Daily

daily@lists.cert.at

1 participants
3154 discussions

Tageszusammenfassung - Montag 8-06-2015
by Daily end-of-shift report 08 Jun '15

08 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 05-06-2015 18:00 − Montag 08-06-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** �UnfriendAlert� wants your Facebook Credentials *** --------------------------------------------- For our first "PUP Friday" post, we talked about UnfriendAlert, a program that purports to notify users .. --------------------------------------------- https://blog.malwarebytes.org/online-security/2015/06/unfriendalert-wants-y… *** Changes in Oracle Database 12c password hashes *** --------------------------------------------- Oracle has made improvements to user password hashes within Oracle Database 12c. By using a PBKDF2-based SHA512 hashing algorithm, instead of simple SHA1 hash, password .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Changes-in-Oracle-Database-1… *** [Honeypot Alert] Fritz!Box � Remote Command Execution Exploit Attempt *** --------------------------------------------- Our web honeypots picked up some exploit attempts for a remote command execution vulnerability in FRITZ!Box, a series of routers produced by AVM. This exploit targets router .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/-Honeypot-Alert--Fritz!Box-%… *** Checking for BACNet devices inside corporate networks *** --------------------------------------------- Building automation Networks are very common today for intelligent buildings. They interconnect several type of devices like escalators, elevators, power circuits, heating, ventilating and air conditioning (HVAC) to the main control .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19771 *** Insider vs. Outsider Threats: Identify and Prevent *** --------------------------------------------- In my last article, we discussed on a step-by-step approach on APT attacks. The origin of any kind of cyber-attack is through an external or an internal source. Multiple sophisticated insider attacks resulted in the exfiltration of .. --------------------------------------------- http://resources.infosecinstitute.com/insider-vs-outsider-threats-identify-… *** Antiquated environment and bad security practices aided OPM hackers *** --------------------------------------------- By now, youve all heard about the massive breach at the US Office of Personnel Managements (OPM), and that the attackers have accessed (and likely made off with) personal information .. --------------------------------------------- http://www.net-security.org/secworld.php?id=18484 *** Plex verschl�sselt Verbindung zur eigenen Medienzentrale *** --------------------------------------------- Den bisher größte Einsatz von Sicherheitszertifikaten heftet sich die Medienzentrale Plex auf die eigenen Fahnen. In einer Kooperation mit DigiCert bekommen sämtliche Nutzer der Software ein kostenloses SSL/TLS-Zertifikat für ihren Server ausgestellt. --------------------------------------------- http://derstandard.at/2000017144835 *** DSA-3281 - Debian Security Team PGP/GPG key change notice *** --------------------------------------------- This is a notice that the Debian Security Team has changed its PGP/GPGcontact key because of a periodic regular key rollover. --------------------------------------------- https://www.debian.org/security/2015/dsa-3281 *** Matryoshka dolls: analysing a packer for CTB locker *** --------------------------------------------- We recently encountered a phishing campaign distributing CTB locker. Victims were sent an e-mail that appeared to be from a Dutch webshop, with the e-mail describing a Fifa15 order for Playstation 3. While no one uses PS3 anymore , there were users who .. --------------------------------------------- https://www.dearbytes.com/en/nieuws/matroesjka-poppen-ctb-locker/ *** Raub im Zug: Datendiebstahl - ganz analog *** --------------------------------------------- Banden stehlen Handys und Laptops von Managern, um die Besitzer oder deren Firmen mit den erbeuteten Daten zu erpressen. --------------------------------------------- http://www.golem.de/news/raub-im-zug-datendiebstahl-ganz-analog-1506-114530… *** Malware zapft Kreditkartendaten von Oracle-Kassensystemen ab *** --------------------------------------------- Ein weiterer Schädling nistet sich in Point-of-Sales-Terminals ein und kopiert die Daten ahnungsloser Kreditkarten-Nutzer. MalaumPOS hat es auf ein weit verbreitetes Kassensystem von Oracle abgesehen. --------------------------------------------- http://heise.de/-2680638 *** Bugtraq: strongswan security update *** --------------------------------------------- Alexander E. Patrakov discovered an issue in strongSwan, an IKE/IPsec suite used to establish IPsec protected links. When an IKEv2 client authenticates the server with certificates and the client authenticates itself to the server using pre-shared key or EAP, the constraints on the .. --------------------------------------------- http://www.securityfocus.com/archive/1/535708 *** Zeus Isn�t Dead, New Version Evades All Antivirus Detection Tools *** --------------------------------------------- The venerable Zeus banking Trojan has been killed off many times; disappearing from the global Internet time and time again only to reappear with new modifications designed .. --------------------------------------------- http://www.pcrisk.com/internet-threat-news/9068-zeus-evades-all-antivirus-d… *** Many Drug Pumps Open to Variety of Security Flaws *** --------------------------------------------- In April, a security researcher disclosed a litany of severe vulnerabilities in the PCA3 drug-infusion pump manufactured by a company named Hospira. He went so far as to .. --------------------------------------------- http://threatpost.com/many-drug-pumps-open-to-variety-of-security-flaws/113…

1 0

Tageszusammenfassung - Freitag 5-06-2015
by Daily end-of-shift report 05 Jun '15

05 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 03-06-2015 18:00 − Freitag 05-06-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Zero-Day Disclosed in Unity Web Player *** --------------------------------------------- A zero-day vulnerability has been disclosed in the popular Unity Web Player browser plugin. The flaw allows an attacker crossdomain access to websites and services using the victims credentials. --------------------------------------------- http://threatpost.com/zero-day-disclosed-in-unity-web-player/113124 *** PCI Council releases PA-DSS 3.1, nixes SSL, early TLS *** --------------------------------------------- The PCI Security Standards Council revisions to PA-DSS addresses SSL vulnerabilities. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/Ybnmzlufdo4/ *** Embedded: Geldautomaten sollen von XP auf Windows 10 updaten *** --------------------------------------------- Die Branchenorganisation ATM Industry Association ruft die Hersteller dazu auf, bei Geldautomaten Windows 8 und 8.1. zu überspringen. Auf Windows XP ausruhen sollen sie sich nicht. --------------------------------------------- http://www.golem.de/news/embedded-geldautomaten-sollen-von-xp-auf-windows-1… *** ICS Amsterdam 2015 *** --------------------------------------------- SANS ICS Amsterdam 2015 hosts five dedicated training courses for those tasked with securing Industrial Control Systems as well as a two day ICS Security Summit. This specialist training event takes place at the Radisson Blue Amsterdam, from September 22nd - 28th. --------------------------------------------- https://www.sans.org/event/ics-amsterdam-2015 *** Critical vulnerabilities in JSON Web Token libraries *** --------------------------------------------- Great. So, what's wrong with that? ... Meet the "none" algorithm. --------------------------------------------- http://ab0files.com/critical-vulnerabilities-in-json-web-token-libraries *** Achtung: Offene Intranets verraten zu viel *** --------------------------------------------- Viele Organisationen haben ein eigenes Intranet. Manche stellen versehentlich vertrauliche Dokumente online, die über Google auffindbar sind. Wir haben uns per Google Beispiele herausgepickt. --------------------------------------------- http://heise.de/-2680058 *** Asprox / Kuluoz Botnet Analysis *** --------------------------------------------- Introduction Kuluoz, aka Asprox, is a spam botnet that emerged in 2007. It has been known for sending mass of phishing emails used in conjunction with social engineering lures (e.g. booking confirmations, postal-themed spam, etc.) This article presents a view on the malware and its capabilities, how it communicates with the CnC, encryption schemes used,... --------------------------------------------- http://resources.infosecinstitute.com/asprox-kuluoz-botnet-analysis/ *** WLAN-Trick soll Apple-Pay-Nutzern Kreditkartendaten entlocken *** --------------------------------------------- Angreifer können die automatische WLAN-Verbindungsaufnahme von iOS dazu nutzen, um mit einem manipulierten Apple-Pay-Dialog auf Kreditkartenfang zu gehen, warnt eine Sicherheitsfirma. --------------------------------------------- http://heise.de/-2680369 *** IBM Security Bulletins *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us *** McAfee ePolicy Orchestrator SSL/TLS spoofing *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/103610 *** Vulnerabilities in Cisco Products *** --------------------------------------------- *** Cisco FireSIGHT Management Center XSS and HTML Injection Vulnerabilities *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39171 *** Cisco ONS 15454 System Software Denial of Service Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39172 *** Cisco Edge 340 Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39187 *** Cisco TelePresence SX20 HTTP Response Splitting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39210 *** XZERES 442SR Wind Turbine CSRF Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a cross-site request forgery vulnerability in XZERES's 442SR turbine generator operating system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-155-01 *** Bugtraq: CA20150604-01: Security Notice for CA Common Services *** --------------------------------------------- http://www.securityfocus.com/archive/1/535684

1 0

Tageszusammenfassung - Mittwoch 3-06-2015
by Daily end-of-shift report 03 Jun '15

03 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 02-06-2015 18:00 − Mittwoch 03-06-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Your Website Hacked but No Signs of Infection *** --------------------------------------------- Imagine for a moment, you have a suspicion that you have somehow been hacked. You see that something is off, but you feel as if you are missing something. This is the emotionally draining world that many live in, with a paranoia and concern that grips you once you see and recognize that something is not right. --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/0D6hUcbKq34/your-website-hack… *** Holy SSH-it! Microsoft promises secure logins for Windows PowerShell *** --------------------------------------------- Now that the door has hit Ballmer on the way out, OpenSSH support is go Microsoft has finally decided to add support for SSH to PowerShell, allowing people to log into Windows systems and use software remotely over an encrypted connection. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/06/02/openssh_win… *** Bug des Tages: Skype hat eine "SMS des Todes" *** --------------------------------------------- Sending the characters "http://:" (without the quotes) crashes Skype, and receiving a message with those characters makes it crash any time you try to sign in again. --------------------------------------------- http://blog.fefe.de/?ts=ab900965 *** Good Patch Management Is Crucial to Cybersecurity in ICS *** --------------------------------------------- A good cybersecurity strategy for industrial control systems (ICS) must include both a systematic approach to patch management and compensating cybersecurity controls for when patching is not an option. Patch management resolves bugs, operability, reliability,... --------------------------------------------- http://feedproxy.google.com/~r/PaloAltoNetworks/~3/tK1mqdG1qkA/ *** IoT Devices Hosted On Vulnerable Clouds In Bad Neighborhoods *** --------------------------------------------- OpenDNS report finds that organizations may be more susceptible to Internet of Things devices than they realize. --------------------------------------------- http://www.darkreading.com/cloud/iot-devices-hosted-on-vulnerable-clouds-in… *** Mass break-in: researchers catch 22 more routers for the SOHOpeless list *** --------------------------------------------- A business model ripe for the bin Yet another disclosure tips 22 SOHO routers in the security bin, with everything from privilege escalation and authentication bypass to hard-coded credential backdoors. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/06/03/mass_breaki… *** Piwik: Unberechtigte können Webseiten-Statistiken abrufen *** --------------------------------------------- Installationen der Google-Analytics-Alternative Piwik sind häufig nicht korrekt konfiguriert und Dritte können ohne viel Aufwand Abrufstatistiken einsehen und sogar herunterladen. --------------------------------------------- http://heise.de/-2678572 *** SSH: Sechs Jahre alter Bug bedroht Github-Repositories *** --------------------------------------------- Ein Debian-Bug aus dem Jahr 2008 hinterlässt immer noch Spuren. Eine Analyse der öffentlichen SSH-Schlüssel bei Github zeigt: Mittels angreifbarer Schlüssel hätten Angreifer die Repositories von Projekten wie Python und Firmen wie Spotify oder Yandex manipulieren können. --------------------------------------------- http://www.golem.de/news/ssh-sechs-jahre-alter-bug-bedroht-github-repositor… *** Emergency Security Band-Aids with Systemtap *** --------------------------------------------- Software security vulnerabilities are a fact of life. So is the subsequent publicity, package updates, and suffering service restarts. Administrators are used to it, and users bear it, and it's a default and traditional method. On the other hand, in... --------------------------------------------- https://securityblog.redhat.com/2015/06/03/emergency-security-band-aids-wit… *** Krypto-Trojaner überlegt es sich anders und entschlüsselt alles wieder *** --------------------------------------------- Der Erpressungs-Trojaner Locker ist erst seit wenigen Tagen im Umlauf. Und schon ist seine Karriere wieder vorbei: Er hat vergangenen Dienstag den Befehl erhalten, alle verschlüsselten Dateien wiederherzustellen. --------------------------------------------- http://heise.de/-2678669 *** Hackers Scan All Tor Hidden Services To Find Weaknesses In The Dark Web *** --------------------------------------------- If you go down to the deep web today, you'll be following hot on the heels of a digital beast. In a matter of hours last week, the entire semi-anonymising Tor network, where activists and criminals alike try to hide from the gaze of their respective authorities, was traversed by PunkSPIDER, an automated scanner that pokes websites to uncover vulnerabilities. --------------------------------------------- http://www.forbes.com/sites/thomasbrewster/2015/06/01/dark-web-vulnerabilit… *** DSA-3277 wireshark - security update *** --------------------------------------------- Multiple vulnerabilities were discovered in the dissectors/parsers forLBMR, web sockets, WCP, X11, IEEE 802.11 and Android Logcat, which couldresult in denial of service. --------------------------------------------- https://www.debian.org/security/2015/dsa-3277 *** Vulnerabilities in Cisco Products *** --------------------------------------------- *** Cisco Unified MeetingPlace Microsoft Outlook Reflected Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39161 *** Cisco Unified MeetingPlace Session ID Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39162 *** Cisco AnyConnect Secure Mobility Client Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39158 *** Cisco Adaptive Security Appliance XAUTH Bypass Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39157 *** Cisco Unified MeetingPlace Arbitrary File Download Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39163 *** Beckwith Electric TCP Initial Sequence Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a TCP initial sequence numbers vulnerability in multiple Beckwith Electric products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-153-01 *** Moxa SoftCMS Buffer Overflow Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a buffer overflow vulnerability in the Moxa SoftCMS software package. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-153-02 *** [HTB23258]: Local PHP File Inclusion in ResourceSpace *** --------------------------------------------- Product: ResourceSpace v7.1.6513Vulnerability Type: PHP File Inclusion [CWE-98]Risk level: High Creater: Montala LimitedAdvisory Publication: May 6, 2015 [without technical details]Public Disclosure: June 3, 2015 CVE Reference: CVE-2015-3648 CVSSv2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) Vulnerability Details: High-Tech Bridge Security Research Lab discovered vulnerability in ResourceSpace, which can be exploited to include arbitrary local PHP file, execute PHP code, and compromise --------------------------------------------- https://www.htbridge.com/advisory/HTB23258 *** USN-2626-1: Qt vulnerabilities *** --------------------------------------------- Ubuntu Security Notice USN-2626-13rd June, 2015qt4-x11, qtbase-opensource-src vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04 Ubuntu 14.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryQt could be made to crash or run programs as your login if it opened aspecially crafted file.Software description qt4-x11 - Qt 4 libraries qtbase-opensource-src - Qt 5 libraries DetailsWolfgang Schenk discovered that Qt incorrectly handled certain malformedGIF... --------------------------------------------- http://www.ubuntu.com/usn/usn-2626-1/ Next End-of-Shift report on 2015-06-05

1 0

Tageszusammenfassung - Dienstag 2-06-2015
by Daily end-of-shift report 02 Jun '15

02 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 01-06-2015 18:00 − Dienstag 02-06-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Understanding Flash Exploitation and the Alleged CVE-2015-0359 Exploit *** --------------------------------------------- What follows is a detailed analysis of the root cause of a vulnerability we call CVE-2015-X, as well as a step-by-step explanation of how to trigger it. For more on Flash vulnerabilities, we also invite you... --------------------------------------------- http://feedproxy.google.com/~r/PaloAltoNetworks/~3/JsuXUOWrYYM/ *** DYRE Banking Malware Upsurges; Europe and North America Most Affected *** --------------------------------------------- Online banking users in Europe and North America are experiencing the upsurge of DYRE, a malware family notorious for the multiple ways it steals data and its ties to parcel mule scams, among others. There has been a 125% increase of DYRE-related infections worldwide this quarter compared to the last, proving that cybercriminal interest in... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/HyDW9pkWWws/ *** Malvertising infected millions of users in 2015 *** --------------------------------------------- New research from Malwarebytes has found that malvertising is one of the primary infection vectors used to reach millions of consumers this year. The analysis looked at the three large scale zero-... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/9go1s-jFKtc/malware_news.… *** Playing with IP Reputation with Dshield & OSSEC *** --------------------------------------------- [This blogpost has also been published as a guest diary on isc.sans.org] When investigating incidents or searching for malicious activity in your logs, IP reputation is a nice way to increase the reliability of generated alerts. It can help to prioritize incidents. Let's take an example with a WordPress blog. It will, sooner or later, be targeted by a brute-force attack on the default /wp-admin page. In... --------------------------------------------- http://blog.rootshell.be/2015/06/02/playing-with-ip-reputation-with-dshield… *** Bugtraq: WebDrive 12.2 (B4172) - Buffer Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/535663 *** Red Hat JBoss Fuse and A-MQ XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Files *** --------------------------------------------- http://www.securitytracker.com/id/1032442 *** Xen Security Advisories XSA-128, XSA-129, XSA-130, XSA-131 *** --------------------------------------------- Potential unintended writes to host MSI message data field via qemu, PCI MSI mask bits inadvertently exposed to guests, Guest triggerable qemu MSI-X pass-through error messages, Unmediated PCI register access in qemu --------------------------------------------- http://xenbits.xen.org/xsa/ *** USN-2625-1: Apache HTTP Server update *** --------------------------------------------- Ubuntu Security Notice USN-2625-12nd June, 2015apache2 updateA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTSSummarySeveral security improvements have been made to the Apache HTTP Server.Software description apache2 - Apache HTTP server DetailsAs a security improvement, this update makes the following changes tothe Apache package in Ubuntu 12.04 LTS:Added support for ECC keys and ECDH ciphers.The SSLProtocol configuration directive now allows specifying --------------------------------------------- http://www.ubuntu.com/usn/usn-2625-1/ *** USN-2624-1: OpenSSL update *** --------------------------------------------- Ubuntu Security Notice USN-2624-11st June, 2015openssl updateA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04 Ubuntu 14.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryThe export cipher suites have been disabled in OpenSSL.Software description openssl - Secure Socket Layer (SSL) cryptographic library and tools DetailsAs a security improvement, this update removes the export cipher suitesfrom the default cipher list to prevent their use in possible --------------------------------------------- http://www.ubuntu.com/usn/usn-2624-1/ *** Cisco Headend Digital Broadband Delivery System Cross-Site Request Forgery Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39133 *** HPSBGN03269 rev.2 - HP StoreAll OS, Remote Code Execution *** --------------------------------------------- A potential security vulnerability has been identified with HP StoreAll OS. This is the GNU C Library (glibc) vulnerability known as "GHOST" which could be exploited remotely resulting in execution of code. --------------------------------------------- https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04599438 *** PCRE Heap Overflow in Regex Processing Lets Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1032453

1 0

Tageszusammenfassung - Montag 1-06-2015
by Daily end-of-shift report 01 Jun '15

01 Jun '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 29-05-2015 18:00 − Montag 01-06-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Which malware lures work best? *** --------------------------------------------- More often than not, malware peddlers main goal is to deliver their malicious wares to the maximum number of users possible. Choosing the right lure is crucial to achieving that goal. Two researc... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/SXwL_z3NcUM/malware_news.… *** New Android NFC Attack Could Steal Money From Credit Cards Anytime Your Phone Is Near *** --------------------------------------------- Your NFC capable Android smartphone could be the newest weapon hackers use to steal money from the credit cards in your pocket, researchers find. In a presentation at Hack In The Box Security Conference in Amsterdam, security researchers Ricardo J. Rodriguez and Jose Vila presented a demo of a real world attack, to which all NFC capable Android phones are vulnerable. This attack, delivered through poisoned apps, exploits the NFC feature allowing unethical hackers to steal money from... --------------------------------------------- http://www.idigitaltimes.com/new-android-nfc-attack-could-steal-money-credi… *** Crypto flaws in Blockchain Android app sent Bitcoins to the wrong address *** --------------------------------------------- A comedy of programming errors could prove catastrophic for affected users. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/9dMUjIT6yyo/ *** HITB Amsterdam Wrap-Up Day #2 *** --------------------------------------------- I left Amsterdam after the closing keynote and I just arrived at home. This is my quick wrap-up for the second day of Hack in the Box! The second keynote was presented by John Matherly: "The return of the Dragons". John is the guy behind Shodan, the popular devices search engine. Shodan started because Nmap was not designed to scan the whole Internet. With Shodan, Stateless... --------------------------------------------- http://blog.rootshell.be/2015/05/29/hitb-amsterdam-wrap-up-day-2-2/ *** Adventures in Social Engineering: The Evil Reference *** --------------------------------------------- I recently completed a social engineering gig targeting four bank locations. After a phone call and a few e-mails, I was able to grab some victims NTLMv2 domain hashed credentials. The Approach I developed a fictitious persona to help me... --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Adventures-in-Social-En… *** Locker Ransomware Author Allegedly Releases Database Dump of Private Keys *** --------------------------------------------- Allegedly, the author of the "Locker" ransomware has uploaded a dump of the C2 server database, releasing private keys of infected hosts to the public. Allegedly, the author of the "Locker" ransomware has uploaded a dump of the C2 server database, releasing private keys of infected hosts worldwide to the public. The "author" claims that... --------------------------------------------- http://securityaffairs.co/wordpress/37346/cyber-crime/locker-ransomware-db-… *** Malware Evolution Calls for Actor Attribution? *** --------------------------------------------- What makes one novel strain of malicious software more dangerous or noteworthy than another? Is it the sheer capability and feature set of the new malware, or are these qualities meaningless without also considering the skills, intentions and ingenuity of the person wielding it? Most experts probably would say it's important to consider attribution insofar as it is knowable, but it's remarkable how seldom companies that regularly publish reports on the latest criminal innovations go... --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/8rYlMnG_kmU/ *** Intelligente Städte: "Smart wäre, wenn man den ganzen Quatsch lassen würde" *** --------------------------------------------- Der White-Hat-Hacker Felix Lindner ist entsetzt, wie wenig Wert Politik und Industrie auf den Schutz der digital vernetzten Stadt vor Cyberattacken legen. --------------------------------------------- http://www.heise.de/newsticker/meldung/Intelligente-Staedte-Smart-waere-wen… *** Researchers discover hidden shell in Hola VPN software *** --------------------------------------------- Hola, an Israeli company that develops a browser plug-in promoted heavily as a means to bypass region locks on Web-based content and anonymous surfing, faced a considerable amount of backlash last week - after it was discovered they were selling access to their users connections in what one researcher called "a poorly secured botnet."On Friday, 24-hours after the quasi-botnet operation was disclosed, a group of researchers released details on a number of critical vulnerabilities in... --------------------------------------------- http://www.csoonline.com/article/2929192/data-protection/researchers-discov… *** Unzählige Apps speichern private Daten unsicher in der Cloud *** --------------------------------------------- Auf den Cloud-Servern von Apple und Co. schlummern 56 Millionen nicht optimal geschützte Datensätze. Angreifer könnten vergleichsweise einfach Fotos, Adressdaten und weitere Infos abgreifen. --------------------------------------------- http://heise.de/-2671988 *** Blue Coat: SSL Visibility Appliance web based vulnerabilities, (Sun, May 31st) *** --------------------------------------------- Blue Coat has released a security advisory for SSL Visibility Appliance. The SSL Visibility Appliance is susceptible to multiple web-based vulnerabilities in the administration console. A remote attacker can use these vulnerabilities to obtain administrative access to the SSL Visibility Appliance. All versions of SSL Visibility prior to 3.8.4 are vulnerable. The vulnerabilities exist in the WebUI are: Cross-Site Request Forgery (CVE-2015-2852): Cross-site request forgery (CSRF) vulnerability... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19749&rss *** JSA10681 - 2015-05 Out of Cycle Security Bulletin: "Logjam" passive attack on sub-1024 DH groups, and active downgrade attack of TLS to DHE_EXPORT (CVE-2015-4000) *** --------------------------------------------- Affected Products: Junos OS (XNM-SSL)*, WXOS --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10681&actp=RSS *** Vulnerabilities in Cisco Products *** --------------------------------------------- *** Cisco Headend Digital Broadband Delivery System HTTP Response-Splitting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=38863 *** Cisco Conductor for Videoscape and Cisco Headend System Release HTTP Injection Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=38945 *** Cisco Headend System Release Archive File Download Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=38944 *** Cisco Headend System Release UDP TFTP and DHCP Denial of Service Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=38938 *** Cisco Unified MeetingPlace XML Processing Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39130 *** Multiple Cisco Products TCP Flood Denial of Service Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=38943 *** Security Advisory: cURL and libcurl vulnerability CVE-2015-3148 *** --------------------------------------------- (SOL16707) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/16000/700/sol16707.htm… *** Security Advisory: cURL and libcurl vulnerability CVE-2015-3143 *** --------------------------------------------- (SOL16704) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/16000/700/sol16704.htm… *** Novell Messenger 3.0 Support Pack 1 *** --------------------------------------------- Abstract: Novell Messenger 3.0 Support Pack 1 has been released. Please be aware that there are security fixes to Messengers server and client components (see the change log below and the Readme documentation on the web). It is recommended that they are updated on an expedited basis.Document ID: 5211030Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:consoleone1.3.6h_windows.zip (46.82 MB)nm301_full_linux_multi.tar.gz (269.53 MB)nm301_client_mac_multi.zip (40.61 --------------------------------------------- https://download.novell.com/Download?buildid=j6RbJAJrtC4~ *** IDM 4.5 MSGW Driver 4.0.1.0 *** --------------------------------------------- Abstract: This is a patch for the Managed System Gateway Driver (MSGW) for Identity Manager. It installs on Identity Manager version 4.5 but can be used on IDM 4.0.2. The version of this driver is 4.0.1.0Document ID: 5211010Security Alert: YesDistribution Type: Field Test FileEntitlement Required: NoFiles:IDM45_MSGW_4010.zip (4.68 MB)Products:Identity Manager 4.0.2Identity Manager 4.5Superceded Patches:IDM 4.0.2 MSGW Driver Version 4.0.0.6 --------------------------------------------- https://download.novell.com/Download?buildid=UQgGwYtht9c~ *** PHP Integer Overflows Let Remote Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1032433 *** PHP Multipart POST Request Processing Flaw Lets Remote Users Deny Service *** --------------------------------------------- http://www.securitytracker.com/id/1032432 *** PHP Functions That Permit Null Characters in Path Values May Let Remote Users Bypass Access Controls *** --------------------------------------------- http://www.securitytracker.com/id/1032431 *** Security Notice - Statement on Security Researchers Revealing Security Vulnerabilities in Huawei SOHO Products on Packet Storm Website *** --------------------------------------------- May 30, 2015 17:23 --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** Huawei Wimax CPE Bm632w Hidden Backdoor *** --------------------------------------------- Topic: Huawei Wimax CPE Bm632w Hidden Backdoor Risk: High Text:Exploit Title : Huawei Wimax CPE Bm632w Hidden Backdoor Date : 30 May 2015 Exploit Author : Koorosh Ghorbani Site : http://8... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015050183 *** Security Notice - Statement on Security Researchers Revealing Security Vulnerability in Huawei CPE Products on cxsecurity Website *** --------------------------------------------- Jun 01, 2015 14:48 --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** DSA-3275 fusionforge - security update *** --------------------------------------------- Ansgar Burchardt discovered that the Git plugin for FusionForge, aweb-based project-management and collaboration software, does notsufficiently validate user provided input as parameter to the method tocreate secondary Git repositories. A remote attacker can use this flawto execute arbitrary code as root via a specially crafted URL. --------------------------------------------- https://www.debian.org/security/2015/dsa-3275 *** DSA-3276 symfony - security update *** --------------------------------------------- Jakub Zalas discovered that Symfony, a framework to create websites andweb applications, was vulnerable to restriction bypass. It wasaffecting applications with ESI or SSI support enabled, that use theFragmentListener. A malicious user could call any controller via the/_fragment path by providing an invalid hash in the URL (or removingit), bypassing URL signing and security rules. --------------------------------------------- https://www.debian.org/security/2015/dsa-3276 *** ESC 8832 Data Controller Session Hijacking *** --------------------------------------------- Topic: ESC 8832 Data Controller Session Hijacking Risk: Medium Text:=begin # Exploit Title: ESC 8832 Data Controller multiple vulnerabilities # Date: 2014-05-29 # Platform: SCADA / Web Applica... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015050181

1 0

Tageszusammenfassung - Freitag 29-05-2015
by Daily end-of-shift report 29 May '15

29 May '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 28-05-2015 18:00 − Freitag 29-05-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** The Empire Strikes Back Apple - how your Mac firmware security is completely broken *** --------------------------------------------- [...] What is that hole after all? Is Dark Jedi hard to achieve on Macs? No, it's extremely easy because Apple does all the dirty work for you. What the hell am I talking about? Well, Apple's S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle. --------------------------------------------- https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-ma… *** HITB Amsterdam Wrap-Up Day #1 *** --------------------------------------------- The HITB crew is back in the beautiful city of Amsterdam for a new edition of their security conference. Here is my wrap-up for the first day! The opening keynote was assigned to Marcia Hofmann who worked for the EFF (the Electronic Frontier Foundation). Her keynote title was: "Fighting for Internet Security in the New Crypto Wars". EFF always fight for more privacy and she reviewed the history of encryption and... --------------------------------------------- http://blog.rootshell.be/2015/05/28/hitb-amsterdam-wrap-up-day-1-2/ *** Sicherheitslücken: Fehler in der Browser-Logik *** --------------------------------------------- Mit relativ simplen Methoden ist es dem 18-jährigen Webentwickler Bas Venis gelungen, schwerwiegende Sicherheitslücken im Chrome-Browser und im Flash-Plugin aufzudecken. Er ruft andere dazu auf, nach Bugs in der Logik von Browsern zu suchen. --------------------------------------------- http://www.golem.de/news/sicherheitsluecken-fehler-in-der-browser-logik-150… *** Tor: Hidden Services leichter zu deanonymisieren *** --------------------------------------------- Das Tor-Protokoll erlaubt es Angreifern relativ einfach, die Kontrolle über die Verzeichnisserver sogenannter Hidden Services zu erlangen. Dadurch ist die Deanonymisierung von Traffic deutlich einfacher als beim Zugriff auf normale Webseiten. --------------------------------------------- http://www.golem.de/news/tor-hidden-services-leichter-zu-deanonymisieren-15… *** Crypto flaws in Blockchain Android app sent Bitcoins to the wrong address *** --------------------------------------------- A comedy of programming errors could prove catastrophic for affected users. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/9dMUjIT6yyo/ *** ZyXEL schützt seine Router vor NetUSB-Lücke *** --------------------------------------------- Mit Sicherheits-Updates schließt der Netzwerkausrüster ZyXEL die kritische NetUSB-Lücke in allen betroffenen Modellen. --------------------------------------------- http://heise.de/-2671364 *** Lessons learned from Flame, three years later *** --------------------------------------------- Three years ago, on May 28th 2012, we announced the discovery of a malware known as Flame. Since that, we reported on many other advanced malware platform. Looking back at the discovery of Flame, here are some lessons we learned. --------------------------------------------- http://securelist.com/blog/opinions/70149/lessons-learned-from-flame-three-… *** Phishing Gang is Audacious Manipulator *** --------------------------------------------- Cybercriminals who specialize in phishing -- or tricking people into giving up usernames and passwords at fake bank and ecommerce sites -- arent generally considered the most sophisticated crooks, but occasionally they do exhibit creativity and chutzpah. Thats most definitely the case with a phishing gang that calls itself the "Manipulaters Team", whose Web site boasts that it specializes in brand research and development. --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/qKqrwDK8oQ8/ *** A Drafty House: Analysis of the Current Use of AWS EC2 Security Groups *** --------------------------------------------- After a very confusing set of results from a survey we ran and exploring the new world of threat detection and incident response in AWS, we decided to go out and do a little research to see how the world was faring with the new security features in Amazon AWS. In short, we can safely say there is a good chunk of the EC2 users who left their front door open (actually with this analogy they also left their back door, side window, and garage open). Our analysis showed that users are: Using... --------------------------------------------- https://feeds.feedblitz.com/~/93538286/0/alienvault-blogs~A-Drafty-House-An… *** Stegosploit hides malicious code in images, this is the future of online attacks *** --------------------------------------------- Stegosploit is the technique developed by the security researcher Saumil Shah that allows an attacker to embed executable JavaScript code within an image. The security researcher Saumil Shah from Net Square security has presented at Hack In The Box conference in Amsterdam his Stegosploit project which allows an attacker to embed executable JavaScript code within an... --------------------------------------------- http://securityaffairs.co/wordpress/37302/hacking/stegosploit-malware-image… *** Statistics on botnet-assisted DDoS attacks in Q1 2015 *** --------------------------------------------- One popular DDoS scenario is a botnet-assisted attack. In Q1 2015, 23,095 botnet-assisted DDoS attacks were reported. These statistics refer to those botnets which were detected and analyzed by Kaspersky Lab. --------------------------------------------- http://securelist.com/blog/research/70071/statistics-on-botnet-assisted-ddo… *** Linux Kernel __driver_rfc4106_decrypt() Buffer Overflow May Let Remote Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1032416 *** Pivotal Cloud Foundry directory traversal *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/103449 *** IBM Security Bulletins *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us *** IBM Cognos Business Intelligence Developer 10.2.1 (backURL) Open Redirect *** --------------------------------------------- Input passed via the backURL GET parameter in /p2pd/servlet/dispatch is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5244.php *** DSA-3274 virtualbox - security update *** --------------------------------------------- Jason Geffner discovered a buffer overflow in the emulated floppydisk drive, resulting in potential privilege escalation. --------------------------------------------- https://www.debian.org/security/2015/dsa-3274 *** IDS RTU 850 Directory Traversal Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a directory traversal vulnerability in IDS RTU 850C. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-148-01 *** Security Notice - Statement on Security Researchers Revealing Security Issues on Huawei Products in HITB SecConf *** --------------------------------------------- May 29, 2015 17:47 --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** Security Notice-Statement on the Wooyun-disclosed XSS Vulnerability in Huawei Smartphone Browser *** --------------------------------------------- May 29, 2015 17:43 --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** SSL-TLS Implementations Cipher Block Chaining Padding Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=36740 *** HPSBGN03332 rev.1 - HP Operations Analytics running SSLv3, Remote Denial of Service (DoS), Disclosure of Information *** --------------------------------------------- A potential security vulnerability has been identified in HP Operations Analytics running SSLv3. This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "Poodle", which could be exploited remotely resulting in Denial of Service (DoS) or disclosure of information. --------------------------------------------- https://h20566.www2.hp.com/hpsc/doc/public/display?ac.admitted=143290405142… *** HPSBMU03267 rev.2 - HP Matrix Operating Environment and HP CloudSystem Matrix running OpenSSL, Remote Disclosure of Information *** --------------------------------------------- Potential security vulnerabilities have been identified with the HP Matrix Operating Environment and HP CloudSystem Matrix running OpenSSL. These vulnerabilities comprise the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "POODLE", which could be exploited remotely to allow disclosure of information. --------------------------------------------- https://h20566.www2.hp.com/hpsc/doc/public/display?ac.admitted=143290406517… *** HPSBMU03263 rev.3 - HP Insight Control running OpenSSL, Remote Disclosure of Information *** --------------------------------------------- Potential security vulnerabilities have been identified with HP Insight Control running OpenSSL. These vulnerabilities include the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "POODLE", which could be exploited remotely to allow disclosure of information. --------------------------------------------- https://h20566.www2.hp.com/hpsc/doc/public/display?ac.admitted=143290408721… *** HPSBMU03261 rev.2 - HP Systems Insight Manager running OpenSSL on Linux and Windows, Remote Disclosure of Information *** --------------------------------------------- Potential security vulnerabilities have been identified with HP Systems Insight Manager running OpenSSL on Linux and Windows. These vulnerabilities are related to the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "POODLE", which could be exploited remotely to allow disclosure of information. --------------------------------------------- https://h20566.www2.hp.com/hpsc/doc/public/display?ac.admitted=143290410464…

1 0

Tageszusammenfassung - Donnerstag 28-05-2015
by Daily end-of-shift report 28 May '15

28 May '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 27-05-2015 18:00 − Donnerstag 28-05-2015 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Multiple vulnerabilities in Cisco products *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39012 http://tools.cisco.com/security/center/viewAlert.x?alertId=39013 http://tools.cisco.com/security/center/viewAlert.x?alertId=39015 http://tools.cisco.com/security/center/viewAlert.x?alertId=38349 http://tools.cisco.com/security/center/viewAlert.x?alertId=39041 http://tools.cisco.com/security/center/viewAlert.x?alertId=39042 *** Microsoft to Detect Search Protection Code as Malware *** --------------------------------------------- Microsoft security products will begin detecting software containing search protection functions and classifying it as malicious on June 1. --------------------------------------------- http://threatpost.com/microsoft-to-detect-search-protection-code-as-malware… *** ZDI-15-246: (0Day) Wavelink Emulation ConnectPro TermProxy WLTermProxyService.exe HTTP Request Headers Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Wavelink Emulation ConnectPro TermProxy. User interaction is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-15-246/ *** ZDI-15-245: (0Day) Wavelink Emulation License Server LicenseServer.exe HTTP Request Headers Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Wavelink Emulation License Server. User interaction is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-15-245/ *** Ransomware threat Locker has sleeper component *** --------------------------------------------- KnowBe4 is alerting IT managers to be vigilant of a new ransomware threat that leverages a sleeper function. --------------------------------------------- http://www.scmagazine.com/alert-warns-it-managers-of-locker-ransomware/arti… *** Apple iOS Notification Processing Flaw Lets Remote Users Deny Service *** --------------------------------------------- http://www.securitytracker.com/id/1032408 *** Angler exploit kit pushing CryptoWall 3.0, (Thu, May 28th) *** --------------------------------------------- In the past two days, Ive infected two hosts from Angler exploit kit (EK) domains at 216.245.213.0/24. Both hosts were infected with CryptoWall 3.0 ransomware using the same bitcoin address for the ransom payment: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB On Tuesday, 2015-05-26 at 15:17 UTC, .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19737 *** APPLE-SA-2015-05-27-1 OS X: Flash Player plug-in blocked *** --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2015/May/msg00002.ht… *** Splunk Enterprise 6.1.8, 6.0.9, and 5.0.13 address multiple vulnerabilities *** --------------------------------------------- Splunk Enterprise 6.1.8, 6.0.9, and 5.0.13 address multiple vulnerabilities Multiple vulnerabilities in OpenSSL versions before 1.0.1m and 0.9.8zf (SPL-98351) At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on .. --------------------------------------------- http://www.splunk.com/view/SP-CAAAN4P *** Grabit and the RATs *** --------------------------------------------- Not so long ago, Kaspersky clients in the United States approached Kaspersky researchers with a request to investigate a new type of malicious software that they were able to recover from their organizations' servers. The malware calls itself Grabit. --------------------------------------------- http://securelist.com/blog/research/70087/grabit-and-the-rats/ *** Trend Micro Discovers Apache Cordova Vulnerability that Allows One-Click Modification of Android Apps *** --------------------------------------------- We've discovered a vulnerability in the Apache Cordova app framework that allows attackers to modify the behavior of apps just by clicking a URL. The extent of the modifications can range from causing nuisance for app users to crashing the .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-disc… *** SAP HANA Log Injection *** --------------------------------------------- Under certain conditions the SAP HANA XS engine is vulnerable to arbitrary log injection, allowing remote authenticated attackers to write arbitrary information in log files. This could be .. --------------------------------------------- http://cxsecurity.com/issue/WLB-2015050172 *** SAP HANA Information Disclosure *** --------------------------------------------- Under certain conditions some SAP HANA Database commands could be abused by a remote authenticated attacker to access information which is restricted. This could be used to gain access .. --------------------------------------------- http://cxsecurity.com/issue/WLB-2015050171 *** SOPHOS WAF JSON Filter Bypass *** --------------------------------------------- Topic: SOPHOS WAF JSON Filter Bypass Risk: Low Text:SECURITYLABS INTELLIGENT RESEARCH - SECURITY ADVISORY http://www.securitylabs.com.br/ ADVISORY/0115 - SOPHOS WAF (WEBSERV... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015050169 *** Phishers register domain names, hammer traditional targets *** --------------------------------------------- The number of domain names used for phishing reached an all-time high, according to a new report by the the Anti-Phishing Working Group (APWG). Many of these were registered by .. --------------------------------------------- http://www.net-security.org/secworld.php?id=18429 *** Crash-Benachrichtigung für iOS-Geräte: Apple stellt Bugfix in Aussicht *** --------------------------------------------- Apple will den 'Unicode of Death'-Fehler, der iPhone und iPad durch eine bestimmte Zeichenfolge zum Absturz bringt, mit einem Software-Update beheben - das Problem betrifft weit mehr als nur iMessage. --------------------------------------------- http://heise.de/-2669432 *** Oracle PeopleSoft admin credentials open to hackers *** --------------------------------------------- SAP Security experts discovered a number of unpatched vulnerabilities and weaknesses in Oracle PeopleSoft that could be exploited to obtain admin passwords. The SAP security experts, Alexander Polyakov and Alexey Tyurin, revealed that Oracle .. --------------------------------------------- http://securityaffairs.co/wordpress/37270/hacking/oracle-peoplesoft-vulnera… *** Bugtraq: [SEARCH-LAB advisory] More than fifty vulnerabilities in D-Link NAS and NVR devices *** --------------------------------------------- http://www.securityfocus.com/archive/1/535626 *** IDS, IPS and UTM - What's the Difference? *** --------------------------------------------- In our last webcast, we learned about lingering and general confusion over these crazy acronyms IDS and IPS, and how they are like or unlike UTM software modules. Everyone likes primers and simple descriptive definitions, .. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/ids-ips-and-utm-whats-…

1 0

Tageszusammenfassung - Mittwoch 27-05-2015
by Daily end-of-shift report 27 May '15

27 May '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 26-05-2015 18:00 − Mittwoch 27-05-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** This is not the UEFI backdoor you are looking for *** --------------------------------------------- This is currently the top story on the Linux subreddit. It links to this Tweet which demonstrates using a System Management Mode backdoor to perform privilege escalation under Linux. This is not a story.But first, some background. System Management Mode (SMM) is a feature in most x86 processors since the 386SL back in 1990. It allows for certain events to cause the CPU to stop executing the OS, jump to an area of hidden RAM and execute code there instead, and then hand off back to the OS... --------------------------------------------- http://mjg59.dreamwidth.org/35110.html *** Breach detection: Five fatal flaws and how to avoid them *** --------------------------------------------- When the Sarbanes-Oxley Act of 2002 was passed, it fell on corporate security teams to translate its requirements into technical controls. That threw the IT Security function into the deep end of the ... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/uoHRSOyKltE/article.php *** Five Mistakes MSSPs Should Avoid *** --------------------------------------------- MSSPs, or Managed Security Service Providers, are at an exciting point where market acceptance, awareness and demand have converged. I view this as a positive for a potential MSSP but also for the customers and businesses they will protect, enhancing security for everyone. However, excitement and the prospect of profits can create haste, and with haste comes an increased risk of mistakes. In my role at AlienVault, Ive been fortunate enough to work with and help ensure the success of a number of... --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/five-mistakes-mssps-sh… *** Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities *** --------------------------------------------- Docker Hub is a central repository for Docker developers to pull and push container images. We performed a detailed study on Docker Hub images to understand how vulnerable they are to security threats. Surprisingly, we found that more than 30% of official repositories contain images that are highly susceptible to a variety of security attacks (e.g., Shellshock, Heartbleed, Poodle, etc.). For general images... --------------------------------------------- http://www.banyanops.com/blog/analyzing-docker-hub/ *** Jetzt patchen: Synology-NAS über Fotoalbum angreifbar *** --------------------------------------------- Synologys Web-Fotoalbum Photo Station gewährt Angreifern ungewollt Zugriff auf DiskStation NAS-Systeme. Wer nicht will, dass Fremde beliebigen Code auf dem eigenen NAS ausführen, sollte den Patch des Herstellers jetzt einspielen. --------------------------------------------- http://heise.de/-2668853 *** How to Prevent a Domain Name Theft *** --------------------------------------------- 1. Introduction The domain names may cost far more than a real estate. For instance, Facebook paid USD 8.5 million to buy fb.com. The high prices of the domain names attract not only businesses, but also thieves. The domain name theft can be huge trouble for companies because it effects their brand and reputation. This... --------------------------------------------- http://resources.infosecinstitute.com/how-to-prevent-a-domain-name-theft/ *** SQL-Injection-Lücke in xt:Commerce *** --------------------------------------------- Sicherheitsupdates schließen in der Shop-Software eine Lücke, durch die Angreifer potenziell Datenbankbefehle einschleusen können. --------------------------------------------- http://heise.de/-2667569 *** Possible Wordpress Botnet C&C: errorcontent.com, (Tue, May 26th) *** --------------------------------------------- Thanks to one of our readers, for sending us this snipped of PHP he found on a Wordpress server (I added some line breaks and comments in red for readability): #2b8008# ">">/* turn off error reporting */ @ini_set(display_errors ">/* do not display errors to the user */ $wp_mezd8610 = @$_SERVER[HTTP_USER_AGENT">/* only run the code if this is Chrome or IE and not a bot */ if (( preg_match (/Gecko|MSIE/i, $wp_mezd8610) !preg_match (/bot/i, $wp_mezd8610))) { --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19733&rss *** Researchers Exploit Patched Windows Group Policy Bug *** --------------------------------------------- Researchers from Core Security were able to exploit a security vulnerability in Windows group policy -- MS15-011 -- that was patched by Microsoft in February. --------------------------------------------- http://threatpost.com/researchers-exploit-patched-windows-group-policy-bug/… *** Online-Dienst erstellt maßgeschneiderte Krypto-Trojaner *** --------------------------------------------- Die Einstiegshürde für angehende Online-Erpresser ist erneut gesunken: Ein Dienst im Tor-Netz erstellt nach wenigen Klicks den individuellen Erpressungs-Trojaner. Falls ein Opfer das geforderte Lösegeld zahlt, verdienen die Betreiber mit. --------------------------------------------- http://heise.de/-2668860 *** Security: Zwei neue Exploits auf Router entdeckt *** --------------------------------------------- Unsichere Router sind aktuell von gleich zwei Versionen von Malware bedroht. Die eine verteilt Spam über soziale Medien, die andere leitet Anfragen auf manipulierte Webseiten um. (Router, Virus) --------------------------------------------- http://www.golem.de/news/security-zwei-neue-exploits-auf-router-entdeckt-15… *** extjs Arbitrary File Read / ssrf Vulnerability *** --------------------------------------------- Topic: extjs Arbitrary File Read / ssrf Vulnerability Risk: High Text:Hi all： Baidu Security Team found a vulnerability in extjs,with this vulnerability we can read arbitrary file and request... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015050162 *** USN-2622-1: OpenLDAP vulnerabilities *** --------------------------------------------- Ubuntu Security Notice USN-2622-126th May, 2015openldap vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04 Ubuntu 14.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryOpenLDAP could be made to crash if it received specially crafted networktraffic.Software description openldap - OpenLDAP utilities DetailsIt was discovered that OpenLDAP incorrectly handled certain search queriesthat returned empty attributes. A remote attacker could use this issue tocause... --------------------------------------------- http://www.ubuntu.com/usn/usn-2622-1/ *** Cisco IP Phone 7861 Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39011 *** ZDI-15-240: Dell NetVault Backup Heap Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell NetVault Backup. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/y6osEWmyti0/ *** ZDI-15-244: Arcserve Unified Data Protection Management Service EdgeServiceImpl getBackupPolicies Information Disclosure Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to disclose information on vulnerable installations of Arcserve Unified Data Protection. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/NFGleCbsATc/ *** ZDI-15-243: Arcserve Unified Data Protection Management Service EdgeServiceImpl getBackupPolicy Information Disclosure Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to disclose information on vulnerable installations of Arcserve Unified Data Protection. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/OV8j2fD9GSM/ *** ZDI-15-242: Arcserve Unified Data Protection Management Service exportServlet Directory Traversal Information Disclosure and Denial of Service Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to disclose and delete files on vulnerable installations of Arcserve Unified Data Protection. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/CxxqPV5u-0s/ *** ZDI-15-241: Arcserve Unified Data Protection Management Service reportFileServlet Directory Traversal Information Disclosure and Denial of Service Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to disclose and delete files on vulnerable installations of Arcserve Unified Data Protection. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/MNmtjnSQ_b4/ *** SAP NetWeaver XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information *** --------------------------------------------- SAP NetWeaver XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information --------------------------------------------- http://www.securitytracker.com/id/1032402 *** Security Advisory: Point-to-Point Protocol (PPP) vulnerability CVE-2015-3310 *** --------------------------------------------- (SOL16686) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/16000/600/sol16686.htm… *** lighttpd Input Validation Flaw Lets Remote Users Inject Log File Entries *** --------------------------------------------- lighttpd Input Validation Flaw Lets Remote Users Inject Log File Entries --------------------------------------------- http://www.securitytracker.com/id/1032405 *** Rockwell Automation RSView32 Weak Encryption Algorithm on Passwords *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on May 12, 2015, and is being released to the NCCIC/ICS-CERT web site. This advisory provides mitigation details for a password encryption vulnerability in RSView32. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-132-02 *** Thycotic Password Manager Secret Server iOS Application MITM *** --------------------------------------------- Topic: Thycotic Password Manager Secret Server iOS Application MITM Risk: Medium Text:Thycotic Password Manager Secret Server iOS Application - MITM SSL Certificate Vulnerability -- http://www.info-sec.ca/adviso... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015050167

1 0

Tageszusammenfassung - Dienstag 26-05-2015
by Daily end-of-shift report 26 May '15

26 May '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 22-05-2015 18:00 − Dienstag 26-05-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Annual Privacy Forum 2015: Call for Papers and latest news *** --------------------------------------------- The Annual Privacy Forum (APF) meeting will be taking place on the 7th and 8th of October 2015 in Luxembourg, during its Presidency of the Council of the EU. This year, the main focus of the APF will be on privacy of electronic communications. Current open calls:... --------------------------------------------- http://www.enisa.europa.eu/media/news-items/annual-privacy-forum-2015-call-… *** Securing Web APIs: The Basics with Node.js Examples *** --------------------------------------------- Introduction Public-facing APIs have tremendously increased in the last couple of years. Businesses have seen that sharing their business data with the public can be beneficial. There are many reasons for this: such as the fact that it allows the API users to create something new and interesting with the shared data, and that APIs... --------------------------------------------- http://resources.infosecinstitute.com/securing-web-apis-the-basics-with-nod… *** Android: Schlüssel werden auf zurückgesetzten Smartphones nicht gelöscht *** --------------------------------------------- Auf zurückgesetzten Android-Smartphones lassen sich Daten wiederherstellen, auch auf solchen, die zuvor verschlüsselt wurden. Anwender können kaum etwas dagegen tun. --------------------------------------------- http://www.golem.de/news/android-schluessel-werden-auf-zurueckgesetzten-sma… *** Recent Breaches a Boon to Extortionists *** --------------------------------------------- The recent breaches involving the leak of personal data on millions of customers at online hookup site Adult Friend Finder and mobile spyware maker mSpy give extortionists and blackmailers plenty of ammunition with which to ply their trade. And there is some evidence that neer-do-wells are actively trading this data and planning to abuse it for financial gain. --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/spK0KOTLf64/ *** Travel smart: Tips for staying secure on the road *** --------------------------------------------- Cybercriminals dont take vacations. In fact, they feast on tourists and travelers, taking advantage of people when their guards are down or when theyre distracted by other pursuits. Wombat Security Technologies pulled together four essential tips from our security awareness and training materials that you can use to stay safe when you travel --------------------------------------------- http://www.net-security.org/secworld.php?id=18421 *** How to Pass-the-Hash with Mimikatz *** --------------------------------------------- A hidden gem in mimikatz is its ability to create a trust relationship from a username and password hash. --------------------------------------------- http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/ *** Windows Functions in Malware Analysis - Cheat Sheet - Part 1 *** --------------------------------------------- In this article, we will learn briefly about the various windows functions commonly encountered by malware analysts. Windows Functions Accept: This function is used to listen for incoming connections. This function indicates that the program will listen for incoming connections on a socket. It is mostly used by malware to communicate with their Command and... --------------------------------------------- http://resources.infosecinstitute.com/windows-functions-in-malware-analysis… *** Exploit-Kit greift über 50 Router-Modelle an *** --------------------------------------------- Wer einen unsicher konfigurierten Router betreibt, könnte schon bald Probleme bekommen: Ein Virenforscher hat ein Exploit-Kit entdeckt, das zahlreiche Router-Modelle bekannter Hersteller angreifen kann. --------------------------------------------- http://heise.de/-2665387 *** How often should companies conduct web penetration testing? *** --------------------------------------------- Following our previous blog post "How long does website penetration testing take" we received a lot of questions from our customers and partners about the recommended frequency of penetration testing for their web applications. In this blog post we will answer that question. --------------------------------------------- https://www.htbridge.com/blog/how_often_conduct_web_penetration_testing.html *** Cisco Unified Communications Manager Multiple Vulnerabilities *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=38964 *** Cisco HCS Administrative Web Interface Arbitrary Command Execution Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=38969 *** IBM Security Bulletins *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us *** PostgreSQL Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1032396 *** Cacti Input Validation Flaw in graph.php Lets Remote Authenticated Users Inject SQL Commands *** --------------------------------------------- http://www.securitytracker.com/id/1032385 *** VU#551972: Synology Cloud Station sync client for OS X allows regular users to claim ownership of system files *** --------------------------------------------- Vulnerability Note VU#551972 Synology Cloud Station sync client for OS X allows regular users to claim ownership of system files Original Release date: 26 May 2015 | Last revised: 26 May 2015 Overview The Synology Cloud Station sync client for OS X contains a setuid root executable that allows regular users to claim ownership of system files. Description CWE-276: Incorrect Default Permissions - CVE-2015-2851The Synology Cloud Station sync client for OS X contains an executable named --------------------------------------------- http://www.kb.cert.org/vuls/id/551972 *** Bugtraq: Synology Photo Station multiple Cross-Site Scripting vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/535607 *** Bugtraq: Reflected Cross-Site Scripting in Synology DiskStation Manager *** --------------------------------------------- http://www.securityfocus.com/archive/1/535606 *** Bugtraq: Command injection vulnerability in Synology Photo Station *** --------------------------------------------- http://www.securityfocus.com/archive/1/535605 *** HP SiteScope Unspecified Flaw Lets Remote Authenticated Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1032395 *** GigPress <= 2.3.8 - Authenticated SQL Injection *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8003 *** NewStatPress 0.9.8 - XSS and SQL Injection *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8004

1 0

Tageszusammenfassung - Freitag 22-05-2015
by Daily end-of-shift report 22 May '15

22 May '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 21-05-2015 18:00 − Freitag 22-05-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Fake jQuery Scripts in Nulled WordPress Plugins *** --------------------------------------------- We recently investigated some random redirects on a WordPress website that would only happen to certain visitors. Traffic analysis showed us that it was not a server-side redirect, rather it happened due to some script loaded by the web pages. A quick look through the HTML code revealed this script: It was very suspicious for... --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/NmLDakrD_1U/fake-jquery-scrip… *** Researchers publish developer guidance for medical device security *** --------------------------------------------- The guidance is organized into 10 categories, and serves as "starting point for a more complete code," report authors said. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/jvWoZydXqwc/ *** Researchers observe SVG files being used to distribute ransomware *** --------------------------------------------- When downloaded and executed, the SVG files cause websites to open up that download what appears to be CryptoWall ransomware. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/Aa-yVI5Bd-A/ *** Exploring CVE-2015-1701 - A Win32k Elevation of Privilege Vulnerability Used in Targeted Attacks *** --------------------------------------------- Our analysis of the win32k.sys vulnerability used in a recent targeted attack reveals that it opens up an easy way to bypass the sandbox, making it a bigger threat than originally thought. As mentioned in Microsoft security bulletin MS15-051, CVE-2015-1701 is an elevation of privilege vulnerability that exists when the Win32k.sys kernel-mode driver improperly handles... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/RuzGqW0kQdY/ *** Digital Agenda Seminar: European Cyber Security Month *** --------------------------------------------- Within the context of European Cyber Security Month (ECSM) preparations, the ENISA team is organising several seminars and trainings in order to build up the coalition for Cybersecurity Education action. You are invited to participate in the second seminar in Berlin, Germany on June 5th, 2015. In this half-day seminar we discuss and provide the latest information on Digital Agenda topics such as e-skills, Network Information Security, educational tools and advocacy initiatives. To participate it is necessary to confirm participation to daria.catalui(a)enisa.europa.eu by June 4th, 2015. --------------------------------------------- http://www.enisa.europa.eu/media/news-items/digital-agenda-seminar-european… *** Daten von Millionen zurückgesetzten Android-Smartphones wiederherstellbar *** --------------------------------------------- Wer sein Android-Smartphone verkauft hat, muss befürchten, dass trotz gelöschten Gerätespeichers noch private Daten wie etwa Nachrichten und Log-in-Daten im Speicher schlummern, die unter Umständen wiedergehergestellt werden können. --------------------------------------------- http://heise.de/-2663267 *** Forensic Analysis of Smartphone Factory Reset Function *** --------------------------------------------- ADISA, the organisation that sets security standards around the secure disposal of IT Assets, has released new research into the forensic analysis of smartphone factory reset functions. Written by Steve Mellings, Founder of ADISA, and Professor Andrew Blyth of the University of South Wales, the white paper explores how effective smartphone factory reset functions actually are at removing data. This data is then used to offer businesses and individual users advice on how best to protect their... --------------------------------------------- http://www.informationsecuritybuzz.com/forensic-analysis-of-smartphone-fact… *** When Security Makes Users Asleep! *** --------------------------------------------- It's a fact, in industries or on building sites, professional people make mistakes or, worse, get injured. Why? Because their attention is reduced at a certain point. When you're doing the same job all day long, you get tired and lack of concentration. The same can apply in information security! For a long time, more and more solutions are deployed in companies to protect their data and users. Just... --------------------------------------------- http://blog.rootshell.be/2015/05/22/when-security-makes-users-asleep/ *** Citrix Security Advisory for DHE_EXPORT TLS Vulnerability CVE-2015-4000 *** --------------------------------------------- A TLS protocol vulnerability has been recently disclosed that could result in attackers being able to intercept and modify SSL/TLS encrypted traffic ... --------------------------------------------- http://support.citrix.com/article/CTX201114 *** Citrix Security Advisory for CVE-2015-3456 *** --------------------------------------------- Citrix is aware of the recent vulnerability that has been reported against the Xen hypervisor. This issue is known as the ... --------------------------------------------- http://support.citrix.com/article/CTX201078 *** python-kerberos checkPassword() spoofing *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/103310 *** Cisco Access Control Server Representational State Transfer Application Programming Interface Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=38946 *** ICU Buffer Overflows in resolveImplicitLevels() Let Remote Users Deny Service and Potentially Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1032366 *** Schneider Electric OFS Server Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a DLL hijacking vulnerability in the Schneider Electric OPC Factory Server (OFS) server application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-141-01 *** Emerson AMS Device Manager SQL Injection Vulnerability *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on April 21, 2015, and is being released to the NCCIC/ICS-CERT web site. This advisory provides mitigation details for an SQL injection vulnerability in the Emerson AMS Device Manager application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-111-01 *** OleumTech WIO Family Vulnerabilities (Update A) *** --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-14-202-01 OleumTech WIO Family Vulnerabilities that was published July 21, 2014. This advisory provides vulnerability details in the OleumTech WIO family including the sensors and the DH2 data collector. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-14-202-01A *** HPSBMU03336 rev.1- HP Helion OpenStack affected by VENOM, Denial of Service (DoS), Execution of Arbitrary Code *** --------------------------------------------- A potential security vulnerability has identitfied with HP Helion OpenStack. The vulnerability could be exploited resulting in Denial of Service (DoS) or execution of arbitrary code. --------------------------------------------- https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c… *Next End-of-Shift report on 2015-05-26*

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily