=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 14-07-2015 18:00 − Mittwoch 15-07-2015 18:00
Handler: Robert Waldner
Co-Handler: Otmar Lendl
*** July 2015 Security Updates ***
---------------------------------------------
Today we released security updates for Microsoft Windows, Microsoft Office, Microsoft SQL Server, and Internet Explorer. As a best practice, we encourage customers to apply security updates as soon as they are released. For more information about this month's security updates and advisories visit the Security TechNet Library. You can also follow the Microsoft Security Response Center (MSRC) team on Twitter at @MSFTSecResponse MSRC Team
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2015/07/14/july-2015-security-updat…https://technet.microsoft.com/en-us/library/security/MS15-JUL
*** TA15-195A: Adobe Flash and Microsoft Windows Vulnerabilities ***
---------------------------------------------
Original release date: July 14, 2015 Systems Affected Microsoft Windows systems with Adobe Flash Player installed. Overview Used in conjunction, recently disclosed vulnerabilities in Adobe Flash and Microsoft Windows may allow a remote attacker to execute arbitrary code with system privileges. Since attackers continue to target and find new vulnerabilities in popular, Internet-facing software, updating is not sufficient, and it is important to use exploit mitigation and other defensive
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA15-195A
*** Microsoft Patch Tuesday July 2015 ***
---------------------------------------------
Julys Patch Tuesday is here and brings with it a rather large 14 bulletins with 4 Critical and 10 Important rated patches. All combined this months release patches 59 vulnerabilities 29 of which are in the old stalwart Internet Explorer....
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Patch-Tuesday-July…
*** Adobe, MS, Oracle Push Critical Security Fixes ***
---------------------------------------------
This being the second Tuesday of the month, its officially Patch Tuesday. But its not just Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/GZ70l-ulAqw/
*** Oracle Critical Patch Update dichtet 193 Lücken ab ***
---------------------------------------------
Wie üblich bei Oracles quartalsweisen Updates stopft die Firma massenweise Lücken in fast allen ihrer Produkte. Sogar die Ghost-Lücke vom Januar feiert ein Comeback. Besonders die Updates für Java und MySQL sollten baldigst installiert werden.
---------------------------------------------
http://heise.de/-2750641
*** Microsoft Ends Support for Windows Server 2003, Migration a Must ***
---------------------------------------------
End-of-life fun times are coming to infosec departments everywhere again. Just a year after the announcement of Windows XP's end-of-life, we see another body in the OS graveyard: Windows Server 2003. After July 14th, servers running this venerable OS will no longer be receiving any more security updates. This would leave you out in the cold
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/sr3phsOSoFM/
*** Microsoft Security Essentials is no longer available for Windows XP ***
---------------------------------------------
We strongly recommend that you complete your migration to a supported operating system as soon as possible so that you can receive regular security updates to help protect your computer from malicious attacks.
---------------------------------------------
http://windows.microsoft.com/en-us/windows/security-essentials-download?os=…
*** Cisco Packet Data Network Gateway IP Stack Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39907
*** Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39872
*** Unit 42 Technical Analysis: Seaduke ***
---------------------------------------------
Earlier this week Symantec released a blog post detailing a new Trojan used by the "Duke" family of malware. Within this blog post, a payload containing a function named "forkmeiamfamous" was mentioned. While performing some ...
---------------------------------------------
http://feedproxy.google.com/~r/PaloAltoNetworks/~3/y_CGsjS6Bio/
*** An In-Depth Look at How Pawn Storm's Java Zero-Day Was Used ***
---------------------------------------------
Operation Pawn Storm is a campaign known to target military, embassy, and defense contractor personnel from the United States and its allies. The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns. Over the past year or so, we have seen numerous techniques and tactics
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/gJtU9nel0NM/
*** Hideouts for Lease: The Silent Role of Bulletproof Hosting Services in Cybercriminal Operations ***
---------------------------------------------
What do LeaseWeb, Galkahost, and Spamz have in common? All of them, at one point or another, have functioned as cybercriminal hideouts in the form of bulletproof hosting services (BPHS). Simply put, BPHS is any hosting facility that can store any type of malicious content like phishing sites, pornography, and command-and-control (C&C) infrastructure.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Ojxl_6lsUjU/
*** DFN-CERT-2015-1068/ BlackBerry Link: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1068/
*** Rootkits: User Mode ***
---------------------------------------------
In this article, we will learn about what rootkits are and how they operate. The focus will be on two types of Rootkits exploits: User Mode & Kernel Mode, what are the various ways in which rootkits exploit in both modes.
---------------------------------------------
http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-1/
*** Rootkits: Kernel Mode ***
---------------------------------------------
We have learned in part one of this series about the Rootkits and how they operate in User Mode, in this part of the series we will up the ante and look at the other part where rootkits operate, i.e. Kernel Mode.
---------------------------------------------
http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-2/
*** Rootkits: User Mode & Kernel Mode-Part 2 ***
---------------------------------------------
We have learned in part one of this series about the Rootkits and how they operate in User Mode, in this part of the series we will up the ante and look at the other part where rootkits operate, i.e. Kernel Mode.
---------------------------------------------
http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-2/
*** FBI paid Hacking Team to identify Tor users ***
---------------------------------------------
Documents leaked online after the Hacking Team data breach revealed that the company supported the FBI in the investigation on Tor users. While the security experts are continuing to analyze the impressive amount of data stolen from the Hacking Team, new revelation are circulating over the Internet. Among the clients of the Italian security firm, there ...
---------------------------------------------
http://securityaffairs.co/wordpress/38601/cyber-crime/fbi-hacking-team-tor.…
*** Government Grade Malware: a Look at HackingTeam's RAT ***
---------------------------------------------
We have our hands on the code repositories of HackingTeam, and inside of them we've found the source code for a cross-platform, highly-featured, government-grade RAT (Remote Access Trojan). It's rare that we get to do analysis of complex malware at the source-code level, so I couldn't wait to write a blog about it!
---------------------------------------------
http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hacki…
*** Epic Games, Epic Fail: Forumers info blown into dust by hack ***
---------------------------------------------
Company sorry for the inconvenience caused. Great Epic Games, known for its Unreal Engine and the Games of War series, sent a grovelling letter to its forum users this morning explaining that a hack "may have resulted in unauthorised access to your username, email address, password, and the date of birth you provided at registration."
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/15/epic_games_…
*** Details on Internet-wide Scans from SBA ***
---------------------------------------------
To clarify what we are scanning on the Internet, here are some details on the project and which tools we use. Most importantly: if you want your IP to be excluded from future scans, please send an email to abuse(a)sba-research.org. For quite some time now we scan Internet-wide for well-known ports that use TLS, most ...
---------------------------------------------
https://www.sba-research.org/2015/07/15/details-on-internet-wide-scans-from…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 13-07-2015 18:00 − Dienstag 14-07-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Been hacked? Now to decide if you chase the WHO or the HOW ***
---------------------------------------------
Imagine a security researcher has plucked your customer invoice database from a command and control server. Youre nervous and angry. Your boss will soon be something worse and will probably want you to explain who pulled off the heist, and how. But only one of these questions, the how, is worth your precious resources; security experts say the who is an emotional distraction.
---------------------------------------------
http://www.theregister.co.uk/2015/07/14/attribution_feature/
*** Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems ***
---------------------------------------------
Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets' systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running. They have written a procedure specifically for Insyde BIOS (a very popular BIOS vendor for laptops). However, the code can very likely work on AMI BIOS as well. A Hacking Team slideshow...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-use…
*** Lowering Defenses to Increase Security ***
---------------------------------------------
Starting at WhiteHat was a career change for me. I wasn't sure exactly what to expect, but I knew there was a lot of unfamiliar terminology: "MD5 signature", "base64", "cross-site request forgery", "'Referer' header", to name a few. When I started testing real websites, I was surprised that a lot of what I was doing...
---------------------------------------------
https://blog.whitehatsec.com/lowering-defenses-to-increase-security/
*** Adobe Updates Flash Player, Shockwave and PDF Reader, (Tue, Jul 14th) ***
---------------------------------------------
In a warm up to patch Tuesday, it looks like we have a new version for Adobe Flash Player, Shockwave Player and PDF Reader. Given that some of the exploits against the vulnerabilities patchedare public, you may want to expedite patching and review your Flash Player and browser configuration. the latest (patched) versions are (thanks Dave!): - FlashPlayer 18.0.0.209 - Flash Player EST 13.0.0.305 - Reader 10.1.15 - Reader 11.0.12 - Shockwave Player">12.1.9.159 Bulletins:
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19917&rss
*** Adobe: Look, honestly, we really do take Flash security seriously ***
*** Mozilla: Right, THATS IT. You, Flash, behind the shed with me. *snick snack* ***
*** FLASH MUST DIE, says Facebook security chief ***
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/adobe_respo…http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/firefox_blo…http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/facebook_fl…
*** Security Bulletins Posted ***
---------------------------------------------
Security Bulletins for Adobe Acrobat and Reader (APSB15-15), Adobe Shockwave Player (APSB15-17) and Adobe Flash Player (APSB15-18) have been published. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1247
*** SSA-632547 (Last Update 2015-07-14): Authentication Bypass Vulnerability in SICAM MIC ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** VU#919604: Kaseya Virtual System Administrator contains multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#919604 Kaseya Virtual System Administrator contains multiple vulnerabilities Original Release date: 13 Jul 2015 | Last revised: 13 Jul 2015 Overview Kaseya Virtual System Administrator (VSA), versions R9 and possibly earlier, contains arbitrary file download and open redirect vulnerabilities. Description CWE-22: Improper Limitation of Pathname to a Restricted Directory (Path Traversal) - CVE-2015-2862Kaseya VSA is an IT management platform with a help desk ticketing
---------------------------------------------
http://www.kb.cert.org/vuls/id/919604
*** Cisco Vulnerability Alerts ***
---------------------------------------------
*** Cisco Identity Services Engine Cross-Frame Scripting Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39871
*** Cisco TelePresence Integrator C Series Multiple Request Parameter Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39880
*** Cisco Identity Services Engine Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39873
*** Cisco Unified Communications Manager Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39877
*** Cisco FireSIGHT Management Center Cross-Site Scripting Vulnerabilities ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39879
*** Cisco Unified Communications Manager ccmivr Page Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39905
*** IBM Security Bulletins ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us
*** Moodle Bugs Permit Cross-Site Scripting and Open Redirect Attacks and Let Remote Authenticated Users Modify Data ***
---------------------------------------------
http://www.securitytracker.com/id/1032877
*** F5 Security Advisory: Multiple PHP CDF vulnerabilities CVE-2014-0237 and CVE-2014-0238 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16954.htm…
*** DFN-CERT-2015-1009: Django: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1009/
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 10-07-2015 18:00 − Montag 13-07-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Government Grade Malware: a Look at HackingTeam's RAT ***
---------------------------------------------
Security researchers the world over have been digging through the massive HackingTeam dump for the past five days, and what we've found has been surprising. I've heard this situation called many things, and there's one description that I can definitely agree with: it's like Christmas for hackers. "On the fifth day of Christmas Bromium sent to...
---------------------------------------------
http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hacki…
*** Pawn Storm Update: Trend Micro Discovers New Java Zero-Day Exploit ***
---------------------------------------------
Analysis and data by Brooks Li (Threats Analyst) and Feike Hacquebord (Senior Threat Researcher) Zero-day exploits continued to be used in targeted attacks because they are effective, given that software vendors have yet to create patches for them. Throughout our on-going investigation and monitoring of a targeted attack campaign, Operation Pawn Storm, we found suspicious URLs that...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/5OzXdZhhVhc/
*** New Zero-Day Vulnerability (CVE-2015-5123) in Adobe Flash Emerges from Hacking Team Leak ***
---------------------------------------------
After two Adobe Flash player zero-days disclosed in a row from the leaked data of Hacking Team, we discovered another Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123) that surfaced from the said leak. Adobe has already released a security advisory after we reported the said zero-day. This vulnerability is rated as critical and...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rV5yri4x48E/
*** Mit Windows 10 kommen Updates automatisch ***
---------------------------------------------
Windows 10-Kunden können sich künftig nur noch sehr begrenzt aussuchen, wann sie ein Update erhalten.
---------------------------------------------
http://futurezone.at/produkte/mit-windows-10-kommen-updates-automatisch/141…
*** Jump List Files Are OLE Files, (Sun, Jul 12th) ***
---------------------------------------------
Jump List files are another type of files that are actually OLE files. They can contain useful data for forensic investigations. There are a couple of tools that can extract information from these files. Here you can see oledump analyzing an automatic Jump List file: The stream DestList contains the Jump List data: There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files: The plugin takes an option...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19911&rss
*** Identifying the five principal methods of network attacks ***
---------------------------------------------
Companies are underestimating the risk of failing to provide security training to non-technical staff. A new Intel Security study, which surveyed IT decision makers in European-based companies, fo...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/gSbxVIXvO94/secworld.php
*** Mobile SSL failures: More common than they should be ***
---------------------------------------------
Securing your mobile application traffic is apparently more difficult than it should be, as researchers Anthony Trummer and Tushar Dalvi discovered when looking into SSL/TLS usage on the Android opera...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/dY8mHp2RDC4/article.php
*** Identifying and exploiting IBM WebSphere Application Server ***
---------------------------------------------
IBM WebSphere is application server similar to Tomcat, JBoss and WebLogic. Therefore, it should be interesting to any penetration tester doing enterprise scale work where Websphere might be present. It should be also interesting to anyone who is working on securing enterprise environment since Websphere allows deploying own (malicious or not) code to the server. I have written NSE scripts to identify IBM Websphere consoles of application servers and to brute force any usernames and passwords. I...
---------------------------------------------
https://k0st.wordpress.com/2015/07/13/identifying-and-exploiting-ibm-websph…
*** Start Secure 2015 - Sicherheits-Start-ups gesucht ***
---------------------------------------------
Der Wettbewerb "Start Secure 2015" wird gemeinsam vom Innenministerium und der futurezone veranstaltet. Als Organisationspartner fungieren SBA Research, das die Sieger-Start-ups auf Wunsch auch als Inkubator bei der Investorensuche berät, sowie das Kuratorium Sicheres Österreich.
---------------------------------------------
http://futurezone.at/thema/start-ups/sicherheits-start-ups-gesucht/139.420.…
*** Common Assessment Tool Cheatsheets ***
---------------------------------------------
I have an unhealthy obsession for time savers when im doing pentest work. Since a lot of my time is spent on the command line I love cheatsheets. I thought id use this thread to post some of the more awesome cheat sheets I find...
---------------------------------------------
https://forum.bugcrowd.com/t/common-assessment-tool-cheatsheets/502
*** Tunneling Data and Commands Over DNS to Bypass Firewalls ***
---------------------------------------------
No matter how tightly you restrict outbound access from your network, you probably allow DNS queries to at least one server. Adversaries can abuse this "hole" in your firewall to exfiltrate data and establish stealthy Command and Control (C2) channels that are very difficult to block. ... I am struggling to come up with a solution to plug this firewall "hole", but I have a few risk mitigation recommendations:...
---------------------------------------------
https://zeltser.com/c2-dns-tunneling/
*** Google Photo App Uploads Your Images To Cloud, Even After Uninstalling ***
---------------------------------------------
Have you ever seen any mobile application working in the background silently even after you have uninstalled it completely? I have seen Google Photos app doing the same. Your Android smartphone continues to upload your phone photos to Google servers without your knowledge, even if you have already uninstalled the Google Photos app from your device. Nashville Business...
---------------------------------------------
http://feedproxy.google.com/~r/TheHackersNews/~3/yxF2id-ZsHg/google-photo-a…
*** "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory ***
---------------------------------------------
Low-profile information-stealing Trojan is used only against high-value targets
---------------------------------------------
http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon…
*** BGP Hijacking - why you need to care! ***
---------------------------------------------
This came across our desk this morning when we were putting together Dragon News Bytes. There is lots of talk about what has been discovered in the recent reporting on the data dump from the Hacking Team incident. A lot of the reporting discusses the ethics of the company's services and whom they have been selling them to. Concentrating for a moment on the technology deployed in this activity, it is suggested that BGP hijacking was involved. This is described the article entitled...
---------------------------------------------
https://blog.team-cymru.org/2015/07/bgp-hijacking-why-do-you-need-to-care/
*** Allerletzter Aufruf: Support fÜr Windows 2003 Server endet ***
---------------------------------------------
Am 14. Juli ist endgÜltig Schluss. FÜr Windows 2003 Server liefert Microsoft keine Updates mehr aus, auch nicht bei Sicherheitsproblemen. Wobei auch hier zu gelten scheint: Ausnahmen bestÄtigen die Regel.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Allerletzter-Aufruf-Support-fuer-Win…
*** Hacking Team 0-day Flash Wave with Exploit Kits ***
---------------------------------------------
https://www.f-secure.com/weblog/archives/00002819.html
*** New PHP Releases Fix BACRONYM MySQL Flaw ***
---------------------------------------------
Several new versions of PHP have been released, all of which contain a number of bug fixes, most notably a patch for the so-called BACKRONYM vulnerability in MySQL. That bug in MySQL is caused by a problem with the way that the database software handles requests for secure connections. Researchers at Duo Security disclosed the...
---------------------------------------------
http://threatpost.com/new-php-releases-fix-bacronym-mysql-flaw/113740
*** The Adobe Flash Conundrum: Old Habits Die Hard ***
---------------------------------------------
Is it time to hop off the endless cycle of Flash vulnerabilities and updates? Last week has not been great for Adobe Flash. The 440GB of leaked Hacking Team emails has become a treasure trove for vulnerability hunters. Over the past 7 days, Flash was hit by three separate vulnerabilities: CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 At this time, only the...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/AmkybOPif7Y/
*** Bugtraq: ESA-2015-115: EMC RecoverPoint for Virtual Machines (VMs) Restriction Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/535981
*** Cisco Mobility Services Engine Control And Provisioning Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39825
*** Juniper Security Advisories ***
---------------------------------------------
*** Juniper Junos IPv6 SEND Processing Flaw Lets Remote Users Deny Service ***
http://www.securitytracker.com/id/1032849
*** Juniper Junos SRX Network Security Daemon Bug Lets Remote Users Deny Service ***
http://www.securitytracker.com/id/1032848
*** Juniper Junos EX4600 and QFX Series Unspecified Flaw Lets Remote Users Deny Service ***
http://www.securitytracker.com/id/1032847
*** Juniper Junos J-Web Bugs Let Remote Users Conduct Cross-Site Scripting and Denial of Service Attacks ***
http://www.securitytracker.com/id/1032846
*** Bugtraq: [security bulletin] HPSBGN03373 rev.1 - HP Release Control running TLS, Remote Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/535983
*** Cisco WebEx Meeting Center Reflected Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39782
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: Boost memory allocator vulnerability CVE-2012-2677 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16946.htm…
*** Security Advisory: Multiple SQLite vulnerabilities ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16950.htm…
*** Security Advisory: Mailx vulnerabilities CVE-2004-2771 and CVE-2014-7844 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16945.htm…
*** Security Advisory: Expat vulnerabilities CVE-2012-0876 and CVE-2012-1148 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16949.htm…
*** Splunk Enterprise and Splunk Light Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1032859
*** Squid CONNECT Method Peer Response Processing Flaw Lets Remote Users Bypass Security Controls ***
---------------------------------------------
http://www.securitytracker.com/id/1032873
*** PHP 5.x Security Updates, (Sun, Jul 12th) ***
---------------------------------------------
PHP 5.6.11, 5.5.27 and 5.4.43 were updated fixing numerous bugs in the various components of PHP including CVE-2015-3152. PHP recommend testing and upgrading to the current release. The binaries and packages are available here and the release notes here. [1] http://www.php.net/ChangeLog-5.php [2] http://windows.php.net/download/ ----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19907&rss
*** Joomla J2Store 3.1.6 SQL Injection ***
---------------------------------------------
Topic: Joomla J2Store 3.1.6 SQL Injection Risk: Medium Text:J2Store v3.1.6, a Joomla! extension that adds basic store functionality to a Joomla! instance, suffered from two unauthenticate...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015070053
*** DFN-CERT-2015-0907 FreeRADIUS: Eine Schwachstelle ermÖglicht das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0907/
*** DFN-CERT-2015-1030 strongSwan: Zwei Schwachstellen ermöglichen das Ausspähen von Informationen und Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1030/
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 09-07-2015 18:00 − Freitag 10-07-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Multiple vulnerabilities in Cisco TelePresence products ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39798http://tools.cisco.com/security/center/viewAlert.x?alertId=39802http://tools.cisco.com/security/center/viewAlert.x?alertId=39801http://tools.cisco.com/security/center/viewAlert.x?alertId=39795http://tools.cisco.com/security/center/viewAlert.x?alertId=39796http://tools.cisco.com/security/center/viewAlert.x?alertId=39800http://tools.cisco.com/security/center/viewAlert.x?alertId=39797
*** VMSA-2015-0005 ***
---------------------------------------------
VMware Workstation, Player and Horizon View Client for Windows do not set a discretionary access control list (DACL) for one of their processes. This may allow a local attacker to elevate their privileges and execute code in the security context of the affected process.
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0005.html
*** The Massive OPM Hack Actually Hit 21 Million People ***
---------------------------------------------
The massive hack that struck the US Office of Personnel Management affected some 21.5 million people, all of them people who had information stolen about them from a backgrounds investigation database used for evaluating people who sought classified clearances from the government.
---------------------------------------------
http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/
*** Yubikeys Zwei-Faktor-Authentifizierung unter Linux nutzen ***
---------------------------------------------
Mit Hilfe des Yubikeys lässt sich eine verschlüsselte Systempartition unter Linux zusätzlich per Zwei-Faktor-Authentifizierung absichern. In dieser Kombination kann auch ein bequemeres Kennwort genutzt werden.
---------------------------------------------
http://www.golem.de/news/systemverschluesselung-yubikeys-zwei-faktor-authen…
*** Magento-Patch: Update soll Kundendaten-Leck stopfen ***
---------------------------------------------
Im Shop-System Magento klaffen Lücken, die es Angreifern erlauben, Admin-Konten zu kapern und Kundendaten auszulesen. Der Hersteller hat jetzt einen Patch veröffentlicht, der Abhilfe schaffen soll.
---------------------------------------------
http://heise.de/-2747984
*** Hacking Team Shows the World How Not to Stockpile Exploits ***
---------------------------------------------
Bank robber Willie Sutton’s famous line about why he robs banks—“because that’s where the money is”—was particularly apt this week after the Italian firm Hacking Team was hacked and at least two zero-day exploits the firm possessed were spilled to the public, along with about 400 gigabytes of company emails and other data.
---------------------------------------------
http://www.wired.com/2015/07/hacking-team-shows-world-not-stockpile-exploit…
*** Rootkits: User Mode & Kernel Mode - Part 1 ***
---------------------------------------------
In this article, we will learn about what rootkits are and how they operate. The focus will be on two types of Rootkits exploits: User Mode & Kernel Mode, what are the various ways in which rootkits exploit in both modes. In this Part we will learn ..
---------------------------------------------
http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-1/
*** Programmier-Tipps für die BIOS-Backdoor ***
---------------------------------------------
Der Hacker Cr4sh erklärt, wie er eine Hintertür in die UEFI-Firmware eines Intel-Mainboards einbaut. Dabei zeigen sich einmal mehr kritische Lücken in der x86-Plattform, vor allem beim System Management Mode.
---------------------------------------------
http://heise.de/-2748219
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 08-07-2015 18:00 − Donnerstag 09-07-2015 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan... on July 1 ***
---------------------------------------------
Earlier this week several vulnerabilities were disclosed as part of the leak of information from the Italian company Hacking Team. We've noted that this exploit is now in use by various exploit kits. However, feedback provided by the Smart Protection Network also indicates that this exploit was also used in limited attacks in Korea and Japan....
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Ys8noghmsHc/
*** Ding! Your RAT has been delivered ***
---------------------------------------------
Talos is constantly observing malicious spam campaigns delivering various different types of payloads. Common payloads include things like Dridex, Upatre, and various versions of Ransomware. One less common payload that Talos analyzes periodically are Remote Access Trojans or RATs. A recently observed spam campaign was using freeware remote access trojan DarkKomet (a.k.a DarkComet). This isn't a novel approach since threat actors have been leveraging tools like DarkKomet or Hawkeye...
---------------------------------------------
http://blogs.cisco.com/security/talos/darkkomet-rat-spam
*** Finnland: 17-jähriger Botnetz-Betreiber verurteilt ***
---------------------------------------------
Über 50.000 Rechner für ein Botnetz gekapert, DDoS-Attacken geritten und Kreditkartendaten geklaut: Ein 17-jähriger Finne, angeblich Mitglied der Hackergruppe Lizard Squad, wird zu zwei Jahren auf Bewährung verurteilt.
---------------------------------------------
http://heise.de/-2745646
*** Detecting Random - Finding Algorithmically chosen DNS names (DGA), (Thu, Jul 9th) ***
---------------------------------------------
Most normal user traffic communicates via a hostname and not an IP address. So looking at traffic communicating directly by IP with no associated DNS request is a good thing do to. Some attackers use DNS names for their communications. There is also malware such as Skybot and the Styx exploit kit that use algorithmically chosen host name rather than IP addresses for their command and control channels. This malware uses what has been called DGA or Domain Generation Algorithms to create random...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19893&rss
*** Happy Video Game Day 2015 ***
---------------------------------------------
Gamers are being targeted more and more by malware, trojans, and keyloggers, especially those that participate in pay-to-play games and MMORPGs (Massively Multiplayer Online Role-Playing Game). Your accounts, personal identity, banking information and even credit card numbers can be stolen if you are playing without a cyber-security solution. The PC gaming market is increasing rapidly and is expected to reach $30.9 Billion in 2016, and with that, the targets are getting bigger and more...
---------------------------------------------
http://www.webroot.com/blog/2015/07/08/happy-video-game-day-2015
*** Cisco PSIRT reporting Customers affected by ASA VPN DoS attacks, (Thu, Jul 9th) ***
---------------------------------------------
Patch your firewalls! 2015-July-08 UPDATE:">Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19895&rss
*** Sicherheitslücke: OpenSSL akzeptiert falsche Zertifikate ***
---------------------------------------------
Ein OpenSSL-Update behebt eine kritische Sicherheitslücke. Mittels einiger Tricks kann ein Angreifer damit ein gewöhnliches Zertifikat zu einer Zertifizierungsstelle machen. Betroffen sind vor allem Clients.
---------------------------------------------
http://www.golem.de/news/sicherheitsluecke-openssl-akzeptiert-falsche-zerti…
*** OpenSSL CVE-2015-1793: Man-in-the-Middle Attack ***
---------------------------------------------
As announced at the beginning of this week, OpenSSL has released the fix for CVE-2015-1793.
---------------------------------------------
https://ma.ttias.be/openssl-cve-2015-1793-man-middle-attack/
*** OpenSSL Security Advisory [9 Jul 2015] ***
---------------------------------------------
An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. (original advisory). Reported by Adam Langley and David Benjamin (Google/BoringSSL).
---------------------------------------------
https://openssl.org/news/secadv_20150709.txt
*** Administration Views - Critical - Information Disclosure - SA-CONTRIB-2015-132 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2015-132Project: Administration Views (third-party module)Version: 7.xDate: 2015-July-08Security risk: 15/25 ( Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureDescriptionAdministration Views module replaces overview/listing pages with actual views for superior usability.The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have
---------------------------------------------
https://www.drupal.org/node/2529378
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 07-07-2015 18:00 − Mittwoch 08-07-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security Advisory for Adobe Flash Player (APSA15-03) ***
---------------------------------------------
A Security Advisory (APSA15-03) has been published regarding a critical vulnerability (CVE-2015-5119) in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1223
*** Security Updates Available for Adobe Flash Player (APSB15-16) ***
---------------------------------------------
A security bulletin (APSB15-16) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1228
*** Multiple vulnerabilities in Cisco products ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39675http://tools.cisco.com/security/center/viewAlert.x?alertId=39643http://tools.cisco.com/security/center/viewAlert.x?alertId=39641http://tools.cisco.com/security/center/viewAlert.x?alertId=39623
*** CVE-2015-5119 (HackingTeam 0d - Flash up to 18.0.0.194) and Exploit Kits ***
---------------------------------------------
http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxx…
*** When ‘int’ is the new ‘short’ ***
---------------------------------------------
This is going to be a quick post, just describing a particularly interesting Chrome issue that I found last month; how I found it; and what is interesting about it�I was looking through some Chrome networking code; and I noticed an interesting API design ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2015/07/when-int-is-new-short.html
*** Windows 10 kann WLAN-Passwörter an Kontakte verteilen ***
---------------------------------------------
In Windows 10 lässt sich das WLAN-Passwort automatisch an Facebook-Freunde oder Skype-Kontakte verteilen. Das erspart das lästige Diktieren von Kennwörtern bei Besuch, bringt aber auch Risiken mit sich.
---------------------------------------------
http://www.golem.de/news/it-sicherheit-windows-10-kann-wlan-passwoerter-an-…
*** Schwachstelle in Nameserversoftware BIND 9 ***
---------------------------------------------
Ein Angreifer, der einen Nameserver mit aktivierter DNSSEC-Validierung dazu bringen kann, eine Zone mit speziellem Inhalt abzufragen, kann den Nameserver zum Absturz bringen.
---------------------------------------------
https://cert.at/warnings/all/20150708.html
*** "Zero-Day"-Sicherheitslücke in Adobe Flash Player (aktiv ausgenützt) - Patches jetzt verfügbar ***
---------------------------------------------
Durch Ausnutzen dieser Lücke kann ein Angreifer vermutlich vollständige Kontrolle über betroffene Systeme erlangen. Damit sind alle Daten auf diesen Systemen, sowie alle durch diese erreichbaren (etwa durch Login, VPN etc.) Daten und Systeme gefährdet.
---------------------------------------------
https://cert.at/warnings/all/20150708-2.html
*** Dyre Banking Trojan Exploits CVE-2015-0057 ***
---------------------------------------------
CVE-2015-0057 is a Use-After-Free vulnerability that exists in the win32k.sys component of the Windows Kernel which can be exploited to perform local privilege escalation. The vulnerability was reported to Microsoft by Udi Yavo, and, after the patch ..
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.ht…
*** Prenotification: Upcoming Security Updates for Adobe Acrobat and Reader (APSB15-15) ***
---------------------------------------------
A prenotification security advisory has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, July 14, 2015. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1232
*** Wild Neutron – Economic espionage threat actor returns with new tricks ***
---------------------------------------------
A powerful threat actor known as “Wild Neutron” (also known as “Jripbot” and “Morpho”) has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.
---------------------------------------------
https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 06-07-2015 18:00 − Dienstag 07-07-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security Advisory: BIG-IQ remote authentication vulnerability CVE-2015-4637 ***
---------------------------------------------
When remote authentication is configured on the BIG-IQ system for a LDAP server that allows anonymous BIND operations, a unauthenticated user may obtain an authentication token from the REST API for any known (or guessed) LDAP user account and will receive all the access and privileges of that user account for REST API calls. (CVE-2015-4637)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/800/sol16861.htm…
*** Fraudulent BatteryBot Pro App Yanked from Google Play ***
---------------------------------------------
A malicious Android app spoofing the popular BatteryBot Pro app has been pulled from Google Play. Researchers at Zscaler reported the app, which had a package name of com.polaris.BatteryIndicatorPro. The app requested excessive permissions from the user in an attempt to get full control of an ..
---------------------------------------------
http://threatpost.com/fraudulent-batterybot-pro-app-yanked-from-google-play…
*** Malvertisement - A Nuclear EK Tale ***
---------------------------------------------
Over the past couple of years delivering malware via advertisements, or "malvertisement," has become one of the most popular methods of distribution for exploit kits. Like most trends in the world of Internet security, the longer it endures - the ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Malvertisement-%e2%80%9…
*** Social Engineering - A Case Study ***
---------------------------------------------
In this article, I am going to illustrate a real life social engineering hack that I did it for my friend. My friend saw some property ads on internet. He filled the query form for that ad, and after a day he got a call fraudulent call ..
---------------------------------------------
http://resources.infosecinstitute.com/social-engineering-a-case-study/
*** Two major IT-Security Myths debunked ***
---------------------------------------------
There are two statements G DATA’s security experts hear and read time and again: “I do not surf on porn websites, my computer can’t get infected” as well as “my computer does not hold anything valuable and I have nothing to hide – why should I be a target?” It would be a pleasure to confirm this, but, unfortunately, we do not live in an ideal world. The company’s latest Malware Report underlines why such sentences should be regarded as myths and IT-Security is important for everyone.
---------------------------------------------
https://blog.gdatasoftware.com/blog/article/two-major-it-security-myths-deb…
*** NewStatPress <= 1.0.4 - Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8081
*** NewStatPress <= 1.0.4 - SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8080
*** Safer Internet ***
---------------------------------------------
Anna is the director of a small kindergarten in Zurich. To give the kindergarten a home on the Internet, she registered a domain name and put up a website where parents can get up-to-date information about the kindergarten. A friend ..
---------------------------------------------
http://securityblog.switch.ch/2015/07/07/safer-internet/
*** Kritischer OpenSSL-Patch voraus ***
---------------------------------------------
Mit einer kurzen Notiz verkündet Mark J. Cox, dass man Donnerstag, den 9. Juli, ein Sicherheits-Update für OpenSSL veröffentlichen wolle. Dies sei der höchsten Sicherheitsstufe zuzurechnen (high). Das bedeutet, dass gängige Konfigurationen betroffen sind und die Lücke sich wahrscheinlich ausnutzen lässt, um Denial-of-Service-Angriffe durchzuführen, Daten zu klauen oder sogar betroffene System zu kapern.
---------------------------------------------
http://heise.de/-2739804
*** Landeskriminalamt Salzburg warnt vor gefälschten Paketdienst-E-Mails ***
---------------------------------------------
In Salzburg sind derzeit verstärkt Internet-Betrüger aktiv. Die Polizei warnt akut vor gefälschten E-Mails im Namen bekannter Paketdienste, die vorgeben, dass eine Postsendung unterwegs sei. Über einen Link könne man den aktuellen Paketstatus abrufen. Ein Klick darauf installiert in Wirklichkeit aber die Schadsoftware "CryptoLocker", welche die auf der Festplatte gespeicherten Daten verschlüsselt.
---------------------------------------------
http://derstandard.at/2000018700461
*** Fuzzing: Auf Fehlersuche mit American Fuzzy Lop ***
---------------------------------------------
Programme testweise mit massenhaft fehlerhaften Daten zu füttern, ist eine effektive Methode, um Fehler zu finden. Das sogenannte Fuzzing ist schon seit Jahrzehnten bekannt, doch bessere Tools und einige spektakuläre Funde von Sicherheitslücken haben zuletzt das Interesse daran erneut geweckt.
---------------------------------------------
http://www.golem.de/news/fuzzing-auf-fehlersuche-mit-american-fuzzy-lop-150…
*** New Android Malware Family Evades Antivirus Detection by Using Popular Ad Libraries ***
---------------------------------------------
Unit 42 discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. We named this malware family 'Gunpoder' based on the main malicious component name, ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/07/new-android-malware-fami…
*** Hacked Hacking Team ***
---------------------------------------------
Wie ja seit gestern gross durch die diversen Medien getrommelt wird (siehe etwa heise.de, derstandard.at), wurde das Unternehmen "Hacking Team" anscheinend selbst Opfer eines Angriffs. In den dabei geleakten Daten sind auch etliche Hinweise auf bislang unbekannte Exploits ("0-days") zu finden. Leider fehlt uns die Kapazität, die gesamten geleakten Daten (gut 160.000 Dateien mit insg. rund 400GB!) in endlicher Zeit selbst zu analysieren, daher müssen wir uns dabei auf die Community verlassen.
---------------------------------------------
http://www.cert.at/services/blog/20150707141314-1556.html
*** Attack of the Zombie Orkut Phishing Pages ***
---------------------------------------------
Sometimes long dead websites are targeted by phishing pages. When those sites made use of single sign-on, the danger will never quite go away. Orkut may be gone, but the fake login pages persist ..
---------------------------------------------
https://blog.malwarebytes.org/fraud-scam/2015/07/attack-of-the-zombie-orkut…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 03-07-2015 18:00 − Montag 06-07-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** [20150602] - Core - CSRF Protection ***
---------------------------------------------
http://developer.joomla.org/security-centre/618-20150602-core-remote-code-e…
*** [20150601] - Core - Open Redirect ***
---------------------------------------------
http://developer.joomla.org/security-centre/617-20150601-core-open-redirect…
*** This 20-year-old Student Has Written 100 Malware Programs in Two Years ***
---------------------------------------------
Security firm Trend Micro has identified a 20-year-old Brazilian college student responsible for developing and distributing over 100 Banking Trojans selling each for around ..
---------------------------------------------
http://thehackernews.com/2015/07/student-hacker.html
*** A .BUP File Is An OLE File ***
---------------------------------------------
Yesterday I mentioned that McAfee quarantine files on Windows (.BUP extension) are actually OLE files. Im going to write a couple of diary entries highlighting some file types that are OLE files, and ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19869
*** MMD-0036-2015 - KINS (or ZeusVM) v2.0.0.0 tookit (builder & panel) leaked. ***
---------------------------------------------
The background KINS (or ZeusVM to be precised) v2.0.0.0 tookit (builder & panel) was leaked and spread all over the internet. On Jun 26th 2015 we were informed about this and after several internal discussion, considering that: "so ..
---------------------------------------------
http://blog.malwaremustdie.org/2015/07/mmd-0036-2015-kins-or-zeusvm-v2000.h…
*** A fileless Ursnif doing some POS focused reco ***
---------------------------------------------
http://malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.…
*** BizCN gate actor changes from Fiesta to Nuclear exploit kit ***
---------------------------------------------
Introduction An actor using gates registered through BizCN recently switched from Fiesta to Nuclear exploit kit (EK). This happened around last month, and we first noticed the change on 2015-06-15. I started writing about this actor in 2014 ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19875
*** Don't Be Fooled By Phony Online Reviews ***
---------------------------------------------
The Internet is a fantastic resource for researching the reputation of companies with which you may wish to do business. Unfortunately, this same ease-of-use can lull the unwary into falling for marketing scams originally perfected ..
---------------------------------------------
http://krebsonsecurity.com/2015/07/dont-be-fooled-by-phony-online-reviews/
*** Spionagefirma Hacking Team: "Feind des Internets" selbst gehackt ***
---------------------------------------------
Die italienische Überwachungsfirma Hacking Team wurde selbst Opfer eines massiven Hacks: Eindringlinge konnten rund 480 GB an internen Daten übernehmen und diese als Download bereitstellen. Auch der Twitter-Account des Unternehmens wurde übernommen und in "Hacked Team" umbenannt. Die veröffentlichten Informationen ..
---------------------------------------------
http://derstandard.at/2000018630550
*** Blue-Pill-Lücke in Xen geschlossen ***
---------------------------------------------
In der langen Liste der Sicherheits-Verbesserungen von Xen 4.5.1 finden sich auch eine Lücke, die den Ausbruch aus einer virtuellen Maschine erlaubt - und ein geheimnisvoller, noch undokumentierte Eintrag.
---------------------------------------------
http://heise.de/-2736158
*** ManageEngine Password Manager Pro 8.1 SQL Injection ***
---------------------------------------------
An authenticated user (even the guest user) is able to execute arbitrary SQL code using a forged request to the SQLAdvancedALSearchResult.cc. The SQL query is build manually and is not escaped properly in the AdvanceSearch.class of AdventNetPassTrix.jar.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015070020
*** Insider Threats Defined ***
---------------------------------------------
According to the second annual SANS survey on the security of the financial services sector, the number one threat companies are concerned about doesn’t relate to nation-states, organised criminal gangs or ‘APTs’. Rather the main worry revolves around insider threats – but what exactly is an insider threat and what can be done to detect and respond to these threats?
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/insider-threats-defined
*** How to Deal with Reverse Domain Name Hijacking ***
---------------------------------------------
The fact that one owns a trademark which is identical or confusingly similar to a domain name does not necessarily mean that she is entitled to that domain name. For ..
---------------------------------------------
http://resources.infosecinstitute.com/how-to-deal-with-reverse-domain-name-…
*** Rätselaufgaben gegen DDoS-Angriffe auf TLS ***
---------------------------------------------
Ein Akamai-Mitarbeiter beschreibt, wie mit einfachen Rechenaufgaben DDoS-Angriffe durch Clients auf TLS-Verbindungen minimiert werden könnten. Die Idee ist zwar noch ein Entwurf, könnte aber als Erweiterung für TLS 1.3 standardisiert werden.
---------------------------------------------
http://www.golem.de/news/ietf-raetselaufgaben-gegen-ddos-angriffe-auf-tls-1…
*** AWS Best Practices for DDoS Resiliency (PDF) ***
---------------------------------------------
http://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf
*** No one expect command execution ! ***
---------------------------------------------
Unix is a beautiful world where your shell gives you the power of launching any command you like. But sometimes, command can be used to launch another commands, and thats sometimes unexpected.
---------------------------------------------
http://0x90909090.blogspot.fr/2015/07/no-one-expect-command-execution.html
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 02-07-2015 18:00 − Freitag 03-07-2015 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Security Advisory: PHP vulnerability CVE-2015-4024 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/800/sol16826.html
*** Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving ***
---------------------------------------------
Since the Angler Exploit Kit began pushing the latest version of Cryptowall ransomware, the kit has gone to great lengths to evade detection from IDS and other security technologies. The latest tactic is an almost-daily change to URL patterns used by the kit in HTTP GET requests for the Angler landing ..
---------------------------------------------
http://it.slashdot.org/story/15/07/02/1829244/angler-exploit-kit-evasion-te…
*** Plex: Foren des Media Servers gehackt ***
---------------------------------------------
Unbekannten Angreifern ist es offenbar gelungen das zum Service gehörige Forum zu hacken, und Zugriff auf sensible Daten zu erhalten. Neben Mail-Adressen sollen dabei auch Passwort-Hashes, private Nachrichten und IP-Adressen abgegriffen worden sein. ... So wurden alle betroffenen User mittlerweile per ..
---------------------------------------------
http://derstandard.at/2000018475799/Plex-Foren-des-Media-Servers-gehackt
*** Cisco Adaptive Security Appliance Software OSPFv2 Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39612
*** DSA-3299 stunnel4 - security update ***
---------------------------------------------
Johan Olofsson discovered an authentication bypass vulnerability inStunnel, a program designed to work as an universal SSL tunnel fornetwork daemons. When Stunnel in ..
---------------------------------------------
https://www.debian.org/security/2015/dsa-3299
*** REcon Recap: Here's What Caught My Eye ***
---------------------------------------------
A few weeks ago I was fortunate enough to attend REcon in Montreal, Canada. This conference focuses on reverse engineering and exploitation techniques and has been ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/07/recon-recap/
*** WordPress File Upload <= 2.7.6 - Multiple Vulnerabilities ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8070
*** Sicherheitsrisiko: LGs Update-App für Smartphones ist anfällig ***
---------------------------------------------
Smartphones von LG sind aufgrund einer schlecht umgesetzten SSL-Verschlüsselung anfällig für Man-in-the-Middle-Attacken. Offenbar weiß der Hersteller schon länger davon, ein Patch soll das Problem beheben - auf manchen Geräten ist dieser aber noch nicht angekommen.
---------------------------------------------
http://www.golem.de/news/sicherheitsrisiko-lgs-update-app-fuer-smartphones-…
*** Viele VPNs plaudern wahre Identität ihrer Nutzer aus ***
---------------------------------------------
Forscher finden grobe Implementationsprobleme - IPv6 und DNS-Abfragen unterwandern Sicherheit
---------------------------------------------
http://derstandard.at/2000018498920
*** Mozilla: Firefox 39 schmeisst alte Krypto raus ***
---------------------------------------------
SSLv3 ist aus Firefox 39 endgültig entfernt worden, und RC4 ist nur noch temporär für einige wenige Seiten erlaubt. Das Mozilla-Team erweitert den Schutz des Browsers vor Malware, daneben gibt es noch viele kleinere Neuerungen.
---------------------------------------------
http://www.golem.de/news/mozilla-firefox-39-schmeisst-alte-krypto-raus-1507…
*** Kovter AdFraud is updating Flash Player (and Internet Explorer) ***
---------------------------------------------
Checking my systems I noticed multiple VM trying to grab last version of Flash and thought they were not properly setup allowing Flash Player to auto-update (which we do not want obviously - we want to keep them exploitable and also avoid behavioural/network noise).
---------------------------------------------
http://malware.dontneedcoffee.com/2015/07/kovter-adfraud-is-updating-flash-…
*** l+f: Noch mehr Hintertüren bei Cisco ***
---------------------------------------------
http://heise.de/-2734480
*** Apple: EFI-Sicherheits-Update nicht für ältere Macs ***
---------------------------------------------
Das Sicherheits-Update, das eine mögliche Modifikation der Firmware verhindert, steht zwar für ältere OS-X-Versionen zur Verfügung – lässt sich jedoch nur auf jüngeren Macs installieren.
---------------------------------------------
http://heise.de/-2735051
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 01-07-2015 18:00 − Donnerstag 02-07-2015 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Attackers Revive Deprecated RIPv1 Routing Protocol in DDoS Attacks ***
---------------------------------------------
An advisory from Akamai warns of a recent reflection style DDoS attack in which the deprecated RIPv1 routing protocol was leveraged against targets.
---------------------------------------------
http://threatpost.com/attackers-revive-deprecated-ripv1-routing-protocol-in…
*** EMC Documentum D2 Input Validation Flaw Lets Remote Authenticated Users Obtain Potentially Sensitive Information ***
---------------------------------------------
A remote authetnicated user can send specially crafted data to inject data query language (DQL) commands and obtain potentially sensitive information from the database on the target system.
...
The D2CenterstageService.getComments method is affected [CVE-2015-0547].
...
The D2DownloadService.getDownloadUrls method is affected [CVE-2015-0548].
---------------------------------------------
http://www.securitytracker.com/id/1032769
*** Updated Point-to-Point Encryption standard now provides more flexibility ***
---------------------------------------------
The Payment Card Industry Security Standards Council (PCI SSC) published an important update to one of its eight security standards, simplifying the development and use of Point-to-Point Encryption (P2PE) solutions that make payment card data unreadable and less valuable to criminals if stolen in a breach.
---------------------------------------------
http://www.net-security.org/secworld.php?id=18581
*** Final Year Dissertation Paper Release: An Evaluation of the Effectiveness of EMET 5.1 ***
---------------------------------------------
My paper covers three separate exploits that I converted to try bypass EMET 5.1s protections as best I could and the techniques that I used to do so as well as how successful EMET 5.1 was at preventing me from exploiting the vulnerable programs.
---------------------------------------------
http://tekwizz123.blogspot.co.at/2015/07/final-year-dissertation-paper-rele…
*** ENISA's Udo Helmbrecht at EPP Hearing on cybersecurity ***
---------------------------------------------
ENISA's Udo Helmbrecht participated at the EPP Hearing on data driven security, which took place today 1st July 2015, at the European Parliament in Brussels.
Topics discussed included:
Session I: New trends in digital technology developments and cyber threats to security
Session II: Fighting crime: use of new technologies and use of data
Session III: Cyber Security: ensuring security and safety on state and individual levels
---------------------------------------------
http://www.enisa.europa.eu/media/news-items/enisa2019s-udo-helmbrecht-at-ep…
*** How safe is the Windows 10 Wi-Fi sharing feature? ***
---------------------------------------------
... what worries security experts is the fact that it allows users to share access to their password-protected Wi-Fi networks with their Outlook.com contacts, Skype contacts, and Facebook friends.
...
While this feature can come very handy, it could also open users to security risks.
---------------------------------------------
http://www.net-security.org/secworld.php?id=18584
*** Cisco Security Advisories/Vulnerability Alerts ***
---------------------------------------------
Cisco Unified Communications Domain Manager Default Static Privileged Account Credentials
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
Cisco Adaptive Security Appliance SNMP Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39611
---------------------------------------------
Cisco Nexus Operating System Devices Command Line Interface Local Privilege Escalation Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39583
---------------------------------------------
Cisco Digital Content Manager Message Processing Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39556
---------------------------------------------