016 and a font file can own your computer *** --------------------------------------------- Libgraphite font library buggy and vulnerable in Firefox, Thunderbird, WordPad and more says Talos Cisco-owned Talos has announced a bunch of font library bugs present in apps running on Windows and Linux, affecting client and-server-side machines. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/libgraphite… *** Power Grid Honeypot Puts Face on Attacks *** --------------------------------------------- Researchers from MalCrawler built a honeypot mimicking an electronic management system at the heart of a power grid, exposing attackers' behavior once they have access to critical infrastructure systems. --------------------------------------------- http://threatpost.com/power-grid-honeypot-puts-face-on-attacks/116217/ *** Russian hackers used malware to manipulate the Dollar/Ruble exchange rate *** --------------------------------------------- Russian-language hackers have managed to break into Russian regional bank Energobank, infect its systems, and gain unsanctioned access to its trading system terminals, which allowed them to manipulat... --------------------------------------------- http://www.net-security.org/malware_news.php?id=3201 *** How to Hack the Power Grid Through Home Air Conditioners *** --------------------------------------------- Researchers show how hackers can manipulate the remote on-off device installed on some air conditioners to cause a blackout. --------------------------------------------- http://www.wired.com/2016/02/how-to-hack-the-power-grid-through-home-air-co… *** (Not only) Oracle Java Windows installer vulnerable *** --------------------------------------------- Oracle hat einen Out-of-Band Patch für Java 6, 7 und 8 für Windows veröffentlicht, mit dem eine Sicherheitslücke im Installationsprozess geschlossen wird. Es sind dazu bereits zahlreiche Medienberichte erschienen, in denen allerdings häufig die Tatsache ausser acht gelassen wird, dass es sich hier nicht um eine Java-spezifische Schwachstelle handelt. Das Problem - Stichwort "Binary Planting" -... --------------------------------------------- http://www.cert.at/services/blog/20160209102305-1678.html *** Security Bulletins Posted *** --------------------------------------------- Security Bulletins for Adobe Photoshop and Bridge (APSB16-03), Flash Player (APSB16-04), Adobe Experience Manager (APSB16-05) and Adobe Connect (APSB16-07) have been published. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. This... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1315 *** DSA-3472 wordpress - security update *** --------------------------------------------- Two vulnerabilities were discovered in wordpress, a web blogging tool.The Common Vulnerabilities and Exposures project identifies thefollowing problems: --------------------------------------------- https://www.debian.org/security/2016/dsa-3472 *** DSA-3471 qemu - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu, a full virtualizationsolution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3471 *** DSA-3470 qemu-kvm - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu-kvm, a fullvirtualization solution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3470 *** DSA-3469 qemu - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu, a full virtualizationsolution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3469 *** USN-2880-2: Firefox regression *** --------------------------------------------- Ubuntu Security Notice USN-2880-28th February, 2016firefox regressionA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryUSN-2880-1 introduced a regression in Firefox.Software description firefox - Mozilla Open Source web browser DetailsUSN-2880-1 fixed vulnerabilities in Firefox. This update introduced aregression which caused Firefox to crash on startup with some configurations.This update fixes the problem.We apologize --------------------------------------------- http://www.ubuntu.com/usn/usn-2880-2/

1 0

Tageszusammenfassung - Montag 8-02-2016
by Daily end-of-shift report 08 Feb '16

08 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 05-02-2016 18:00 − Montag 08-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Magento PCI Compliance Issues and Theft Over TLS *** --------------------------------------------- With about 30% of the market share, Magento is gradually becoming a "WordPress" of the ecommerce world. Like WordPress, it becomes a major target for hackers due to its popularity. However, in the case of Magento, the main goal that hackers pursue is to steal money, either from shop customers or the shop owners. During... --------------------------------------------- https://blog.sucuri.net/2016/02/theft-over-tls-or-illusion-of-pci-complianc… *** Extracting and distributing information on incidents, or what is PROKI *** --------------------------------------------- In the last blogpost, I promised to write something about our new project PROKI. PROKI is the abbreviation of the Czech phrase for "prediction and protection against cyber incidents" and in this project, our team set two goals for itself. --------------------------------------------- http://en.blog.nic.cz/2016/02/05/extracting-and-distributing-information-on… *** GitHub bug bounty hunting *** --------------------------------------------- Last month, I went hunting for security bugs in GitHub, a popular platform for sharing and collaborating on code. After spending many hours mapping out GitHub's infrastructure, and testing for weaknesses without any significant results or leads, I shifted my focus to the service providers. This is a write-up about two of the issues I found, which both have since been addressed. --------------------------------------------- https://medium.com/@ircbot/github-bug-bounty-hunting-741de324be1c *** Netgear-Router-Software: Schwachstelle ermöglicht Dateiupload und Download *** --------------------------------------------- Die Router-Verwaltungssoftware Netgear Management System hat ein Sicherheitsproblem. Angreifer können zwischen einer Remote-Code-Execution und einer Directory-Traversal-Schwachstelle wählen. Einen Patch gibt es bislang nicht. --------------------------------------------- http://www.golem.de/news/netgear-router-software-schwachstelle-ermoeglicht-… *** Bankomat-Trick: Geld abheben, Kontostand bleibt gleich *** --------------------------------------------- Die Angriffe auf Finanzinstitute werden immer erfinderischer. Eine neue Schadsoftware bucht Finanzbeträge aufs Konto zurück, nachdem diese bei Bankomaten abgehoben wurden. --------------------------------------------- http://futurezone.at/digital-life/bankomat-trick-geld-abheben-kontostand-bl… *** T9000 backdoor steals documents, records Skype conversations, victims actions *** --------------------------------------------- A new backdoor Trojan with spyware capabilities is being used in targeted attacks against organizations based in the United States. It has been dubbed T9000, since its a newer, improved version of th... --------------------------------------------- http://www.net-security.org/malware_news.php?id=3199 *** Avast SafeZone Browser Lets Attackers Access Your Filesystem *** --------------------------------------------- Just two days after Comodos Chromodo browser was publicly shamed by Google Project Zero security researcher Tavis Ormandy, its now Avasts turn to be scorned for failing to provide a "secure" browser for its users. --------------------------------------------- http://news.softpedia.com/news/avast-safezone-browser-lets-attackers-access… *** Adwind: FAQ *** --------------------------------------------- Adwind - a cross-platform RAT, multifunctional malware program which is distributed through a single malware-as-a-service platform. Different versions of the Adwind malware have been used in attacks against at least 443,000 private users, commercial and non-commercial organizations around the world. --------------------------------------------- http://securelist.com/blog/research/73660/adwind-faq/ *** Java installer flaw shows why you should clear your Downloads folder *** --------------------------------------------- On most computers, the default download folder quickly becomes a repository of old and unorganized files that were opened once and then forgotten about. A recently fixed flaw in the Java installer highlights why keeping this folder clean is important.On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have laying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason is that older Java... --------------------------------------------- http://www.cio.com/article/3030707/security/java-installer-flaw-shows-why-y… *** Netgear Pro NMS 300 Code Execution / File Download *** --------------------------------------------- Topic: Netgear Pro NMS 300 Code Execution / File Download Risk: High Text:>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300 >> Discovered by Pedro ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020070 *** Oracle Security Alert for CVE-2016-0603 - 5 February 2016 *** --------------------------------------------- To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user's system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system. --------------------------------------------- http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-28743… *** Bugtraq: [security bulletin] HPSBGN03434 rev.1 - HP Continuous Delivery Automation using Java Deserialization, Remote Arbitrary Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/537461 *** Bugtraq: [security bulletin] HPSBHF03431 rev.2 - HPE Network Switches, local Bypass of Security Restrictions, Indirect Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/537460 *** 0Day Vulnerabilities in Advantech WebAccess *** --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-146/ http://www.zerodayinitiative.com/advisories/ZDI-16-147/ http://www.zerodayinitiative.com/advisories/ZDI-16-148/ http://www.zerodayinitiative.com/advisories/ZDI-16-149/ http://www.zerodayinitiative.com/advisories/ZDI-16-150/ http://www.zerodayinitiative.com/advisories/ZDI-16-151/ http://www.zerodayinitiative.com/advisories/ZDI-16-152/ http://www.zerodayinitiative.com/advisories/ZDI-16-153/ http://www.zerodayinitiative.com/advisories/ZDI-16-154/ http://www.zerodayinitiative.com/advisories/ZDI-16-155/ --------------------------------------------- *** SSA-253230 (Last Update 2016-02-08): Vulnerabilities in SIMATIC S7-1500 CPU *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-253230… *** Bugtraq: Local Microsoft Windows 7 / 8 / 10 Buffer Overflow via Third-Party USB-Driver (ser2co64.sys) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537471 *** WooCommerce - Store Toolkit Plugin Privilege Escalation <= 1.5.6 *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8385 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability in net-snmp affects IBM DataPower Gateways (CVE-2015-5621) *** http://www.ibm.com/support/docview.wss?uid=swg21975340 --------------------------------------------- *** IBM Security Bulletin: A cross-site scripting vulnerability has been identified in IBM Security Access Manager for Web (CVE-2015-8531) *** http://www.ibm.com/support/docview.wss?uid=swg21974651 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Web is affected by multiple NTP vulnerabilities *** http://www.ibm.com/support/docview.wss?uid=swg21974652 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Net-SNMP affect IBM Security Access Manager for Web (CVE-2014-3565, CVE-2015-5621) *** http://www.ibm.com/support/docview.wss?uid=swg21974644 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM QRadar SIEM, and QRadar Incident Forensics (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976113 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM DataPower Gateways (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21974965 --------------------------------------------- *** IBM Security Bulletin: Information disclosure vulnerability found in IBM WebSphere Commerce (CVE-2015-7444) *** http://www.ibm.com/support/docview.wss?uid=swg21974307 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Web is affected by Network Security Services (NSS) vulnerabilities (CVE-2015-7181, CVE-2015-7182, CVE-2015-7183) *** http://www.ibm.com/support/docview.wss?uid=swg21974648 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by Network Security Services (NSS) vulnerabilities (CVE-2015-7181, CVE-2015-7182, CVE-2015-7183) *** http://www.ibm.com/support/docview.wss?uid=swg21974650 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GSKit affect IBM Security Access Manager for Web (CVE-2015-7421, CVE-2015-7420) *** http://www.ibm.com/support/docview.wss?uid=swg21974750 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GSKit affect IBM Security Access Manager for Mobile (CVE-2015-7421, CVE-2015-7420) *** http://www.ibm.com/support/docview.wss?uid=swg21974747 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Mobile *** http://www.ibm.com/support/docview.wss?uid=swg21973139 --------------------------------------------- *** IBM Security Bulletin: A libxml vulnerability affects IBM Security Access Manager for Web (CVE-2015-1819) *** http://www.ibm.com/support/docview.wss?uid=swg21974737 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in XML processing affects IBM DataPower Gateways (CVE-2015-1819) *** http://www.ibm.com/support/docview.wss?uid=swg21975341 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Storage Manager ASNODENAME Vulnerability (CVE-2015-7408) *** http://www.ibm.com/support/docview.wss?uid=swg21975957 --------------------------------------------- *** IBM Security Bulletin: A Linux-PAM vulnerability affects IBM Security Access Manager for Web (CVE-2015-3238) *** http://www.ibm.com/support/docview.wss?uid=swg21974738 --------------------------------------------- *** IBM Security Bulletin: A Linux-PAM vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-3238) *** http://www.ibm.com/support/docview.wss?uid=swg21975882 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2014-8121) *** http://www.ibm.com/support/docview.wss?uid=swg21974653 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access Manager for Web (CVE-2015-2730) *** http://www.ibm.com/support/docview.wss?uid=swg21974657 --------------------------------------------- *** IBM Security Bulletin: OpenSSL as used in IBM QRadar SIEM is vulnerable to a Denial of Service attack, and Sensitive Information Exposure. (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) *** http://www.ibm.com/support/docview.wss?uid=swg21976148 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 5-02-2016
by Daily end-of-shift report 05 Feb '16

05 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 04-02-2016 18:00 − Freitag 05-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** WP-Invoice <= 4.1.0 - Multiple Vulnerabilities *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8378 *** User Meta Manager <= 3.4.6 - Authenticated Blind SQL Injection *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8380 *** User Meta Manager <= 3.4.6 - Privilege Escalation *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8379 *** Racing MIDI messages in Chrome *** --------------------------------------------- This is a guest blog post by Oliver Chang from the Chrome Security team.This post is about an exceptionally bad use after free bug in Chrome's browser process that affected Linux, Chrome OS and OS X. What makes this bug interesting is the fact that it could be directly triggered from the web without .. --------------------------------------------- http://googleprojectzero.blogspot.com/2016/02/racing-midi-messages-in-chrom… *** DSA-3466 krb5 - security update *** --------------------------------------------- Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3466 *** Neutrino Exploit Kit Not Responding - Bug or Feature? *** --------------------------------------------- A couple of weeks ago we were looking at some exploit kits in one of our lab environments and noticed a decline in the number of Neutrino instances were seeing. This sent us on yet another journey to investigate Neutrino .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Neutrino-Exploit-Kit-Not-Res… *** Chrome picks up bonus security features on Windows 10 *** --------------------------------------------- The Windows 10 November update (version 1511, build 10586) included a handful of new security features to provide protection against some security issues that have kept on popping up in Windows for a number of years. Google yesterday added source .. --------------------------------------------- http://arstechnica.com/information-technology/2016/02/chrome-picks-up-bonus… *** A trip through the spam filters: more malspam with zip attachments containing .js files *** --------------------------------------------- I was discussing malicious spam (malspam) with a fellow security professional earlier this week. He was examining malspam with zip attachments containing .js files. This is something Ive covered previously in ISC .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20697 *** Verschlüsselungs-Trojaner TeslaCrypt 2 geknackt; Kriminelle rüsten nach *** --------------------------------------------- Opfer des berüchtigten Verschlüsselungs-Trojaners TeslaCrypt können aufatmen: Das kostenlose Tool TeslaDecoder kann zumindest die Dateien der Version 2 entschlüsseln. Doch die Betrüger schlafen nicht: Aktuell kursiert schon Version 3. --------------------------------------------- http://heise.de/-3092667 *** Eset NOD32 Antivirus 9 gefährdet https-Verschlüsselung *** --------------------------------------------- Eset NOD32 Antivirus 9 installiert einen SSL-Filter, der sich in die Verschlüsselung einklinkt. Wie heise Security entdeckte, akzeptiert er dabei unter Umständen gefälschte Zertifikate; ein Update des Herstellers beseitigt den Fehler. --------------------------------------------- http://heise.de/-3095024 *** Dridex: Botnet verteilt Virenscanner *** --------------------------------------------- Gelingt es Cyberkriminellen, ihre Malware auf fremden Rechnern einzuschleusen, nutzen sie dies mitunter aus, um sie zum Teil eines Botnets zu machen. Über ihre Server steuern sie die kompromittierten Computer und nutzen ihre .. --------------------------------------------- http://derstandard.at/2000030450321 *** The Malware Museum @ Internet Archive *** --------------------------------------------- Here's what submitting a virus sample looked like back in the days of 5" floppy disks. And now you can see classic viruses in action at The Malware Museum. Do you feel like emulating old malware inside a MS-DOS Virtual Machine inside .. --------------------------------------------- https://labsblog.f-secure.com/2016/02/05/the-malware-museum-internet-archiv… *** Positive Research Center *** --------------------------------------------- In December 2015, I found a critical vulnerability in one of PayPal business websites (manager.paypal.com). It allowed me to execute arbitrary shell commands on PayPal web servers via unsafe Java object deserialization and to access production databases. I immediately reported this bug to PayPal security team, and it was fixed promptly. --------------------------------------------- http://blog.ptsecurity.com/2016/02/paypal-remote-code-execution.html

1 0

Tageszusammenfassung - Donnerstag 4-02-2016
by Daily end-of-shift report 04 Feb '16

04 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 03-02-2016 18:00 − Donnerstag 04-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Weiterhin etliche IP-Kameras von Aldi unzureichend geschützt *** --------------------------------------------- Nach wie vor ist mindestens eine dreistellige Zahl der bei Aldi verkauften Maginon-Kameras ohne Passwort über das Internet steuerbar. Unterdessen hat sich herausgestellt, dass der Hersteller bereits im Juni 2015 informiert wurde. --------------------------------------------- http://heise.de/-3092642 *** Cisco Unified Communications Manager SQL Injection Vulnerability *** --------------------------------------------- A vulnerability in the Cisco Unified Communications Manager SQL database interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** CERT: Poor password policy leaves OpenELEC operating system vulnerable to hackers *** --------------------------------------------- The CERT Division at Carnegie Mellon University yesterday issued an alert detailing a password vulnerability in the Open Embedded Linux Entertainment Center operating system. --------------------------------------------- http://www.scmagazine.com/cert-poor-password-policy-leaves-openelec-operati… *** Macro Redux: the Premium Package *** --------------------------------------------- Earlier this week we came across an interesting spam email. It was targeted at one of our customers in the retail industry. It contained a Microsoft Word document (MD5 = b74604d0081e68e91d64b361601d79c4) with a rather small macro in it. All that macro did was save a copy of the document as RTF, open it and then .. --------------------------------------------- http://labs.bromium.com/2016/02/03/macro-redux-the-premium-package/ *** Cisco Jabber Guest Server HTTP Web-Based Management Interface Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the HTTP web-based management interface of the Cisco Jabber Guest application could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Unity Connection Web Framework Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Fake Adobe Flash Update OS X Malware *** --------------------------------------------- Yesterday, while investigating some Facebook click-bait, I came across a fake Flash update that is targeting OS X users. Fake flash updates have been very common to infect OS X. They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20693 *** No More Deceptive Download Buttons *** --------------------------------------------- In November, we announced that Safe Browsing would protect you from social engineering attacks - deceptive tactics that try to trick you into doing something dangerous, like installing unwanted software or revealing your personal information (for example, passwords, phone numbers, or credit cards). You may .. --------------------------------------------- https://googleonlinesecurity.blogspot.co.uk/2016/02/no-more-deceptive-downl… *** l+f: Web-Dienst prüft Präsenz sicherheitsrelevanter HTTP-Header *** --------------------------------------------- Mit securityheaders.io kann man herausfinden, welche Schutzfunktionen ein Server über die HTTP-Header scharf schaltet. --------------------------------------------- http://heise.de/-3095001

1 0

Tageszusammenfassung - Mittwoch 3-02-2016
by Daily end-of-shift report 03 Feb '16

03 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 02-02-2016 18:00 − Mittwoch 03-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** WordPress 4.4.2 Security and Maintenance Release *** --------------------------------------------- https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance… *** Cisco WebEx Meetings Server Multiple Cross-Site Scripting Vulnerabilities *** --------------------------------------------- A vulnerability in the web framework code of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Sauter moduWeb Vision Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for three vulnerabilities in Sauter's moduWeb Vision application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-033-01 *** GE SNMP/Web Interface Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for two vulnerabilities in the GE SNMP/Web Interface adapter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-033-02 *** DMA Locker: New Ransomware, But No Reason To Panic *** --------------------------------------------- A new piece of ransomware which looks a little clumsy. --------------------------------------------- https://blog.malwarebytes.org/news/2016/02/draft-dma-locker-a-new-ransomwar… *** Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available *** --------------------------------------------- The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, .. --------------------------------------------- http://blogs.technet.com/b/srd/archive/2016/02/02/enhanced-mitigation-exper… *** DSA-3465 openjdk-6 - security update *** --------------------------------------------- Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, information disclosure, denial of service and insecure cryptography. --------------------------------------------- https://www.debian.org/security/2016/dsa-3465 *** Bypassing Bitrix WAF via tiny regexp error *** --------------------------------------------- Bitrix24 is one of the first and most secure cross-platform corporate software with integrated WAF and RASP. Lets see how we can bypass them. --------------------------------------------- https://www.htbridge.com/blog/bypassing-bitrix-web-application-firewall-via… *** Smartphone-Security: Root-Backdoor macht Mediatek-Smartphones angreifbar *** --------------------------------------------- Eine Debug-Funktion für Vergleichstests im chinesischen Markt führt dazu, dass zahlreiche Smartphones mit Mediatek-Chipsatz verwundbar sind. Angreifer können eine lokale Root-Shell aktivieren. Auch Geräte auf dem deutschen Markt könnten betroffen sein. --------------------------------------------- http://www.golem.de/news/smartphone-security-root-backdoor-macht-mediatek-s… *** l+f: Neuland, USA *** --------------------------------------------- Das Milliardenprojekt F-35 verzögert sich um mindestens ein Jahr, weil Techniker aus Sicherheitsgründen nicht auf eine Datenbank zugreifen können. --------------------------------------------- http://heise.de/-3092005 *** MMD-0051-2016 - Debunking a tiny ELF remote backdoor (shellcode shellshock part 2) *** --------------------------------------------- In September 2014 during the shellshock exploitation was in the rush I analyzed a case (MMD-0027-2014) of an ELF dropped payload via shellshock attack, with the details can be read in-->[here] Today I found an interesting ELF x32 sample that was reported several hours back, the infection vector is also ShellShock, the .. --------------------------------------------- http://blog.malwaremustdie.org/2016/02/mmd-0051-2016-debungking-tiny-elf.ht… *** Comodo: "Sicherer" Browser mit groben Sicherheitsdefiziten *** --------------------------------------------- Google warnt vor der Verwendung - Hebelt Same Origin Policy des Browsers --------------------------------------------- http://derstandard.at/2000030313692 *** Thunderstrike 2: Sicherheitsforscher arbeiten inzwischen für Apple *** --------------------------------------------- Der Mac-Hersteller hat eine Sicherheitsfirma übernommen, die an der Entwicklung von "Thunderstrike 2" beteiligt war. Die Forscher zeigten Schwachstellen, die das Einschleusen eines Schädlings auf Firmware-Ebene ermöglichen – nicht nur auf Macs. --------------------------------------------- http://heise.de/-3092644 *** Phishing-Angriff: Nutzer sollen Amazon-Zertifikat installieren *** --------------------------------------------- Phishing-Angriffe gehören zu den nervigen Alltäglichkeiten von Internetnutzern. Eine spezielle Masche versucht jetzt, Android-Nutzer zur Installation eines angeblichen Sicherheitszertifikates zu bewegen. Komisch, dass das Zertifikat die Endung .apk aufweist. --------------------------------------------- http://www.golem.de/news/phishing-angriff-nutzer-sollen-amazon-zertifikat-i… *** Cisco Nexus 9000 Series ACI Mode Switch ICMP Record Route Vulnerability *** --------------------------------------------- A vulnerability in the ICMP implementation in the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch could allow an unauthenticated, remote attacker to cause the switch to reload, resulting in a denial of service (DoS) condition. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Application Policy Infrastructure Controller Access Control Vulnerability *** --------------------------------------------- A vulnerability in the role-based access control (RBAC) of the Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated remote user to make configuration changes outside of their configured access privileges. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco ASA-CX and Cisco Prime Security Manager Privilege Escalation Vulnerability *** --------------------------------------------- A vulnerability in the role-based access control of Cisco ASA-CX and Cisco Prime Security Manager (PRSM) could allow an authenticated, remote attacker to change the password of any user on the system. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Bypass Windows AppLocker *** --------------------------------------------- AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that allows you to specify which users or groups can run particular applications in your organization based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running. --------------------------------------------- http://en.wooyun.io/2016/01/28/Bypass-Windows-AppLocker.html

1 0

Tageszusammenfassung - Dienstag 2-02-2016
by Daily end-of-shift report 02 Feb '16

02 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 01-02-2016 18:00 − Dienstag 02-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cyberangriff auf A1 verursacht Ausfall des mobilen Netzes *** --------------------------------------------- Attacken seit Samstag - Zeitpunkt der Fehlerbehebung noch nicht in Sicht --------------------------------------------- http://derstandard.at/2000030190051 *** red|blue: A Soft-ish Introduction to Malware Analysis for Incident Responders *** --------------------------------------------- One of my resolutions for the New Year is to spend more time conducting behavioral and static analysis of malicious PE files. I recently spent time watching some of the Cybrary Malware Reverse Engineering material and wanted to document my efforts here and share my notes and additional thoughts with you. --------------------------------------------- http://www.redblue.team/2016/02/a-soft-introduction-to-malware-analysis.html *** Malwarebytes Anti-Malware Vulnerability Disclosure *** --------------------------------------------- In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware. Within days, we were able to fix several of the vulnerabilities server-side and are now internally .. --------------------------------------------- https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulner… *** Massive Admedia/Adverting iFrame Infection *** --------------------------------------------- This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files. The distinguishing features of this malware are: 32 hex digit comments at the beginning and end of the malicious .. --------------------------------------------- https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection… *** Google plugs Android vulns *** --------------------------------------------- Happy days if you own a Nexus Five "critical," four "high" severity and one merely "moderate" bug make up the menu of Android security patches, which are now available for Nexus devices and .. --------------------------------------------- www.theregister.co.uk/2016/02/02/google_plugs_android_vulns/ *** Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution *** --------------------------------------------- The vulnerability is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .DQP project file with a large array of bytes inserted in the Description element. Successful exploitation could allow execution of arbitrary code on the affected machine. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5302.php *** Austrian Mobile Phone Signature is vulnerable against phishing and MitM attacks *** --------------------------------------------- Talking with various people about the Two Factor Authentication (2FA) which is used in Austria to access public services led to my impression that most people think that the system is really secure. While it is more secure than a simple user/password combination its by far not that secure. In this .. --------------------------------------------- http://robert.penz.name/1224/austrian-mobile-phone-signature-is-vulnerable-… *** Aktuelle Spamwelle (Dridex) *** --------------------------------------------- In den letzten Tagen gibt es vermehrt Berichte darüber, dass die Malware Dridex nach einer kurzen Winterpause wieder verstärkt aktiv ist. --------------------------------------------- http://www.cert.at/services/blog/20160202110607-1661.html *** Cyberbetrug bei FACC: Aktionäre fordern Konsequenzen *** --------------------------------------------- Rasinger: "Das schließt auch personelle Konsequenzen mit ein" – Zeitung: Ablöse von Finanzchefin zu erwarten --------------------------------------------- http://derstandard.at/2000030230502-375 *** Apache verpetzt möglicherweise Tor Hidden Services *** --------------------------------------------- In seiner Standard-Konfiguration liefert der beliebte Web-Server-Dienst Informationen, die die Anonymitäts-Versprechen eines Tor Hidden Services gefährden. Diese anonymen Tor-Dienste sind der Kern des oft zitierten "Dark Net". --------------------------------------------- http://heise.de/-3090218 *** Crash Safari Follow-Up *** --------------------------------------------- It's been a week since short links to crashsafari.com went viral, and Google has finally killed the most prevalent link (goo.gl/78uQHK). More than three-quarters of a million clicks were made before the short link was disabled for violating .. --------------------------------------------- https://labsblog.f-secure.com/2016/02/02/crash-safari-follow-up/ *** A1 kämpft seit Samstag gegen Hackerangriffe *** --------------------------------------------- Ausfälle nach DDoS-Attacken zuerst im mobilen Netz, danach im Festnetz-Internet --------------------------------------------- http://derstandard.at/2000030190051 *** Targeted IPv6 Scans Using pool.ntp.org *** --------------------------------------------- IPv6 poses a problem for systems like Shodan, who try to enumerate vulnerabilities Internet-wide. Tools like zmap can scan the IPv4 internet in minutes (or maybe hours), but for IPv6, the same approach will still fail. The smallest IPv6 subnet is a /64, or 18.4 Quintillion addresses. A tool like zmap would .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20681 *** Socat Warns Weak Prime Number Could Mean It's Backdoored *** --------------------------------------------- Socat published a security advisory warning users that a hard-coded 1024 Diffie-Hellman prime number was not prime, and that an attacker could listen and recover secrets from a key exchange. --------------------------------------------- http://threatpost.com/socat-warns-weak-prime-number-could-mean-its-backdoor… *** VU#719736: Fisher-Price Smart Toy platform allows some unauthenticated web API commands *** --------------------------------------------- The Fisher-Price Smart Toy bear is a new WiFi-connected Internet of Things (IoT) toy. The device utilizes network connectivity to provide more interactivity with children. --------------------------------------------- http://www.kb.cert.org/vuls/id/719736 *** Top Exploit Kits Round Up January Edition *** --------------------------------------------- A look at the top exploit kits.Categories: ExploitKits(Read more...) --------------------------------------------- https://blog.malwarebytes.org/exploitkits/2016/02/top-exploit-kits-round-up… *** MailPoet Newsletters <= 2.6.19 - Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8373 *** Hacker wollen bei Nasa eingebrochen sein, um Chemtrails zu beweisen *** --------------------------------------------- Gruppierung "Anonsec" will 250 GB an Daten erbeutet und Kontrolle über eine Drohne übernommen haben --------------------------------------------- http://derstandard.at/2000030242744

1 0

Tageszusammenfassung - Montag 1-02-2016
by Daily end-of-shift report 01 Feb '16

01 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 29-01-2016 18:00 − Montag 01-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** FreeBSD Linux Support issetugid(2) Error Lets Local Users Gain Elevated Privileges *** --------------------------------------------- The Linux compatibility layer issetugid(2) system call may return incorrect information. A local user may be able to exploit an application that uses this system call to gain elevated privileges. --------------------------------------------- http://www.securitytracker.com/id/1034872 *** QEMU Firmware Configuration Processing Access Flaw Lets Local Users on a Guest System Gain Elevated Privileges on the Host System *** --------------------------------------------- A privileged local user with CAP_SYS_RAWIO capabilities on the guest system can trigger an out-of-bounds read/write access error when processing firmware configurations and cause denial of service conditions or gain elevated privileges on the host system. --------------------------------------------- http://www.securitytracker.com/id/1034858 *** HP integrated Lights Out (iLO) TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections *** --------------------------------------------- A remote user that can conduct a man-in-the-middle attack can cause the target system to downgrade the Diffie-Hellman algorithm to 512-bit export-grade cryptography. The remote user may then be able to decrypt the connection. --------------------------------------------- http://www.securitytracker.com/id/1034884 *** Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability *** --------------------------------------------- XXE (XML External Entity) processing through upload of SVG images in the CMS, and through XML import in the CMS Console application. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php *** Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability *** --------------------------------------------- Hippo CMS suffers from a stored XSS vulnerability. Input passed thru the POST parameters groupname and description is not sanitized allowing the attacker to execute HTML code into users browser session on the affected site. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5300.php *** HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability *** --------------------------------------------- HP Client Security Manager is prone to XSS attacks because of lacking sanitization of data from HTML forms. It makes any site vulnerable even without XSS presence on the site. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5299.php *** Now VirusTotal can scan your firmware image for bad executables *** --------------------------------------------- VirusTotal presented a new malware scanning engine that allows users to analyze their firmware images searching for malicious codes. VirusTotal has recently announced the launch of a new malware scanning service for firmware .. --------------------------------------------- http://securityaffairs.co/wordpress/44097/malware/virustotal-firmware-scan.… *** 6 Millionen US-Dollar für Sicherheitslücken in Google-Produkten *** --------------------------------------------- Google zeigt sicher weiterhin spendabel, wenn Sicherheitsforscher neue Lücken in Chrome, Android & Co. an den Konzern melden. --------------------------------------------- http://heise.de/-3088182 *** DSA-3460 privoxy - security update *** --------------------------------------------- It was discovered that privoxy, a web proxy with advanced filteringcapabilities, contained invalid reads that could enable a remoteattacker to crash the application, thus causing a Denial of Service. --------------------------------------------- https://www.debian.org/security/2016/dsa-3460 *** Is security outfit Norse Corp dead or just temporarily TITSUP? *** --------------------------------------------- Imploding says Brian Krebs Security startup Norse Corp has gone ominously dark. --------------------------------------------- www.theregister.co.uk/2016/02/01/is_norse_corp_dead_or_just_temporarily_tit… *** LibreSSL emits new versions, says not vulnerable to OpenSSL bug *** --------------------------------------------- Ciscos pedalling hard to prepare patches too Corrected LibreSSL sysadmins should keep an eye on their mirrors for a soon-to-land update. --------------------------------------------- www.theregister.co.uk/2016/02/01/openbsd_rolls_in_libressl_bug_fixes/ *** DSA-3463 prosody - security update *** --------------------------------------------- It was discovered that insecure handling of dialback keys may allowa malicious XMPP server to impersonate another server. --------------------------------------------- https://www.debian.org/security/2016/dsa-3463 *** Schluss mit "123456": 1. Februar ist "Change your password"-Tag *** --------------------------------------------- Zahlreiche Nutzer verwenden noch immer haarsträubend unsichere Passwörter --------------------------------------------- http://derstandard.at/2000030144886 *** Aktuell im Umlauf: Trojaner-Mail im Namen des Kopierers verschickt *** --------------------------------------------- Kriminelle versenden dieser Tage gehäuft E-Mails mit Schadcode im Anhang über gefälschte Absenderadressen von Netzwerk-Kopierern. --------------------------------------------- http://heise.de/-3088536 *** GAME OVER: HOW A COLOURFUL GAME TURNED INTO A SUBSCRIPTION TRAP - App from the Google Play store automatically set up two subscriptions in the Netherlands *** --------------------------------------------- Premium SMS messages were the first attacks on Android users - almost six years ago, malware with this functionality was the primary risk. Since then of course, the malware landscape for mobile devices has moved on significantly. For this very .. --------------------------------------------- https://blog.gdatasoftware.com/blog/article/game-over-how-a-colourful-game-… *** Theres a lot of vulnerable OS X applications out there. *** --------------------------------------------- Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker take control of another computer on the same network (via MITM). --------------------------------------------- https://vulnsec.com/2016/osx-apps-vulnerabilities/ *** Illegaler Bezahldienst Liberty Reserve: Gründer bekennt sich der Geldwäsche schuldig *** --------------------------------------------- US-Behörden bezeichnen den 2013 abgestellten Onlinedienst Liberty Reserve als "die Bank der Wahl für die kriminelle Unterwelt". Der Gründer hat sich nun schuldig bekannt, über 250 Millionen US-Dollar gewaschen zu haben. --------------------------------------------- http://heise.de/-3088621

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily