=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 05-01-2016 18:00 − Thursday 07-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** From Tuesday: end of the line for Internet Explorer 8, 9 and 10 ***
---------------------------------------------
Microsoft is ending support for the outdated Internet Explorer versions 8, 9 and 10 as of 12 January. They will no longer receive any updates.
---------------------------------------------
http://futurezone.at/produkte/ab-dienstag-aus-fuer-internet-explorer-8-9-un…
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
*** Site Updates: ISC/DShield API and ipinfo_ascii.html Page, (Wed, Jan 6th) ***
---------------------------------------------
We are planning a couple of updates to the ways data can be retrieved automatically from this site. The main reason for this is to make it easier for us to maintain and support some of these features. The main idea will be that we focus automatic data retrieval to our API (isc.sans.edu/api or dshield.org/api). It should be the only place that is used to have scripts retrieve data. In the past, we had a couple of other pages that supported automatic data retrieval. For example, ipinfo_ascii.html...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20577&rss
*** How long is your password? HTTPS Bicycle attack reveals that and more ***
---------------------------------------------
Get your 2FA on, slackers
A new attack on supposedly secure communication streams raises questions over the resilience of passwords, security researchers warn.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/06/https_bicyc…
*** Mozilla warns Firefox fans its SHA-1 ban could bork their security ***
---------------------------------------------
Protection mechanism screws other protection mechanisms. What a tangled web we weave
Mozilla has warned Firefox users they may be cut off from more of the web than expected - now that the browser rejects new HTTPS certificates that use the weak SHA-1 algorithm.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/07/mozilla_war…
https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-…
*** MD5/SHA1: Sloth attacks exploit old hash algorithms ***
---------------------------------------------
New attacks against TLS: with Sloth, crypto researchers present several weaknesses in TLS implementations and in the protocol itself. The most critical is an attack on client authentication with RSA and MD5.
---------------------------------------------
http://www.golem.de/news/md5-sha1-sloth-angriffe-nutzen-alte-hash-algorithm…
*** Encrypted Blackphone Patches Serious Modem Flaw ***
---------------------------------------------
msm1267 writes: Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the device's modem and perform any number of actions. Researchers at SentinelOne discovered an open socket on the Blackphone that an attacker could abuse to intercept calls, set call forwarding, read SMS messages, mute the phone and more. Blackphone is marketed toward privacy-conscious users; it includes...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/ocmLGjQf8XY/encrypted-black…
*** OS-X-Security-and-Privacy-Guide ***
---------------------------------------------
This is a collection of thoughts on securing a modern Apple Mac computer using OS X 10.11 "El Capitan", as well as steps to improving online privacy. This guide is targeted to "power users" who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.
---------------------------------------------
https://github.com/drduh/OS-X-Security-and-Privacy-Guide
*** Drupal - Insecure Update Process ***
---------------------------------------------
Just a few days after installing Drupal v7.39, I noticed there was a security update available: Drupal v7.41. This new version fixes an open redirect in the Drupal core. In spite of my Drupal update process checking for updates, according to my local instance, everything was up to date:
Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.
---------------------------------------------
http://blog.ioactive.com/2016/01/drupal-insecure-update-process.html
*** Install the update now: WordPress fixes XSS hole ***
---------------------------------------------
Attackers can compromise WordPress installations via a cross-site scripting vulnerability. All versions up to and including WordPress 4.4 are affected.
---------------------------------------------
http://heise.de/-3065193
https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance…
*** AVM router: Fritzbox hole allows phone calls at someone else's expense ***
---------------------------------------------
A critical hole in the Fritzboxes allows attackers, for instance, to make phone calls at someone else's expense and to execute code as root. AVM has already closed the hole, but the details were kept under wraps until today.
---------------------------------------------
http://heise.de/-3065588
*** A new, open source tool proves: Even after patching, deserializing will still kill you ***
---------------------------------------------
What's the problem here? ... When deserializing most objects, the code calls ObjectInputStream#resolveClass() as part of the process. This method is where all the patches and hardening against recent exploits take place. Because that method is never involved in deserializing Strings, anyone can use this to attack an application that's "fully patched" against the recent spate of attacks.
---------------------------------------------
https://www.contrastsecurity.com/security-influencers/java-deserializing-op…
*** rt-sa-2015-001 ***
---------------------------------------------
AVM FRITZ!Box: Remote Code Execution via Buffer Overflow
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2015-001.txt
*** rt-sa-2014-014 ***
---------------------------------------------
AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2014-014.txt
*** Bugtraq: [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499) ***
---------------------------------------------
[SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499)
---------------------------------------------
http://www.securityfocus.com/archive/1/537244
*** DFN-CERT-2016-0023: Node.js-WS: A vulnerability allows information disclosure ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0023/
*** DFN-CERT-2016-0028: Shotwell: A vulnerability allows bypassing security measures ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0028/
*** DFN-CERT-2016-0004: Mozilla Thunderbird, Debian Icedove: Multiple vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
Version 3 (2016-01-05 17:52) | Debian provides security updates to Icedove version 38.5.0 for the distributions Wheezy (old stable), Jessie (stable) and Stretch (testing). The vulnerabilities CVE-2015-7210 and CVE-2015-7222 are not addressed by these updates.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/
*** Security Advisory: QEMU vulnerability CVE-2012-3515 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/13/sol13405416.html?…
*** Security Advisory: Out-of-bounds memory vulnerability with the BIG-IP APM system CVE-2015-8098 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43552605.html?…
*** DSA-3435 git - security update ***
---------------------------------------------
Blake Burkhart discovered that the Git git-remote-ext helper incorrectly handled recursive clones of git repositories. A remote attacker could possibly use this issue to execute arbitrary code by injecting commands via crafted URLs.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3435
*** Advantech EKI Vulnerabilities (Update B) ***
---------------------------------------------
This updated advisory is a follow-up to the updated advisory titled ICSA-15-344-01A Advantech EKI Vulnerabilities that was published December 15, 2015, on the NCCIC/ICS-CERT web site. This advisory provides information regarding several vulnerabilities in Advantech's EKI devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-344-01
*** D-Link DCS-931L Arbitrary File Upload ***
---------------------------------------------
Topic: D-Link DCS-931L Arbitrary File Upload
Risk: High
Text: ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-f...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010028
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 04-01-2016 18:00 − Tuesday 05-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** ProxieBack sneakily uses the victim's server to bypass its own security ***
---------------------------------------------
Palo Alto Networks has come across a new family of proxy-creating malware, called ProxyBack, that the company believes has been in the wild since 2014 and may have more than 20 versions now running.
---------------------------------------------
http://www.scmagazine.com/proxieback-sneakily-uses-the-victims-server-to-by…
*** Hocus-pocus! The stupidity of cybersecurity predictions ***
---------------------------------------------
Every year, some publication asks me to come up with a list of my top 10 predictions for the security field, and every year I tell them they might as well just dust off an article I wrote a year earlier, with maybe a couple of buzzwords and a new technology added on. What you can generally expect in any given year is more of the same, with some slight variations. That doesn't stop people from making predictions, though. Vendors and supposed experts can't seem to control the urge, but...
---------------------------------------------
http://www.cio.com/article/3019071/security/hocus-pocus-the-stupidity-of-cy…
*** Matthew Garrett: Apple computers are not suitable for confidential work ***
---------------------------------------------
Although the boot process of Windows and Linux machines can be secured reasonably well with UEFI Secure Boot and TPMs, this could still be improved, says security expert Matthew Garrett. The situation at Apple, by contrast, is catastrophic, he says.
---------------------------------------------
http://www.golem.de/news/matthew-garrett-apple-rechner-eignen-sich-nicht-fu…
*** Comcast Home Security System Vulnerable to Attack ***
---------------------------------------------
Comcast's Xfinity Home Security System is vulnerable to attacks that interfere with its ability to detect and alert to home intrusions.
---------------------------------------------
http://threatpost.com/comcast-home-security-system-vulnerable-to-attack/115…
*** Using IDAPython to Make Your Life Easier: Part 3 ***
---------------------------------------------
In the first two posts of this series (Part 1 and Part 2), we discussed using IDAPython to make your life as a reverse engineer easier. Now let's look at conditional breakpoints. While debugging in...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/01/using-idapython-to-make-…
*** HTML5 Security Cheat Sheet ***
---------------------------------------------
This OWASP cheat sheet serves as a guide for implementing HTML5 in a secure fashion. Contents include: Communication APIs, Storage APIs, Geolocation, Web Workers, Sandboxed Frames, Offline Applications, and...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19279
*** Nexus Security Bulletin - January 2016 ***
---------------------------------------------
We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. [...] The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.
---------------------------------------------
https://source.android.com/security/bulletin/2016-01-01.html
*** DSA-3432 icedove - security update ***
---------------------------------------------
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: Multiple memory safety errors, integer overflows, buffer overflows and other implementation errors may lead to the execution of arbitrary code or denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3432
*** Puppet Enterprise Configuration Error Lets Remote Non-Whitelisted Users Access the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034550
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Jabber STARTTLS Downgrade Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS XR Software OSPF Link State Advertisement PCE Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Infrastructure Frame Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Communications Manager SQL Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Rational Tau (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=swg21973108
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Kenexa LCMS Premier on Cloud (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972649
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSource Dojo ToolKit affect IBM InfoSphere Master Data Management (CVE-2015-5654) ***
http://www.ibm.com/support/docview.wss?uid=swg21972787
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Partner Gateway Advanced/Enterprise editions (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973241
---------------------------------------------
*** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2015-7456) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005574
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM TRIRIGA Application Platform (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972369
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business ***
http://www.ibm.com/support/docview.wss?uid=swg21973135
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2015-5006, CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21972446
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affect IBM Rational Application Developer for WebSphere Software (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973785
---------------------------------------------
*** IBM Security Bulletin: IBM Tealeaf Customer Experience allows unauthorized access to system files (CVE-2015-4988) ***
http://www.ibm.com/support/docview.wss?uid=swg21968868
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affect IBM Rational Application Developer for WebSphere Software (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21972455
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM PureApplication System (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21974116
---------------------------------------------
*** IBM Security Bulletin: IBM Tealeaf Customer Experience PCA Web UI PHP security issues ***
http://www.ibm.com/support/docview.wss?uid=swg21972384
---------------------------------------------
Next End-of-Shift report on 2016-01-07
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 31-12-2015 18:00 − Monday 04-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Identical SSH keys on Hetzner servers ***
---------------------------------------------
Because of identical SSH keys, attackers can eavesdrop on encrypted connections to Hetzner servers.
---------------------------------------------
http://heise.de/-3057777
*** Difficult to block JavaScript-based ransomware can hit all operating systems ***
---------------------------------------------
A new type of ransomware that still goes undetected by the great majority of AV solutions has been spotted and analyzed by Emsisoft researchers (via Google Translate). Ransom32 is delivered on the ...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3184
http://blog.emsisoft.com/de/2016/01/01/meet-ransom32-the-first-javascript-r…
*** Apple had more CVEs than any single MS product in 2015, but it doesn't really matter ***
---------------------------------------------
Meaningless league table sparks silly schadenfreude
A count of the number of CVEs issued on different platforms in 2015 has concluded that Apple was the most-advisoried operating system of the year, leading to gloating headlines that OS X is the "most vulnerable" of the lot.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/apple_had_m…
*** Cisco Jabbers in the clear due to STARTTLS bug ***
---------------------------------------------
Sysadmins get a belated Christmas present
'Twas the night before Christmas, when sysadmins probably weren't watching their advisory feeds, that Cisco announced a vulnerability in its Jabber for Windows.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/cisco_jabbe…
*** BlackEnergy cyberespionage group adds disk wiper and SSH backdoor to its arsenal ***
---------------------------------------------
A cyberespionage group focused on companies and organizations in the energy sector has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server. The group is known in the security community as Sandworm or BlackEnergy, after its primary malware tool, and has been active for several years. It has primarily targeted companies that operate industrial control systems, especially in the energy sector, but has also gone after high-level government organizations,...
---------------------------------------------
http://www.cio.com/article/3018790/blackenergy-cyberespionage-group-adds-di…
*** The current state of boot security ***
---------------------------------------------
I gave a presentation at 32C3 this week. One of the things I said was "If any of you are doing seriously confidential work on Apple laptops, stop. For the love of god, please stop." I didn't really have time to go into the details of that at the time, but right now I'm sitting on a plane with a ridiculous sinus headache and the pseudoephedrine hasn't kicked in yet so here we go. The basic premise of my presentation was that it's very difficult to determine whether your system is in a...
---------------------------------------------
http://mjg59.dreamwidth.org/39339.html
*** A Tip For The Analysis Of MIME Files, (Sat, Jan 2nd) ***
---------------------------------------------
I've written a diary entry about malicious MS Office documents stored as MIME files. A few days ago a reader contacted me about a problem he had analyzing such a maldoc MIME file. When he used emldump to analyze his sample (f67aa5a3ede3d31c5a68494c0678e2ee), it was not a multipart:
$ ./emldump.py f67aa5a3ede3d31c5a68494c0678e2ee.vir
1: boundary=----=_NextPart_Jm9Ovypy.uUh6MCk charset=us-ascii
$
You can make emldump skip this first line with option -H:
$ ./emldump.py -H...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20561&rss
*** More Internet of Things irony: a security alarm with alarming security ***
---------------------------------------------
Imagine that a crook could change the text ALARM STATUS RED in your intruder alarm alerts to say ALARM STATUS GREEN...
---------------------------------------------
https://nakedsecurity.sophos.com/2016/01/03/more-internet-of-things-irony-a…
*** DFN-CERT-2016-0001: Mozilla Firefox, Network Security Services: A vulnerability allows bypassing security measures ***
---------------------------------------------
Please note: To fix the vulnerability named here, Mozilla published the Security Advisory MFSA2015-150 on 28 December 2015, but withdrew it again shortly afterwards without giving any reasons. At the same time, Firefox version 43.0.3 was released. Whether the vulnerability named here is therefore actually fixed in that version is unclear. The release notes for Firefox version 43.0.3 do not mention the vulnerability.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0001/
*** Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1034541
*** DFN-CERT-2016-0004: Mozilla Thunderbird: Multiple vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/
*** Bugtraq: OSS-2016-03: Insufficient Integrity Protection in Winkhaus Bluesmart locking systems using Hitag S ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537223
*** Bugtraq: OSS-2016-02: Weak authentication in NXP Hitag S transponder allows an attacker to read, write and clone any tag ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537224
*** Bugtraq: Confluence Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537232
*** DSA-3433 samba - security update ***
---------------------------------------------
Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3433
*** PCRE Heap Overflow in pcre_compile2() in Processing Certain Regex Patterns May Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1034555
*** #2015-012 Ganeti multiple issues ***
---------------------------------------------
Ganeti, an open source virtualization manager, suffers from multiple issues in its RESTful control interface (RAPI).
---------------------------------------------
http://www.ocert.org/advisories/ocert-2015-012.html
=======================
= End-of-Shift Report =
=======================
Timeframe: Tuesday 29-12-2015 18:00 − Wednesday 30-12-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft may have your encryption key; here's how to take it back ***
---------------------------------------------
It doesn't require you to buy a new copy of Windows.
---------------------------------------------
http://arstechnica.com/information-technology/2015/12/microsoft-may-have-yo…
*** Actor using Rig EK to deliver Qbot - update, (Wed, Dec 30th) ***
---------------------------------------------
Introduction
This diary is a follow-up to my previous diary on the actor using Rig exploit kit (EK) to deliver Qbot [1]. For this diary, I've infected more Windows hosts from other compromised websites, so we have additional data on this actor. As previously noted, this actor has been delivering Qbot (also known as Qakbot) malware. The actor uses a gate to route traffic from the compromised website to the EK landing page. In this case, the gate returns a variable that is translated to a URL for...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20551&rss
*** The Truth is in Your Logs! ***
---------------------------------------------
Keeping an eye on logs is boring... but mandatory! Hopefully, sometimes it can reveal funny stuff! It looks like people at the CCC are having some fun too while their annual conference is ongoing... Here is what I got in my Apache logs this morning:
151.217.177.200 - - [30/Dec/2015:06:51:22 +0100] "DELETE your logs. \ Delete your installations. Wipe everything clean. Walk out into the...
---------------------------------------------
https://blog.rootshell.be/2015/12/30/the-truth-is-in-your-logs/
*** Killed by Proxy: Analyzing Client-end TLS Interception Software ***
---------------------------------------------
Topic: Killed by Proxy: Analyzing Client-end TLS Interception Software
Risk: Medium
Text: Abstract—To filter SSL/TLS-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120310
*** 32C3: Automated security tests for the Internet of Things ***
---------------------------------------------
A Franco-German research team has developed an emulation environment that allows dynamic penetration tests of the firmware of networked electronic devices to be carried out automatically. The first results speak for themselves.
---------------------------------------------
http://heise.de/-3056880
*** Cloud Computing: Attack Vectors and Counter Measures ***
---------------------------------------------
I can bet that some of you might have missed the news about Star Wars, but there will be hardly any who do not know what Cloud computing is, as this has been the buzz for last several years. In this article, we will learn about various types of attacks that are possible in a...
---------------------------------------------
http://resources.infosecinstitute.com/cloud-computing-attacks-vectors-and-c…
*** Chrome: Google developer tears apart antivirus add-on ***
---------------------------------------------
A Chrome extension from antivirus maker AVG had so many security holes that it could just as well have been malware, writes a Google developer. The bugs have been fixed, but the add-on could still be banned from the Chrome store.
---------------------------------------------
http://www.golem.de/news/chrome-google-entwickler-zerpflueckt-antiviren-add…
*** Misconfigured databases, a growing threat ***
---------------------------------------------
It has become commonplace to find misconfigured databases exposed to the public Internet. Last summer alone, 1,175 terabytes (approximately 1.1 petabytes) of data was left wide open for the amusement of inquiring minds and malicious hackers alike, ranging from SMBs to Fortune 500 companies.
---------------------------------------------
http://darkmatters.norsecorp.com/2015/12/29/misconfigured-databases-a-growi…
*** Mobile malware review for 2015 ***
---------------------------------------------
December 30, 2015
The last year proved to be another challenging period for smartphone and tablet owners. Cybercriminals continued to target users of Android devices - thus, the majority of "mobile" threats and unwanted software discovered in 2015 were intended for this platform. In particular, banking Trojans, Android ransomware, advertising modules, and SMS Trojans expanded their activity. Besides, this year witnessed a growing number of malware pre-installed into...
---------------------------------------------
http://news.drweb.com/show/?i=9779&lng=en&c=9
*** Using IDAPython to Make Your Life Easier: Part 1 ***
---------------------------------------------
As a malware reverse engineer, I often find myself using IDA Pro in my day-to-day activities. It should come as no surprise, seeing as IDA Pro is the industry standard (although alternatives such as radare2...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/12/using-idapython-to-make-…
*** The weird and wacky of 2015: strange security and privacy stories ***
---------------------------------------------
These wacky stories remind us how important cybersecurity and online privacy have become in all areas of our lives.
---------------------------------------------
https://nakedsecurity.sophos.com/2015/12/29/the-weird-and-wacky-of-2015-str…
*** Steam blows as games websites security collapse ***
---------------------------------------------
Christmas hiccup on gaming platform exposed user information to others
---------------------------------------------
http://www.scmagazine.com/steam-blows-as-games-websites-security-collapse/a…
*** 2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge - Version: 52.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/2755801
*** PHP Class Name Format String Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1034543
*** Security Advisory: Apache HTTPD vulnerability CVE-2010-2791 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23332326.html?…
*** Security Advisory: Apache vulnerability CVE-2011-3639 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/20/sol20979231.html?…
*** AVG Anti-Virus Flaws in Web TuneUp Chrome Extension Lets Remote Users Obtain Potentially Sensitive Information on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034547
Next End-of-Shift Report on 2016-01-04.
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 28-12-2015 18:00 − Tuesday 29-12-2015 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** Security Updates Available for Adobe Flash Player (APSB16-01) ***
---------------------------------------------
A security bulletin (APSB16-01) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1305
*** Quick Tips to Protect Your New (and old) Apple Devices ***
---------------------------------------------
Apple has projected yet another record holiday for sales, but this should come as no surprise to fellow "Macheads". I myself am a huge fan of Apple and have been for a quite...
---------------------------------------------
http://www.webroot.com/blog/2015/12/28/18251/
*** 2016 Reality: Lazy Authentication Still the Norm ***
---------------------------------------------
My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang that recruits for the terrorist group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations -- including many financial institutions -- remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.
---------------------------------------------
http://krebsonsecurity.com/2015/12/2016-reality-lazy-authentication-still-t…
*** An Overview of the Upcoming libModSecurity ***
---------------------------------------------
libModSecurity is a major rewrite of ModSecurity. It preserves the rich syntax and feature set of ModSecurity while delivering improved performance, stability, and a new experience in easy integration on different. libModSecurity - Motivations While ModSecurity version 2.9.0 is available...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/An-Overview-of-the-Upcoming-…
*** Researchers: pacemakers vulnerable to hacker attacks and software bugs ***
---------------------------------------------
Researcher and patient Marie Moe spoke about the topic at the 32C3 hacker congress
---------------------------------------------
http://derstandard.at/2000028215506
*** Let's Encrypt: one free certificate every two seconds ***
---------------------------------------------
The launch of the new certificate authority Let's Encrypt has apparently gone quite well. After only about a month in beta, the project is already the fifth-largest CA in the world. But there are still some tasks to tackle.
---------------------------------------------
http://www.golem.de/news/let-s-encrypt-ein-kostenfreies-zertifikat-alle-zwe…
*** 32C3: Sparkasse's pushTAN app still attackable ***
---------------------------------------------
A cat-and-mouse game over the online banking app "pushTAN" has developed between security researchers in Erlangen and the Sparkassenverband. The latest version can still be attacked quite easily, experts say.
---------------------------------------------
http://heise.de/-3056667
*** 32C3: encryption of common RFID locking systems cracked ***
---------------------------------------------
According to security experts, RFID transponder cards used for electronic access control can often be cloned "trivially easily".
---------------------------------------------
http://heise.de/-3056646
*** ATM skimming in retreat ***
---------------------------------------------
The billions invested by banks and retailers in better security are having an effect: data thieves are succeeding less and less often at ATMs in Germany. But the criminals still find holes in the system.
---------------------------------------------
http://heise.de/-3056638
*** Microsoft Has Your Encryption Key If You Use Windows 10 ***
---------------------------------------------
An anonymous reader writes with this bit of news from the Intercept. If you log in to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to a Microsoft server. From the article: "The fact that new Windows devices require users to backup their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/YfNKeGMMq1o/microsoft-has-y…
*** Voice over LTE: attacks on mobile IP telephony presented ***
---------------------------------------------
Talks that cause nightmares about mobile communication have a tradition at the CCC. This time, two Korean students demonstrated attacks on Voice over LTE. In Germany this is supposedly not possible.
---------------------------------------------
http://www.golem.de/news/voice-over-lte-mobile-ip-telefonie-kann-abgehoert-…
*** Fixing JavaScript's Broken Random Number Generator ***
---------------------------------------------
szczys writes: It is surprising to learn how broken the JavaScript Random Number Generator has been for the past six years. The problem is compounded by the fact that Node.js uses the same broken Math.random() module. Learning about why this is broken is interesting, but perhaps even more interesting is how the bad code got there in the first place. It seems that a forum thread from way back in 1999 shared two versions of the code. If you read to the end of the thread you got the working
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GG87DY0k6I4/fixing-javascri…
*** DFN-CERT-2015-2002: Roundcubemail: two vulnerabilities allow, among other things, execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-2002/
*** libtiff bmp file Heap Overflow ***
---------------------------------------------
Topic: libtiff bmp file Heap Overflow
Risk: High
Text: Details = Product: libtiff; Affected Versions: <= 4.0.6; Vulnerability Type: Heap Overflow; Security Risk: High; Vendor U...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120304
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 23-12-2015 18:00 − Monday 28-12-2015 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** Malware-Driven Card Breach at Hyatt Hotels ***
---------------------------------------------
Hyatt Hotels Corporation said today it recently discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations.
---------------------------------------------
http://krebsonsecurity.com/2015/12/malware-driven-card-breach-at-hyatt-hote…
*** Using WPScan: Finding WordPress Vulnerabilities ***
---------------------------------------------
When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. The database at wpvulndb.com is used to check for vulnerable software and the WPScan team maintains the ever-growing list of...
---------------------------------------------
https://blog.sucuri.net/2015/12/using-wpscan-finding-wordpress-vulnerabilit…
*** NSA and GCHQ have been using backdoors in Juniper firewalls for years ***
---------------------------------------------
Secret document from 2011 shows cooperation between the two intelligence agencies
---------------------------------------------
http://derstandard.at/2000028055853
*** Victims of the Gomasom Ransomware can now decrypt their files for free ***
---------------------------------------------
Fabian Wosar, security researcher at Emsisoft, created a tool for decrypting files locked by the Gomasom Ransomware. Ransomware is the most threatening cyber threat for end users, but today I have good news for victims of the Gomasom ransomware: victims can rescue their locked files. The news was spread by the security researcher Fabian Wosar, who developed a...
---------------------------------------------
http://securityaffairs.co/wordpress/43074/malware/decrypt-gomasom-ransomwar…
*** Hackers show massive security holes in debit cards ***
---------------------------------------------
PIN read out in front of an audience, prepaid card topped up and payments redirected
---------------------------------------------
http://derstandard.at/2000028162750
*** 32C3: hardware Trojans as an underestimated danger ***
---------------------------------------------
Backdoors built firmly into IT devices and chips pose a "serious threat", security experts warned at the hacker conference. Although they can only be inserted with great effort, they are also hard to find.
---------------------------------------------
http://heise.de/-3056452
*** 32C3: Dieselgate and the ominous acoustic function ***
---------------------------------------------
Can the manipulation of emissions values at Volkswagen really be the work of individual engineers? At the CCC congress, an insider and a hacker rejected this legend.
---------------------------------------------
http://heise.de/-3056438
*** 32C3: automatic train protection and networked railway technology in hackers' sights ***
---------------------------------------------
A hacker group that focuses on industrial systems has identified various attack surfaces around networked train control systems. Outdated software and insecure passwords can be found "everywhere" there, they say.
---------------------------------------------
http://heise.de/-3056484
*** DSA-3430 libxml2 - security update ***
---------------------------------------------
Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to use an excessive amount of CPU, leak potentially sensitive information, or crash the application.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3430
*** GIT git-remote-ext Helper URL Processing Lets Remote Users Execute Arbitrary Commands on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034501
*** F5 Security Advisory: Apache vulnerability CVE-2010-0434 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/40/sol40284849.html?…
*** EMC Secure Remote Services Virtual Edition Directory Traversal Flaw Lets Remote Authenticated Users View Files on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034530
*** Cisco Jabber for Windows STARTTLS Downgrade Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Vuln: Dnsmasq CVE-2015-3294 Remote Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/74452
*** IDM 4.5 - 4.0.2 Midrange Driver Patch 4.0.2 ***
---------------------------------------------
Abstract: Identity Manager Midrange: IBM i (i5/OS and OS/400) driver patch for the Identity Manager versions 4.0.2 or higher. Driver version will show i5os Driver Version 4.0.2 IDM 4.0.2 Build Date 20151207_1437, IDM 4.5.x Build Date 201512071006. To see the version run I5OSDRV/I5OSDRV OPTION(*VERSION)
Document ID: 5230811
Security Alert: Yes
Distribution Type: Field Test File
Entitlement Required: No
Files: idm45-402midrangepatch2.tar.gz (96.31 MB)
Products: Identity Manager 4.0.2, Identity Manager...
---------------------------------------------
https://download.novell.com/Download?buildid=HsE3grsz-TU~
*** DFN-CERT-2015-1999: libvirt: a vulnerability allows manipulation of files ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1999/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Websphere Liberty Profile (WLP) affect Power Management Console (CVE-2015-2017, CVE-2015-1927, CVE-2015-4938) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021040
---------------------------------------------
*** IBM Security Bulletin: Information disclosure vulnerability affects IBM Sterling B2B Integrator (CVE-2015-7410) ***
http://www.ibm.com/support/docview.wss?uid=swg21972676
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Linux-PAM affects PowerKVM (CVE-2015-3238) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022880
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in pam affect Power Management Console (CVE-2015-3238) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021041
---------------------------------------------
*** IBM Security Bulletin: A denial of service vulnerability affects IBM Sterling B2B Integrator (CVE-2014-0050) ***
http://www.ibm.com/support/docview.wss?uid=swg21972944
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM PureApplication System. (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, and CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21973591
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Synergy (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931 and CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973439
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer and WebSphere Integration Developer (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21972087
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology (CVE-2015-4962, CVE-2015-4946) ***
http://www.ibm.com/support/docview.wss?uid=swg21973404
---------------------------------------------
*** IBM Security Bulletin: Malformed ECParameters causes infinite loop (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023038
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities affect AppScan Enterprise ***
http://www.ibm.com/support/docview.wss?uid=swg21972830
---------------------------------------------
*** IBM Security Bulletin: Clickjack vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-1928) ***
http://www.ibm.com/support/docview.wss?uid=swg21973200
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Content Manager Enterprise Edition (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21973416
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the IBM Tivoli Storage Manager Client and IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, ***
http://www.ibm.com/support/docview.wss?uid=swg21973383
---------------------------------------------
*** IBM Security Bulletin: Privilege escalation coverage gap in IBM SPSS Statistics (CVE-2015-7489) ***
http://www.ibm.com/support/docview.wss?uid=swg21973502
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-4843, CVE-2015-4805, CVE-2015-4810, CVE-2015-4806, CVE-2015-4871, CVE-2015-4902) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023034
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-4843, CVE-2015-4805, CVE-2015-4810, CVE-2015-4806, CVE-2015-4871, CVE-2015-4902) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005474
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i. ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021047
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Monitoring clients (CVE-2015-2590 plus additional CVEs.) ***
http://www.ibm.com/support/docview.wss?uid=swg21964027
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 22-12-2015 18:00 − Wednesday 23-12-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** 2015 Ransomware Wrap-Up ***
---------------------------------------------
Here's a rundown of the innovative ransomware that frightened users and earned attackers big bucks this year.
---------------------------------------------
http://www.darkreading.com/endpoint/2015-ransomware-wrap-up/d/d-id/1323424
*** 3-in-1 Malware Infection through Spammed JavaScript Attachments ***
---------------------------------------------
Recently we've observed a massive uptick of malicious spam with JavaScript attachments with an intention to spread and infect Windows systems with a variety of malicious executables. The spam usually contains a ZIP file attachment containing only one JavaScript file. The ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/3-in-1-Malware-Infectio…
*** IT bloke: Crooks stole my bikes after cycling app blabbed my address ***
---------------------------------------------
Brit suffers from GPS accuracy An IT manager in Manchester, England, says thieves stole his bikes after a smartphone cycling app pinpointed the location of his garage ..
---------------------------------------------
www.theregister.co.uk/2015/12/22/it_manager_loses_bikes_after_cycling_app_p…
*** Xen Project blunder blows own embargo with premature bug report ***
---------------------------------------------
Malicious guest could eat your virtual rigs from the inside The Xen Project has reported a new bug, XSA-169, that means 'A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.' ..
---------------------------------------------
www.theregister.co.uk/2015/12/23/xen_blunder_blows_own_embargo_with_prematu…
*** Expect Phishers to Up Their Game in 2016 ***
---------------------------------------------
Expect phishers and other password thieves to up their game in 2016: Both Google and Yahoo! are taking steps to kill off the password as we know it. New authentication methods now offered by Yahoo! and to a beta group of Google users let customers log in just by supplying their email address, and then responding to a notification sent to their mobile device.
---------------------------------------------
http://krebsonsecurity.com/2015/12/expect-phishers-to-up-their-game-in-2016
*** Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision ***
---------------------------------------------
It's well known that SHA-1 is no longer considered a secure cryptographic hash function. Researchers now believe that finding a hash collision (two values that result in the same value when SHA-1 is applied) is inevitable and likely to happen in a matter of months. This poses a potential threat to trust on the web, as many websites use certificates that are digitally signed with algorithms that rely on SHA-1. Luckily for everyone, finding a hash collision is not enough to forge a digital
---------------------------------------------
https://blog.cloudflare.com/why-its-harder-to-forge-a-sha-1-certificate-tha…
*** Cyberattacks on Turkish internet servers ***
---------------------------------------------
Unclear background - is Russia behind it? Or Anonymous?
---------------------------------------------
http://derstandard.at/2000028013290
*** Hacker: movie stars with problems on the net ***
---------------------------------------------
Brand-new feature films such as the latest Western by Quentin Tarantino have surfaced on the internet. A number of other stars have quite different problems: a hacker got hold of sex videos and personal data belonging to them - but he has now been arrested.
---------------------------------------------
http://www.golem.de/news/hacker-filmstars-mit-problemen-im-netz-1512-118179…
*** How a security director used a rootkit to rig the lottery and steal millions of dollars ***
---------------------------------------------
Not too long ago, Eddie Tipton was convicted of hacking into the Multi-State Lottery Association's computer system in order to rig a nearly $17 million jackpot in Iowa. Now comes word that an investigation into Tipton's hacking activities is expanding to include a number of other states. Thus far, lottery officials from Colorado, Wisconsin and Oklahoma have indicated that Tipton may have also gamed lottery jackpots in their respective states.
---------------------------------------------
https://bgr.com/2015/12/23/lottery-hacker-rootkit-stolen-numbers-investigat…
*** Siemens RUGGEDCOM ROX-based Devices NTP Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for NTP daemon vulnerabilities in the Siemens RUGGEDCOM ROX-based devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-356-01
Due to the Christmas holidays, the next End-of-Shift Report will not appear until 28.12.2015.
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 21-12-2015 18:00 − Tuesday 22-12-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** IBM Security Bulletin: Blind SQL injection vulnerability in IBM OpenPages GRC Platform API (CVE-2015-5049) ***
---------------------------------------------
A blind SQL injection vulnerability has been found in the OpenPages GRC Platform API that could allow retrieval or manipulation of information in the database.
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21970590
*** Cisco IOS XE Software Packet Processing Denial of Service Vulnerability ***
---------------------------------------------
The vulnerability is due to incorrect processing of packets that have a source MAC address of 0000:0000:0000. An attacker could exploit this vulnerability by sending a frame that has a source MAC address of all zeros to an affected device. A successful exploit could allow the attacker to cause the device to reload.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** [20151207] - Core - SQL Injection ***
---------------------------------------------
Inadequate filtering of request data leads to a SQL Injection vulnerability.
---------------------------------------------
https://developer.joomla.org/security-centre/640-20151207-core-sql-injectio…
*** [20151206] - Core - Session Hardening ***
---------------------------------------------
The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). This fixes the bug across all supported PHP versions.
---------------------------------------------
https://developer.joomla.org/security-centre/639-20151206-core-session-hard…
*** First Exploit Attempts For Juniper Backdoor Against Honeypot ***
---------------------------------------------
We are detecting numerous login attempts against our ssh honeypots using the ScreenOS backdoor password. Our honeypot doesn't emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be manual in that we do see the attacker trying different ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20525
*** Protecting Your Sites from Apache.Commons Vulnerabilities ***
---------------------------------------------
A few weeks ago, FoxGlove Security released this important blog post that includes several Proof-of-Concepts for exploiting Java unserialize vulnerabilities. A remote attacker can gain Remote Code Execution by sending a specially crafted payload to any endpoint expecting a serialized ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Protecting-Your-Sites-f…
*** Oracle must improve Java updates ***
---------------------------------------------
Old Java versions must disappear completely from computers. Oracle has to make sure of that.
---------------------------------------------
http://heise.de/-3052761
*** Shopshifting: security researchers uncover holes in electronic payment transactions ***
---------------------------------------------
Payment terminals talk over the network to their cash register and to the payment service provider. Both communication channels have weaknesses that an attacker can use to plunder customers or shop owners.
---------------------------------------------
http://heise.de/-3052165
*** rt-sa-2015-013 ***
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2015-013.txt
*** Juniper backdoors ***
---------------------------------------------
In an advisory (here is our warning about it), Juniper told the world that they found two backdoors in ScreenOS during a code audit. One of them is a technically fairly trivial matter: a constant password allows login via ssh or telnet. Supposedly it took only 6 hours to ..
---------------------------------------------
http://www.cert.at/services/blog/20151222153859-1646.html
*** IBM Security Bulletin: Multiple XSS Vulnerabilities in IBM UrbanCode Deploy (CVE-2015-7415) ***
---------------------------------------------
IBM UrbanCode Deploy is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21970811
*** Report: hackers have infiltrated parts of the US power grid ***
---------------------------------------------
In around twelve cases, cyberattacks on control centers of energy providers in the USA are said to have been successful during the past ten years. The hack of the provider Calpine probably originated from Iran.
---------------------------------------------
http://heise.de/-3054887
*** Call for Papers: VB2016 Prague ***
---------------------------------------------
VB seeks submissions for the 26th Virus Bulletin Conference. Virus Bulletin is seeking submissions from those wishing to present papers at VB2016, which will take place 5 to 7 October 2016 at the Hyatt Regency Denver Hotel in Denver, Colorado, USA. Originally started as an annual gathering of anti-virus experts, the ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/12_22.xml
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 18-12-2015 18:00 − Monday 21-12-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Update for the Microsoft Word Intruder crimeware kit ***
---------------------------------------------
Via security holes in Microsoft Word, a file attachment can infect Windows systems as soon as it is opened. The author of the crimeware kit MWI, popular in the underground, is now following up with new exploits.
---------------------------------------------
http://heise.de/-3049547
*** VMSA-2015-0009 ***
---------------------------------------------
VMware product updates address a critical deserialization vulnerability
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2015-0009.html
*** VMSA-2015-0003.15 ***
---------------------------------------------
VMware product updates address critical information disclosure issue in JRE
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2015-0003.html
*** Avira Registry Cleaner DLL Hijacking ***
---------------------------------------------
avira_registry_cleaner_en.exe, available from
<https://www.avira.com/en/download/product/avira-registry-cleaner>
to clean up remnants the uninstallers of their snakeoil products
fail to remove, is vulnerable: it loads and executes WTSAPI32.dll,
UXTheme.dll and RichEd20.dll from its application directory
(tested and verified under Windows XP SP3 and Windows 7 SP1).
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120223
*** PUPs Masquerade as Installer for Antivirus and Anti-Adware ***
---------------------------------------------
If you're looking for download sites of programs you wish to install onto your machine or simply try out, you, dear Reader, would be better off dropping by their official websites.
---------------------------------------------
https://blog.malwarebytes.org/online-security/2015/12/pups-masquerade-as-in…
*** Joomla 0-Day Exploited In the Wild (CVE-2015-8562) ***
---------------------------------------------
A recent new 0-day in Joomla discovered by Sucuri (Sucuri Blog) has drawn a lot of attention from the Joomla community, as well as attackers. Using knowledge gained from our recent research on Joomla (CVE-2015-7857, SpiderLabs Blog Post) and information ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-0-Day-Exploited-…
*** Google Chrome: farewell to SHA-1-signed SSL certificates ***
---------------------------------------------
From the beginning of next year, Google Chrome will no longer accept newly issued SHA-1-signed SSL certificates from public CAs. SHA-1 has been considered insecure for ten years but is still used by HTTPS sites.
---------------------------------------------
http://heise.de/-3049749
*** The EPS Awakens - Part 2 ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-t…
*** Facebook hammers another nail into Flash's coffin ***
---------------------------------------------
The Social Network™ bins Adobe's malware-magnet for video, adopts HTML5. Facebook has hammered another nail into the coffin of Adobe Flash by switching from the bug-ridden plug-in to HTML5 for all videos on the site.
---------------------------------------------
www.theregister.co.uk/2015/12/21/facebook_dumps_flash_for_video/
*** Hello Kitty: children's data unprotected on the net ***
---------------------------------------------
A MongoDB database containing the private information of numerous Hello Kitty fans has been exposed online. Children in particular are likely to be affected, and should check the passwords they use on other services.
---------------------------------------------
http://www.golem.de/news/security-hello-kitty-gehackt-1512-118123.html
*** XXX is Angler EK ***
---------------------------------------------
http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html
*** Snooping code in Juniper network devices: further findings and speculation ***
---------------------------------------------
Analysis of the ScreenOS updates is bringing some wild things to light. There were two independent backdoors: the SSH backdoor can be exploited by anyone thanks to the published password, while the more complex VPN flaw is apparently based on a known NSA backdoor.
---------------------------------------------
http://heise.de/-3051260
*** The many attacks on Zengge WiFi lightbulbs ***
---------------------------------------------
In August I decided to check out the cool new Internet Of Things. I bought a WiFi-enabled colorful LED lightbulb. It was a cheap Chinese one that costs almost nothing on Alibaba, but I paid probably around $50 on Amazon. It's built by a company called Zengge. It turned out that my new lightbulb was a router, an HTTP server, an HTTP proxy, and a lot more.
---------------------------------------------
http://blog.viktorstanchev.com/2015/12/20/the-many-attacks-on-zengge-wifi-l…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 17-12-2015 18:00 − Freitag 18-12-2015 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** JSA10713 - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10713
*** JSA10712 - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Crafted SSH negotiation may trigger system crash (CVE-2015-7754) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10712
*** Cisco Model DPQ3925 Wireless Residential Gateway Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Schneider Electric Modicon M340 Buffer Overflow Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a buffer overflow vulnerability in Schneider Electric's Modicon M340 PLC product line.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01
*** Motorola MOSCAD SCADA IP Gateway Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for Remote File Inclusion and Cross-Site Request Forgery vulnerabilities in Motorola Solutions MOSCAD IP Gateway.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-02
*** eWON Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for several vulnerabilities in the eWON sa industrial router.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-03
*** Microsoft will stop trusting certificates from 20 Certificate Authorities ***
---------------------------------------------
Starting in January 2016, Microsoft's Trusted Root Certificate Program will no longer include twenty currently trusted CAs and will remove their root certificates from the Trusted ..
---------------------------------------------
http://www.net-security.org/secworld.php?id=19252
*** Docker and Enterprise Security: Establishing Best Practices ***
---------------------------------------------
Virtualization containers, with their extraordinarily efficient hardware utilization, can be like a dream come true for development teams. While containerization will probably ..
---------------------------------------------
http://resources.infosecinstitute.com/docker-and-enterprise-security-establ…
*** IBM Security Bulletins ***
---------------------------------------------
*** Infosphere BigInsights is affected by a vulnerability in DB2 (CVE-2015-1947) ***
http://www.ibm.com/support/docview.wss?uid=swg21967131
---------------------------------------------
*** IBM InfoSphere Balanced Warehouse C3000, C4000, IBM Smart Analytics System 1050, 2050 and 5710 are affected by multiple vulnerabilities in OpenSSL ***
http://www.ibm.com/support/docview.wss?uid=swg21971298
---------------------------------------------
*** Multiple vulnerabilities in current releases of IBM SDK for Node.js in IBM Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21973447
---------------------------------------------
*** Multiple Security Vulnerabilities affect IBM Security Privileged Identity Manager Virtual Appliance ***
http://www.ibm.com/support/docview.wss?uid=swg21972496
---------------------------------------------
*** Multiple vulnerabilities in IBM Java SDK affect Rational Functional Tester (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006) ***
http://www.ibm.com/support/docview.wss?uid=swg21972844
---------------------------------------------
*** A vulnerability in lighttpd affects IBM Security Virtual Server Protection for VMware (CVE-2015-3200) ***
http://www.ibm.com/support/docview.wss?uid=swg21973291
---------------------------------------------
*** Multiple vulnerabilities in IBM Java SDK affect IBM API Management ***
http://www.ibm.com/support/docview.wss?uid=swg21972828
---------------------------------------------
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that could, in certain configurations, allow a malicious administrator of a guest VM to compromise the host or obtain potentially sensitive information from other guest VMs. In addition, a vulnerability has been identified that would allow certain applications running on a guest to cause that guest to crash.
---------------------------------------------
https://support.citrix.com/article/CTX203879
*** Vuln: Microsoft Windows Environment Variable Expansion in PATH Security Bypass Weakness ***
---------------------------------------------
http://www.securityfocus.com/bid/44484
*** Cisco IOS and IOS XE Software IKEv1 State Machine Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** SSA-472334 (Last Update 2015-12-18): NTP Vulnerabilities in RUGGEDCOM ROX-based Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-472334…
*** SSA-396873 (Last Update 2015-12-18): TLS Vulnerability in Ruggedcom ROS- and ROX-based Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-396873…
*** iOS banking apps security still not good enough, says researcher ***
---------------------------------------------
Repeat test throws up improved results from 2013, but problems remain. The security of mobile banking apps has improved over the ..
---------------------------------------------
www.theregister.co.uk/2015/12/18/ios_banking_app_audit/