=======================
= End-of-Shift report =
=======================
Timeframe: Montag 15-12-2014 18:00 − Dienstag 16-12-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Is POODLE Back for Another Byte? ***
---------------------------------------------
[...] The problem is a number of other TLS implementations are optimized for performance by verifying only that the first byte of padding matches the number of padding bytes. Such implementations would accept any value for the second and subsequent padding bytes. What's worse is that the adversary doesn't need to artificially downgrade the connection to SSLv3 to exploit this issue, so the barriers to execution are lower.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2014/12/is_poodle_back_fora.ht…
*** RevSlider Vulnerability Leads To Massive WordPress SoakSoak Compromise ***
---------------------------------------------
Yesterday we disclosed a large malware campaign targeting and compromising over 100,000 WordPress sites, and growing by the hour. It was named SoakSoak due to the first domain used in the malware redirection path (soaksoak.ru). After a bit more time investigating this issue, we were able to confirm that the attack vector is the RevSlider...
---------------------------------------------
http://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wor…
*** SoakSoak: Payload Analysis - Evolution of Compromised Sites - IE 11 ***
---------------------------------------------
Thousands of WordPress sites has been hit by the SoakSoak attack lately. At this moment we know quite a lot about it. It uses the RevSlider vulnerability as a point of penetration. Then uploads a backdoor and infects all websites that share the same server account (so sites that don't use the RevSlider plugin can...
---------------------------------------------
http://blog.sucuri.net/2014/12/soaksoak-payload-analysis-evolution-of-compr…
*** Google Blacklists WordPress Sites Peddling SoakSoak Malware ***
---------------------------------------------
Up to 100,000 sites hosted on WordPress may be vulnerable to new campaign thats pushing malware and multiple exploit kits to the browser.
---------------------------------------------
http://threatpost.com/google-blacklists-wordpress-sites-peddling-soaksoak-m…
*** Safari 8.0.2 Still Supporting SSLv3 with Block Ciphers, (Mon, Dec 15th) ***
---------------------------------------------
In October, Apple released Security Update 2014-005, specifically with the intend to address the POODLE issue [1]. The description with the update stated: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19067&rss
*** ENISA CERT training programme now available online ***
---------------------------------------------
ENISA has launched a new section on its website introducing the ENISA CERT training programme.
In the new section, you can find all the publicly available training resources and the training courses currently provided by ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/news-items/enisa-cert-training-programme-n…
*** SSL-TLS Implementations Cipher Block Chaining Padding Information Disclosure Vulnerability ***
---------------------------------------------
CVE-2014-8730
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Internet-Sicherheit: Auch Cisco mit Poodle-Problemen ***
---------------------------------------------
Ausgerechnet Firewalls und Load-Balancing-Erweiterungen des Netzwerkgeräte-Herstellers pfuschen bei der Umsetzung von TLS - und werden damit ebenfalls anfällig für Poodle-Angriffe auf die Verschlüsselung.
---------------------------------------------
http://www.heise.de/security/meldung/Internet-Sicherheit-Auch-Cisco-mit-Poo…
*** Android Hacking and Security, Part 16: Broken Cryptography ***
---------------------------------------------
Introduction In this article, we will discuss broken cryptography in Android applications. Broken cryptography attacks come into the picture when an app developer wants to take advantage of encryption in his application. This article covers the possible ways where vulnerabilities associated with broken cryptography may be introduced in Android apps. [...]The post Android Hacking and Security, Part 16: Broken Cryptography appeared first on InfoSec Institute.
---------------------------------------------
http://resources.infosecinstitute.com/android-hacking-security-part-16-brok…
*** F5 Security Advisory: Linux kernel SCTP vulnerabilities CVE-2014-3673 and CVE-2014-3687 ***
---------------------------------------------
(SOL15910) - Remote attackers may be able to cause a denial-of-service (DoS) using malformed or duplicate ASCONF chunk.
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/900/sol15910.html
*** Security Advisory 2014-06: Incomplete Access Control ***
---------------------------------------------
An attacker with valid OTRS credentials could access and manipulate ticket data of other users via the GenericInterface, if a ticket webservice is configured and not additionally secured.
---------------------------------------------
https://www.otrs.com/security-advisory-2014-06-incomplete-access-control/
*** Apache Buffer Overflow in mod_proxy_fcgi Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031371
*** SSA-831997 (Last Update 2014-12-15): Denial-of-Service Vulnerability in Ruggedcom ROS-based Devices ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** CA Release Automation Multiple Flaws Permit Cross-Site Scripting, Cross-Site Request Forgery, and SQL Injection Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1031375
*** DokuWiki conf/mime.conf cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/99291
*** Python TLS security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/99294
*** CA LISA Multiple Vulns ***
---------------------------------------------
Topic: CA LISA Multiple Vulns Risk: Medium Text:CA20141215-01: Security Notice for CA LISA Release Automation Issued: December 15, 2014 CA Technologies Support is alerti...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120097
*** Bugtraq: [Onapsis Security Advisory 2014-034] SAP Business Objects Search Token Privilege Escalation via CORBA ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534249
*** Better Search <= 1.3.4 - Reflective XSS ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7725
*** WP Construction Mode <= 1.91 - Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7724
*** Sliding Social Icons <= 1.61 - CSRF & Stored XSS ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7723
*** Bugtraq: "Ettercap 8.0 - 8.1" multiple vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534248
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 12-12-2014 18:00 − Montag 15-12-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** ICS-CERT: BlackEnergy may be infecting WinCC systems lacking recent patch ***
---------------------------------------------
BlackEnergy malware may be exploiting a vulnerability in Siemens SIMATIC WinCC software that was patched in early November.
---------------------------------------------
http://www.scmagazine.com/ics-cert-urges-wincc-users-others-to-update-softw…
*** BGP Hijacking Continues, Despite the Ability To Prevent It ***
---------------------------------------------
An anonymous reader writes: BGPMon reports on a recent route hijacking event by Syria. These events continue, despite the ability to detect and prevent improper route origination: Resource Public Key Infrastructure. RPKI is technology that allows an operator to validate the proper relationship between an IP prefix and an Autonomous System. That is, assuming you can collect the certificates. ARIN requires operators accept something called the Relying Party Agreement. But the provider community...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/hl_eP152_h0/story01.htm
*** Batten down the patches: New vuln found in Docker container tech ***
---------------------------------------------
Last months patch brought new privilege escalation flaw More security woes plagued users of the Docker application containerization tech for Linux this week, after an earlier security patch was found to have introduced a brand-new critical vulnerability in the software.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/12/12/docker_vuln…
*** Cisco to release flying pig - Snort 3.0 ***
---------------------------------------------
Sourcefires been making bacon, now wants you to fry it Ciscos going to release a flying pig.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/12/12/cisco_to_re…
*** Worm Backdoors and Secures QNAP Network Storage Devices, (Sun, Dec 14th) ***
---------------------------------------------
Shellshock is far from over, with many devices still not patched andout there ready for exploitation. One set of thedevices receiving a lot of attention recently are QNAP disk storage systems. QNAP released a patch in early October, but applying the patch is not automatic and far from trivial for many users[1]. Our reader Erichsubmitted a link to an interesting Pastebin post with code commonly used in these scans [2] The attack targets a QNAP CGI script, /cgi-bin/authLogin.cgi, a well known...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19061&rss
*** SoakSoak Malware Compromises 100,000+ WordPress Websites ***
---------------------------------------------
This Sunday has started with a bang. Google has blacklisted over 11,000 domains with this latest malware campaign from SoakSoak.ru: Our analysis is showing impacts in the order of 100s of thousands of WordPress specific websites. We cannot confirm the exact vector, but preliminary analysis is showing correlation with the Revslider vulnerability we reported a...
---------------------------------------------
http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpres…
*** Man in the Middle attack vs. Cloudflares Universal SSL ***
---------------------------------------------
MitM attacks are a class of security attacks that involve the compromise of the authentication of a secure connection. In essence, an attacker builds a transparent tunnel between the client and the server, but makes sure that the client negotiates the secure connection with the attacker, instead of the intended server. Thus the client instead of having a secure connection to the server, has a secure connection to the attacker, which in turn has set up its own secure connection to the server, so...
---------------------------------------------
http://blog.ricardomacas.com/index.php?controller=post&action=view&id_post=4
*** 10th Annual ICS Security Summit - Orlando ***
---------------------------------------------
For SCADA, Industrial Automation, and Control System Security Join us for the 10th anniversary of the Annual SANS ICS Security Summit. The Summit is the premier event to attend in 2015 for ICS cybersecurity practitioners and managers. This years summit will feature hands-on training courses focused on Attacking and Defending ICS environments, Industry specific pre-summit events, and an action packed summit agenda with the release of ICS security tools and the popular security kit for Summit
---------------------------------------------
https://www.sans.org/event/ics-security-summit-2015
*** Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) ***
---------------------------------------------
V3.0 (December 12, 2014): Rereleased bulletin to announce the reoffering of Microsoft security update 2986475 for Microsoft Exchange Server 2010 Service Pack 3. The rereleased update addresses a known issue in the original offering. Customers who uninstalled the original update should install the updated version of 2986475 at the earliest opportunity.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-075
*** Two newcomers in the exploit kit market ***
---------------------------------------------
Exploit kits are a great means to an end for malware distributors, who either buy them or rent them in order to widely disseminate their malicious wares. Its no wonder then that unscrupulous developers are always trying to enter the market currently cornered by Angler, Nuclear, FlashEK, Fiesta, SweetOrange, and others popular exploit kits.
---------------------------------------------
http://www.net-security.org/malware_news.php?id=2929
*** RSA Authentication Manager 8.0 / 8.1 Unvalidated Redirect ***
---------------------------------------------
Topic: RSA Authentication Manager 8.0 / 8.1 Unvalidated Redirect Risk: Low Text:ESA-2014-173: RSA Authentication Manager Unvalidated Redirect Vulnerability EMC Identifier: ESA-2014-173 CVE Identifier:...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120080
*** RSA Archer GRC Platform 5.x Cross Site Scripting ***
---------------------------------------------
Topic: RSA Archer GRC Platform 5.x Cross Site Scripting Risk: Low Text:ESA-2014-163: RSA Archer GRC Platform Multiple Vulnerabilities EMC Identifier: ESA-2014-163 CVE Identifier: See b...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120079
*** EMC Isilon InsightIQ Cross Site Scripting ***
---------------------------------------------
Topic: EMC Isilon InsightIQ Cross Site Scripting Risk: Low Text:ESA-2014-164: EMC Isilon InsightIQ Cross-Site Scripting Vulnerability EMC Identifier: ESA-2014-164 CVE Identifier: CVE-...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120078
*** Cisco Prime Security Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
CVE-2014-3364
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass ***
---------------------------------------------
Topic: Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Risk: Medium Text:Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Exploit Vendor: Soitec Product web page: http://ww...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120086
*** Multiple vulnerabilities in InfiniteWP Admin Panel ***
---------------------------------------------
InfiniteWP (http://www.infinitewp.com/) allows an administrator to manage multiple Wordpress sites from one control panel. According to the InfiniteWP homepage, it is used on over 317,000 Wordpress sites. The InfiniteWP Admin Panel contains a number of vulnerabilities that can be exploited by an unauthenticated remote attacker. These vulnerabilities allow taking over managed Wordpress sites by leaking secret InfiniteWP client keys, allow SQL injection, allow cracking of InfiniteWP admin
---------------------------------------------
http://seclists.org/fulldisclosure/2014/Dec/43
*** Bugtraq: Vulnerabilities in Ekahau Real-Time Location Tracking System [MZ-14-01] ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534241
*** [dos] - phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS ***
---------------------------------------------
http://www.exploit-db.com/exploits/35539
*** Multiple vulnerabilities in BibTex Publications (si_bibtex) ***
---------------------------------------------
It has been discovered that the extension "BibTex Publications" (si_bibtex) is susceptible to Cross-Site Scripting and SQL Injection.
---------------------------------------------
http://www.typo3.org/news/article/multiple-vulnerabilities-in-bibtex-public…
*** Multiple vulnerabilities in Drag Drop Mass Upload (ameos_dragndropupload) ***
---------------------------------------------
It has been discovered that the extension "Drag Drop Mass Upload" (ameos_dragndropupload) is susceptible to Cross-Site Scripting, Cross-Site Request Forgery and Improper Access Control.
---------------------------------------------
http://www.typo3.org/news/article/improper-access-control-in-drag-drop-mass…
*** Security Advisory-SSLv3 POODLE Vulnerability in Huawei Products ***
---------------------------------------------
Dec 15, 2014 18:30
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** SEO Redirection <= 2.2 - Unauthenticated Stored XSS ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7722
*** Lightbox Photo Gallery 1.0 - CSRF/XSS ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7719
*** WP-FB-AutoConnect <= 4.0.5 - XSS/CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7721
*** Timed Popup <= 1.3 - CSRF & Stored XSS ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7720
*** Bugtraq: CVE-2014-2026 Reflected Cross-Site Scripting (XSS) in "Intrexx Professional" ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534230
*** Bugtraq: CVE-2014-2025 Remote Code Execution (RCE) in "Intrexx Professional" ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534229
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 11-12-2014 18:00 − Freitag 12-12-2014 18:00
Handler: Alexander Riepl
Co-Handler: Otmar Lendl
*** Archie and Astrum: New Players in the Exploit Kit Market ***
---------------------------------------------
Thu, 11 Dec 2014 17:10:55 +0200
---------------------------------------------
https://www.f-secure.com/weblog/archives/00002776.html
*** Researcher: Lax Crossdomain Policy Puts Yahoo Mail At Risk ***
---------------------------------------------
A security researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that puts email content and contacts at risk.
---------------------------------------------
http://threatpost.com/researcher-lax-crossdomain-policy-puts-yahoo-mail-at-…
*** DSA-3098 graphviz - security update ***
---------------------------------------------
Joshua Rogers discovered a format string vulnerability in the yyerrorfunction in lib/cgraph/scan.l in Graphviz, a rich set of graph drawingtools. An attacker could use this flaw to cause graphviz to crash orpossibly execute arbitrary code.
---------------------------------------------
https://www.debian.org/security/2014/dsa-3098
*** ZDI-14-424: Honeywell OPOS Suite HWOPOSScale.ocx Open Method Stack Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Honeywell OPOS Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/8tlo_ZfI4BE/
*** ZDI-14-423: Honeywell OPOS Suite HWOPOSSCANNER.ocx Open Method Stack Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Honeywell OPOS Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/ZDVuupIJS6Q/
*** ZDI-14-422: ManageEngine NetFlow Analyzer CollectorConfInfoServlet COLLECTOR_ID Directory Traversal Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine NetFlow Analyzer. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/sBfZBCsAKl4/
*** ZDI-14-421: ManageEngine Password Manager Pro UploadAccountActivities filename Directory Traversal Denial of Service Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to create a denial of service condition on vulnerable installations of ManageEngine Password Manager Pro. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/agLsqjzz9u4/
*** ZDI-14-420: ManageEngine Desktop Central MSP NativeAppServlet UDID JSON Object Code Injection Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/YGf1aa88_QM/
*** Targeted Phishing Against GoDaddy Customers ***
---------------------------------------------
I do get a lot of phishing emails, we all do, but as security professionals we tend to recognize them immediately. Either the syntax is wrong, or it's missing a name. When you get them from a bank you don't even deal with that's a pretty good clue. However, when the phishing is well doneRead More
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/uan3MNQ2J9g/targeted-phishing…
*** Siemens SIMATIC WinCC, PCS7, and TIA Portal Vulnerabilities (Update B) ***
---------------------------------------------
This updated advisory is a follow-up to the updated advisory titled ICSA-14-329-02A Siemens SIMATIC WinCC, PCS7, and TIA Portal Vulnerabilities that was published December 2, 2014, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-329-02B
*** Wire transfer spam spreads Upatre ***
---------------------------------------------
The Microsoft Malware Protection Center (MMPC) is currently monitoring a spam email campaign that is using a wire transfer claim to spread Trojan:Win32/Upatre. It is important to note that customers running up-to-date Microsoft security software are protected from this threat. Additionally, customers with Microsoft Active Protection Service Community (MAPS) enabled also benefit from our cloud protection service. Upatre typically uses spam email campaigns to spread and then downloads other
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/12/11/wire-transfer-spam-sprea…
*** Digitaler Anschlag: Cyber-Attacke soll Ölpipeline zerstört haben ***
---------------------------------------------
Ein Cyber-Angriff soll 2008 die Explosion einer Ölpipeline in der Türkei verursacht haben, wie anonyme Quellen berichten. Es gibt dafür aber nur Indizien. (Cyberwar, Virus)
---------------------------------------------
http://www.golem.de/news/digitaler-anschlag-cyber-attacke-soll-oelpipeline-…
*** Cross-Signed Certificates Crashes Android ***
---------------------------------------------
We have discovered a vulnerability in Android that affects how cross-signed certificates are handled. No current Android release correctly handles these certificates, which are created when two certificates are signed with a looped certificate chain (certificate A signs certificate B; certificate B signs certificate A). We've already notified Google about this vulnerability, and there is no fix
Post from: Trendlabs Security Intelligence Blog - by Trend MicroCross-Signed
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/K85aQffE_W0/
*** Microsoft: Neues Zertifikats-Update, noch ein zurückgezogener Patch ***
---------------------------------------------
Microsoft hat ein neues Zertifikats-Update für Windows 7 und Server 2008 ausgeliefert, das die Update-Probleme beheben soll. In der Zwischenzeit musste allerdings der dritte Patch in wenigen Tagen zurückgezogen werden, da er Silverlight zerschossen hatte.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-Neues-Zertifikats-Update-noc…
*** Office für Mac 2011: Microsoft beseitigt kritische Schwachstelle ***
---------------------------------------------
Das Update für die OS-X-Version der Büro-Suite soll eine Sicherheitslücke in Word beseitigen, die das Einschleusen und Ausführen von Schadcode erlaubt. Auch ein kleineres Problem wird behoben.
---------------------------------------------
http://www.heise.de/security/meldung/Office-fuer-Mac-2011-Microsoft-beseiti…
*** Microsoft pulls Patch Tuesday fix - "Outlook can't connect to Exchange" ***
---------------------------------------------
Part of Patch Tuesday is now only partly available as Microsoft recalls its already-delayed Exchange 2010 update. Paul Ducklin takes a look...
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/pyrMdTGYdYo/
*** DFN-CERT-2014-1647/">MantisBT: Mehrere Schwachstellen ermöglichen das Ausführen beliebigen Programmcodes ***
---------------------------------------------
12.12.2014
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2014-1647/
*** OphionLocker: Joining in the Ransomware Race ***
---------------------------------------------
Fri, 12 Dec 2014 16:32:35 +0200
---------------------------------------------
https://www.f-secure.com/weblog/archives/00002777.html
*** SSL-Lücke: Der POODLE beißt Windows Phone 7 ***
---------------------------------------------
Windows Phone 7 kann Mails nur mit dem uralten SSL-Protokoll Version 3 abholen. Das wird aber von vielen Mailservern wegen der POODLE-Lücke nicht mehr angeboten. Auf Abhilfe können Nutzer wohl nicht hoffen. (Windows Phone, E-Mail)
---------------------------------------------
http://www.golem.de/news/ssl-luecke-der-poodle-beisst-windows-phone-7-1412-…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 10-12-2014 18:00 − Donnerstag 11-12-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Critical vulnerability affecting HD FLV Player ***
---------------------------------------------
We've been notified of a critical vulnerability affecting the HD FLV Player plugin for Joomla!, WordPress and custom websites. It was silently patched on Joomla! and WordPress, leaving the custom website version vulnerable. Furthermore, websites ..
---------------------------------------------
http://blog.sucuri.net/2014/12/critical-vulnerability-in-joomla-hd-flv-play…
*** Underground black market: Thriving trade in stolen data, malware, and attack services ***
---------------------------------------------
The underground market is still booming after recent major data breaches. The price of stolen email accounts has dropped substantially, but the value of ..
---------------------------------------------
http://www.symantec.com/connect/blogs/underground-black-market-thriving-tra…
*** Odd new ssh scanning, possibly for D-Link devices, (Wed, Dec 10th) ***
---------------------------------------------
I noticed it in my own logs overnight and also had a couple of readers (both named Paul) report some odd new ssh scanning overnight. The scanning involves many sites, likely a botnet, attempting to ssh in as 3 users, D-Link, admin, ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19055
*** Microsoft Enables Removal of SSL 3.0 Fallback In IE ***
---------------------------------------------
Microsoft has given Windows admins the option to remove the SSL 3.0 fallback from Internet Explorer. By disabling SSL 3.0, IE is no longer vulnerable to POODLE attacks.
---------------------------------------------
http://threatpost.com/microsoft-enables-removal-of-ssl-3-0-fallback-in-ie/1…
*** FreeBSD Buffer Overflow in libc stdio Lets Local Users Deny Service or Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1031343
*** FreeBSD file(1) and libmagic(3) File Processing Flaws Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031344
*** WordPress Uninstall <= 1.1 - WordPress Deletion via CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7715
*** Mysterious Turla Linux backdoor also for Solaris? ***
---------------------------------------------
There has been numerous reports about the mysterious Linux backdoor connected to Turla, an APT family. The malware has some pretty interesting features, the most interesting being its ability to sniff the network interface. More specifically, it ..
---------------------------------------------
https://www.f-secure.com/weblog/archives/00002775.html
*** Regin ***
---------------------------------------------
Wir haben in der Woche ab dem 24. November 2014 zum Thema Regin regelmässige Status-Updates an die GovCERT Constituency (in unserer Rolle als GovCERT Austria), die potentiell betroffenen Sektoren (im Rahmen des ATC) und den CERT-Verbund verschickt.Dieser Blogpost stellt unsere Timeline ..
---------------------------------------------
http://www.cert.at/services/blog/20141211105745-1339.html
*** Patch-Debakel: Microsoft zieht erneut Update zurück ***
---------------------------------------------
Nach einem fehlerhaften Rollup-Update für Exchange musste Microsoft nun auch einen Patch für die Root-Zertifikate in Windows zurückziehen. Probleme mit Updates und Patches hatte Microsoft in letzter Zeit des öfteren.
---------------------------------------------
http://www.heise.de/security/meldung/Patch-Debakel-Microsoft-zieht-erneut-U…
*** Cyber-Spionage: Auf Roter Oktober folgt Cloud Atlas ***
---------------------------------------------
Eine neue Angriffswelle mit gezielten Attacken droht: Cloud Atlas soll die nächste digitale Spionagekampagne sein. Die Malware sei eine aktualisierte Variante von Roter Oktober, sagen IT-Sicherheitsexperten.
---------------------------------------------
http://www.golem.de/news/cyber-spionage-auf-roter-oktober-folgt-cloud-atlas…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 09-12-2014 18:00 − Mittwoch 10-12-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Adobe Security Bulletins Posted ***
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1149
*** VMSA-2014-0013 ***
---------------------------------------------
VMware vCloud Automation Center product updates address a critical remote privilege escalation vulnerability. VMware vCloud Automation Center has a remote privilege escalation vulnerability. This issue may allow an authenticated vCAC user to obtain administrative access to vCenter Server.
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0013.html
*** MS14-DEC - Microsoft Security Bulletin Summary for December 2014 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-DEC
*** Multiple vulnerabilities in SAP SQL Anywhere ***
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-415/http://www.zerodayinitiative.com/advisories/ZDI-14-414/http://www.zerodayinitiative.com/advisories/ZDI-14-413/http://www.zerodayinitiative.com/advisories/ZDI-14-412/
*** ZDI-14-411: Lexmark MarkVision Enterprise ReportDownloadServlet Information Disclosure Vulnerability ***
---------------------------------------------
The specific flaw exists within the ReportDownloadServlet class. The class contains a method that does not properly sanitize input allowing for directory traversal. An attacker can leverage this vulnerability to read files under the context of SYSTEM.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-411/
*** ZDI-14-410: Lexmark MarkVision Enterprise GfdFileUploadServlet Remote Code Execution Vulnerability ***
---------------------------------------------
The specific flaw exists within the GfdFileUploadServlet class. The class contains a method that does not properly sanitize input allowing for directory traversal. An attacker can leverage this vulnerability to write files under the context of SYSTEM and achieve remote code execution.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-410/
*** X Multiple Memory Corruption Flaws Let Remote Users Deny Service and Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1031326
*** Yokogawa FAST/TOOLS XML External Entity ***
---------------------------------------------
This advisory provides mitigation details for an XML external entity processing vulnerability in the Yokogawa FAST/TOOLS application.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-343-01
*** Trihedral VTScada Integer Overflow Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for an integer overflow vulnerability in Trihedral Engineering Ltd's VTScada application.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-343-02
*** .Bank hires Symantec to check credentials ***
---------------------------------------------
Soon you might be able to trust that financial email The launch of new .bank domain names is one step closer with the announcement that Symantec has been chosen to act as the credentials verifier for the top-level domain ..
---------------------------------------------
http://www.theregister.co.uk/2014/12/10/bank_hires_symantec_to_check_creden…
*** Nach Hack: Sony-Sicherheitszertifikat zur Malware-Tarnung genutzt ***
---------------------------------------------
Es ist wohl der verheerendste Angriff auf die IT-Sicherheit eines Unternehmens, den es je gegeben hat. Seit Tagen tauchen immer neue interne Informationen aus dem Netzwerk von Sony Pictures auf. Neben bislang ..
---------------------------------------------
http://derstandard.at/2000009194439
*** Cloud Atlas: RedOctober APT is back in style ***
---------------------------------------------
Two years ago, we published our research into RedOctober, a complex cyber-espionage operation targeting diplomatic embassies worldwide. We named it RedOctober because we started this investigation in October 2012, an unusually hot month.
---------------------------------------------
http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-bac…
*** DFN-CERT-2014-1622: Red Hat Package Manager (RPM): Zwei Schwachstellen ermöglichen die Ausführung beliebiger Befehle ***
---------------------------------------------
Zwei Schwachstellen im Red Hat Package Manager (RPM) ermöglichen einem entfernten, nicht authentisierten Angreifer die Ausführung beliebiger Befehle während der Paketinstallation und damit die Übernahme des Systems. Die Schwachstelle ..
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2014-1622/
*** F5 BIG-IP SSLv3 Decoding Function Lets Remote Users Decrypt TLS Traffic ***
---------------------------------------------
A vulnerability was reported in F5 BIG-IP. A remote user can decrypt TLS sessions in certain cases. The system may accept incorrect TLS padding when terminating TLSv1 CBC connections. A remote user can with the ability to conduct a man-in-the-middle attack can force a client to use a vulnerable SSLv3 decoding function with TLS and then conduct a BEAST-style of attack to decrypt portions of the session.
---------------------------------------------
http://www.securitytracker.com/id/1031338
*** Link spoofing and cache poisoning vulnerabilities in TYPO3 CMS ***
---------------------------------------------
An attacker could forge a request, which modifies anchor only links on the homepage of a TYPO3 installation in a way that they point to arbitrary domains, if the ..
---------------------------------------------
http://www.typo3.org/news/article/link-spoofing-and-cache-poisoning-vulnera…
*** Störungen bei 1&1-Webhosting wegen DDos-Attacke ***
---------------------------------------------
Weil das DNS-System von 1&1 angegriffen wird, sind sowohl Webhosting als auch Mail von 1&1 zeitweise nicht über Domains erreichbar.
---------------------------------------------
http://www.heise.de/security/meldung/Stoerungen-bei-1-1-Webhosting-wegen-DD…
*** Sony Pictures wurde vor Angriff auf IT-Infrastruktur angeblich erpresst ***
---------------------------------------------
Die Umstände des Hacker-Angriffs auf Sony Pictures werden immer verwirrender. Eine Geldforderung legt einen kriminellen Hintergrund nahe. Zugleich fordern die Hacker aber angeblich auch, die Nordkorea-Komödie "The Interview" zu stoppen.
---------------------------------------------
http://www.heise.de/security/meldung/Sony-Pictures-wurde-vor-Angriff-auf-IT…
*** X.ORG: Wieder Jahrzente alte Lücken im X-Server ***
---------------------------------------------
Der X-Server ist von 13 Sicherheitslücken betroffen, die sich auf verschiedene Implementierungen auswirken können. Die älteste reicht fast 30 Jahre in die erste Version von X11 zurück. Andeutungen auf die Fehler gab es bereits auf dem 30C3 vor einem Jahr.
---------------------------------------------
http://www.golem.de/news/x-org-wieder-jahrzente-alte-luecken-im-x-server-14…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 05-12-2014 18:00 − Dienstag 09-12-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Advance Notification Service for the December 2014 Security Bulletin Release ***
---------------------------------------------
Today, we provide advance notification for the release of seven Security Bulletins. Three of these updates are rated Critical and four are rated as Important in severity. These updates are for Microsoft Windows, Internet Explorer (IE), Office and Exchange. As per our monthly process, we've scheduled the Security Bulletin release for the second Tuesday of the month, December 9, 2014, at approximately 10 a.m. PDT. Until then, please review the ANS summary page for more information to help...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/12/04/advance-notification-ser…
*** Leveraging the WordPress Platform for SPAM ***
---------------------------------------------
We've all seen WordPress comment and pingback spam, but thanks to strict moderation regimes and brilliant WordPress plugins that focus strictly on SPAM comments, comment spam isn't a major problem for most websites these days. I have seen however, a new trend starting to emerge when it comes to spam involving WordPress. In recent years...
---------------------------------------------
http://blog.sucuri.net/2014/12/leveraging-the-wordpress-platform-for-spam.h…
*** SSLv3: Kaspersky-Software hebelt Schutz vor Poodle-Lücke aus ***
---------------------------------------------
Das Paket Kaspersky Internet Security kann auch bei Browsern, die unsichere Verbindungen per SSLv3 nicht unterstützen, das veraltete Protokoll dennoch aktivieren. Patchen will das der Hersteller erst 2015, es gibt aber schon jetzt eine einfache Lösung.
---------------------------------------------
http://www.golem.de/news/sslv3-kaspersky-software-hebelt-schutz-vor-poodle-…
*** Sicherheitslücken: Java-Sandbox-Ausbrüche in Googles App Engine ***
---------------------------------------------
Ein Forscherteam hat diverse Möglichkeiten und Lücken gefunden, aus der Java-Sandbox von Googles App Engine auszubrechen. Dadurch seien sogar beliebige Systemaufrufe im darunter liegenden Betriebssystem möglich.
---------------------------------------------
http://www.golem.de/news/sicherheitsluecken-java-sandbox-ausbrueche-in-goog…
*** DNS-Server BIND, PowerDNS und Unbound droht Endlosschleife ***
---------------------------------------------
Eine Sicherheitslücke in den drei DNS-Servern kann dazu ausgenutzt werden, die Software lahmzulegen. Dazu muss ein Angreifer allerdings die Zonen manipulieren oder einen bösartigen DNS-Resolver einschleusen.
---------------------------------------------
http://www.heise.de/security/meldung/DNS-Server-BIND-PowerDNS-und-Unbound-d…
*** The Penquin Turla - A Turla/Snake/Uroburos Malware for Linux ***
---------------------------------------------
So far, every single Turla sample weve encountered was designed for the Microsoft Windows family, 32 and 64 bit operating systems. The newly discovered Turla sample is unusual in the fact that its the first Turla sample targeting the Linux operating system that we have discovered.
---------------------------------------------
https://securelist.com/blog/research/67962/the-penquin-turla-2/
*** Setting Up Your Gadgets Securely ***
---------------------------------------------
I'm sure that many of us will take home brand new iPhones and Android devices and set it up just the way we want our personal devices to be. We should take a minute to remember, however, that because these devices are so personal to us, the damage a hacked smartphone can do to is significant. Imagine what would happen if a hacker stole your personal data. We don't have to imagine, however, as this has happened to many users in 2014. At the very least, this is embarrassing to the user...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/setting-up-your-…
*** Social Engineering improvements keep Rogues/FakeAV a viable scam ***
---------------------------------------------
The threat landscape has been accustomed to rogues for a while now. They've been rampant for the past few years and there likely isn't any end in sight to this scam. These aren't complex pieces of malware by any means and typically don't fool the average experienced user, but that's because they're aimed at the inexperienced user. We're going to take a look at some of the improvements seen recently in the latest round of FakeAVs that lead to their success.
---------------------------------------------
http://www.webroot.com/blog/2014/12/05/social-engineering-improvements-keep…
*** MediaWiki unspecified cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/99151
*** MediaWiki unspecified code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/99152
*** [Xen-announce] Xen Security Advisory 114 (CVE-2014-9065, CVE-2014-9066) - p2m lock starvation ***
---------------------------------------------
http://lists.xen.org/archives/html/xen-announce/2014-12/msg00001.html
*** [TYPO3-announce] Announcing TYPO3 CMS 6.2.8 LTS ***
---------------------------------------------
The TYPO3 Community has just released TYPO3 CMS version 6.2.8 LTS,
which is now ready for you to download. This version is maintenance releases and contains bug fixes. The packages can be downloaded here: http://typo3.org/download/
---------------------------------------------
http://typo3.org/news/article/typo3-cms-628-released/
*** Multiple vulnerabilities in extension phpMyAdmin (phpmyadmin) ***
---------------------------------------------
It has been discovered that the extension "phpMyAdmin" (phpmyadmin) is susceptible to Cross-Site Scripting, Denial of Service and Local File Inclusion.
---------------------------------------------
http://www.typo3.org/news/article/multiple-vulnerabilities-in-extension-php…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 04-12-2014 18:00 − Freitag 05-12-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** MS14-DEC - Microsoft Security Bulletin Advance Notification for December 2014 - Version: 1.0 ***
---------------------------------------------
This is an advance notification of security bulletins that Microsoft is intending to release on December 9, 2014.
This bulletin advance notification will be replaced with the December bulletin summary on December 9, 2014. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-DEC
*** Missing Exchange Patch Expected Among December Patch Tuesday Bulletins ***
---------------------------------------------
Microsofts December 2014 advanced Patch Tuesday notification includes three critical bulletins and a missing Exchange patch originally scheduled for November.
---------------------------------------------
http://threatpost.com/missing-exchange-patch-expected-among-december-patch-…
*** Details Emerge on Sony Wiper Malware Destover ***
---------------------------------------------
Kaspersky Lab has published an analysis of Destover, the wiper malware used in the attacks against Sony Pictures Entertainment, and its similarities to Shamoon and DarkSeoul.
---------------------------------------------
http://threatpost.com/details-emerge-on-sony-wiper-malware-destover/109727
*** Upcoming Security Updates for Adobe Reader and Acrobat (APSB14-28) ***
---------------------------------------------
December 4, 2014
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1147
*** Upcoming Adobe Reader, Acrobat Update to Patch Sandbox Escape ***
---------------------------------------------
Adobe announced security updates for Reader and Acrobat that likely include patches for a sandbox escape vulnerability. Googles Project Zero released details and exploit code earlier this week.
---------------------------------------------
http://threatpost.com/upcoming-adobe-reader-acrobat-update-to-patch-sandbox…
*** Weekly Metasploit Wrapup: On Unicorns and Wizards ***
---------------------------------------------
This week, we shipped a brand new exploit for the "unicorn" bug in Microsoft Internet Explorer, CVE-2014-6332, not-so-prosaically entitled, Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution. This is a big deal client-side vulnerability for the usual reason that Internet Explorer 11 accounts for about a quarter of browser traffic today; nearly always, remote code execution bugs in latest IE are usually particularly dangerous to leave unpatched in your environment. The buzz around this bug, though, is that it's been exploitable...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/12/04/weekly-me…
*** Schwachstelle: Yosemite schreibt Firefox-Eingaben mit ***
---------------------------------------------
Unter Mac OS X 10.10 werden sämtliche Eingaben im Browser Firefox protokolliert. Mozilla spricht von einer schweren Schwachstelle, die in der aktuellen Version des Browsers geschlossen ist. Die Protokolldateien sind allgemein zugänglich und sollten gelöscht werden.
---------------------------------------------
http://www.golem.de/news/schwachstelle-yosemite-schreibt-firefox-eingaben-m…
*** Demo-Exploit für kritische Kerberos-Lücke in Windows Server ***
---------------------------------------------
Höchste Zeit zu patchen: Mit dem Python Kerberos Exploitation Kit können sich Angreifer sonst zum Enterprise-Admin machen.
---------------------------------------------
http://www.heise.de/security/meldung/Demo-Exploit-fuer-kritische-Kerberos-L…
*** ZDI-14-403: (0Day) Microsoft Internet Explorer display:run-in Use-After-Free Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-403/
*** ZDI: (0Day) 3S Pocketnet Tech VMS PocketNetNVRMediaClientAxCtrl.NVRMediaViewer.1 multiple Vulnerabilities ***
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-393http://www.zerodayinitiative.com/advisories/ZDI-14-394http://www.zerodayinitiative.com/advisories/ZDI-14-395http://www.zerodayinitiative.com/advisories/ZDI-14-396http://www.zerodayinitiative.com/advisories/ZDI-14-397
*** DSA-3090 iceweasel - security update ***
---------------------------------------------
Multiple security issues have been found in Iceweasel, Debians versionof the Mozilla Firefox web browser: Multiple memory safety errors, bufferoverflows, use-after-frees and other implementation errors may lead tothe execution of arbitrary code, the bypass of security restrictions ordenial of service.
---------------------------------------------
https://www.debian.org/security/2014/dsa-3090
*** Security Advisory: libxml2 vulnerability CVE-2014-3660 ***
---------------------------------------------
(SOL15872)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/800/sol15872.htm…
*** Novell Patches and Security Updates ***
---------------------------------------------
https://download.novell.com/Download?buildid=gV_oiDtqRV0~https://download.novell.com/Download?buildid=vPrLP1Ai9zY~https://download.novell.com/Download?buildid=GuVaYIx6DDo~https://download.novell.com/Download?buildid=lHQCbRDbSMI~https://download.novell.com/Download?buildid=Tlic28DXD3o~https://download.novell.com/Download?buildid=zhVqTr2nsdg~
*** MediaWiki Bugs Permit Cross-Site Request Forgery and API Code Injection Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1031301
*** Security Advisories for VMware vSphere ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0012.htmlhttp://www.vmware.com/security/advisories/VMSA-2014-0008.htmlhttp://www.vmware.com/security/advisories/VMSA-2014-0002.html
*** HPSBUX03218 SSRT101770 rev.1 - HP-UX running Java7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBGN03205 rev.1 - HP Insight Remote Support Clients running SSLv3, Remote Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP Insight Remote Support Clients running SSLv3 which may impact WBEM, WS-MAN and WMI connections from monitored devices to a HP Insight Remote Support Central Management Server (CMS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
Next End-of-Shift report on 2014-12-09
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 03-12-2014 18:00 − Donnerstag 04-12-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** An Analysis of the "Destructive" Malware Behind FBI Warnings ***
---------------------------------------------
TrendLabs engineers were recently able to obtain a malware sample of the "destructive malware" described in reports about the Federal Bureau of Investigation (FBI) warning to U.S. businesses last December 2. According to Reuters, the FBI issued a warning to businesses to remain vigilant against this new "destructive" malware in the wake of the recent Sony Pictures...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ZsHCPcPYoQk/
*** Sony Got Hacked Hard: What We Know and Don't Know So Far ***
---------------------------------------------
A week into the Sony hack, however, there is a lot of rampant speculation but few solid facts. Here's a look at what we do and don't know about what's turning out to be the biggest hack of the year.
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/41179d61/sc/28/l/0L0Swired0N0C20A…
*** Automating Incident data collection with Python, (Thu, Dec 4th) ***
---------------------------------------------
One of my favorite Python modules isImpacketby the guys at Core Labs. Among other things it allows me to create Python scripts that can speak to Windows computers over SMB. I can use it to map network drives, kill processes on a remote machine and much more. During an incident having the ability to reach out to allthe machines in your environment to list or kill processes is very useful. Python andImpacketmake this very easy. Check it out. After installing Impacketall of the awesome modules are...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19025&rss
*** Escaping the Internet Explorer Sandbox: Analyzing CVE-2014-6349 ***
---------------------------------------------
Applications that have been frequently targeted by exploits frequently add sandboxes to their features in order to harden their defenses against these attacks. To carry out a successful exploit, an attacker will have to breach these sandboxes to run malicious code. As a result, researchers will pay particular attention to exploits that are able to...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/OnnBY6zHrlw/
*** Android Hacking and Security, Part 15: Hacking Android Apps Using Backup Techniques ***
---------------------------------------------
In the previous article, we had an introduction on how to analyze Android application specific data using Android backup techniques. This article builds on the previous article. We are going to see how local data storage or basic checks that are performed on a local device can be exploited on...
---------------------------------------------
http://resources.infosecinstitute.com/android-hacking-security-part-15-hack…
*** WebSocket Security Issues ***
---------------------------------------------
Overview In this article, we will dive into the concept of WebSocket introduced in HTML 5, security issues around the WebSocket model, and the best practices that should be adopted to address security issues around WebSocket. Before going straight to security, let's refresh our concepts on WebSocket. Why Websocket and...
---------------------------------------------
http://resources.infosecinstitute.com/websocket-security-issues/
*** Avoiding Mod Security False Positives with White-listing ***
---------------------------------------------
We have already discussed in my previous articles how to configure Mod Security Firewall with OWASP rules and also analysed the different types of logs which Mod Security generates. While analysing the logs, we have seen that the OWASP rules generate a lot of false positive results, as these rules [...]The post Avoiding Mod Security False Positives with White-listing appeared first on InfoSec Institute.
---------------------------------------------
http://resources.infosecinstitute.com/avoiding-mod-security-false-positives…
*** Apple veröffentlicht Updates für Safari-Browser - und zieht sie wieder zurück ***
---------------------------------------------
Laut Apple soll Safari 8.0.1 unter anderem Fehler im Zusammenhang mit iCloud-Diensten beheben. Gleichzeitig wurden Safari 6.2.1 und 7.1.1 für ältere OS-X-Versionen veröffentlicht. Apple hat die Updates allerdings kommentarlos offline genommen.
---------------------------------------------
http://www.heise.de/security/meldung/Apple-veroeffentlicht-Updates-fuer-Saf…
*** Quantum Attack on Public-Key Algorithm ***
---------------------------------------------
This talk (and paper) describe a lattice-based public-key algorithm called Soliloquy developed by GCHQ, and a quantum-computer attack on it. News article....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/12/quantum_attack_.html
*** The TYPO3 community publishes TYPO3 CMS 7.0 ***
---------------------------------------------
Following our new release cycle, TYPO3 CMS 7.0 is the first sprint release on our way towards the final 7 LTS which will be released in fall 2015. 7.0 will not receive regular bugfix releases, an upgrade to 7.1 should be installed after its release in around 8 weeks instead - see our roadmap for more details.
---------------------------------------------
https://typo3.org/news/article/the-typo3-community-publishes-typo3-cms-70-a…
*** Cisco Unified Computing System (UCS) Manager Information Disclosure Vulnerability ***
---------------------------------------------
CVE-2014-8009
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** SA-CONTRIB-2014-117 - Hierarchical Select - Cross Site Scripting (XSS) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-117Project: Hierarchical Select (third-party module)Version: 6.xDate: 2014-December-03Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescriptionThe Hierarchical Select module provides a "hierarchical_select" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data...
---------------------------------------------
https://www.drupal.org/node/2386615
*** SA-CONTRIB-2014-116 -Webform Invitation - Cross Site Scripting ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-116Project: Webform Invitation (third-party module)Version: 7.xDate: 2014-December-03Security risk: 8/25 ( Less Critical) AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescriptionThis module enables you to create custom invitation codes for Webforms.The module failed to sanitize node titles.This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Webform: Create new...
---------------------------------------------
https://www.drupal.org/node/2386387
*** Security Advisory - High Severity - WordPress Download Manager ***
---------------------------------------------
Advisory for: WordPress Download Manager Security Risk: Very High Exploitation level: Easy/Remote DREAD Score: 9/10 Vulnerability: Code Execution / Remote File Inclusion Risk Version: Read More
---------------------------------------------
http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-do…
*** Security Advisory-DLL Hijacking Vulnerability on Huawei USB Modem products ***
---------------------------------------------
Dec 04, 2014 18:26
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** DSA-3086 tcpdump - security update ***
---------------------------------------------
Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service, leaking sensitive information from memory or, potentially, execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2014/dsa-3086
*** DSA-3089 jasper - security update ***
---------------------------------------------
Josh Duart of the Google Security Team discovered heap-based bufferoverflow flaws in JasPer, a library for manipulating JPEG-2000 files,which could lead to denial of service (application crash) or theexecution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2014/dsa-3089
*** DSA-3088 qemu-kvm - security update ***
---------------------------------------------
Paolo Bonzini of Red Hat discovered that the blit region checks wereinsufficient in the Cirrus VGA emulator in qemu-kvm, a fullvirtualization solution on x86 hardware. A privileged guest user coulduse this flaw to write into qemu address space on the host, potentiallyescalating their privileges to those of the qemu host process.
---------------------------------------------
https://www.debian.org/security/2014/dsa-3088
*** DSA-3087 qemu - security update ***
---------------------------------------------
Paolo Bonzini of Red Hat discovered that the blit region checks wereinsufficient in the Cirrus VGA emulator in qemu, a fast processoremulator. A privileged guest user could use this flaw to write into qemuaddress space on the host, potentially escalating their privileges tothose of the qemu host process.
---------------------------------------------
https://www.debian.org/security/2014/dsa-3087
*** GNU cpio Heap Overflow in process_copy_in() Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031285
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 02-12-2014 18:00 − Mittwoch 03-12-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Shodan Add-on for Firefox ***
---------------------------------------------
It's now possible to see what information Shodan has available on a server from within Firefox thanks to the new Shodan add-on created by @PaulWebSec and @romainletendart! It's a minimalistic yet powerful add-on to see what the website you're visiting is exposing to the Internet. And the add-on will also tell you other information about the IP,...
---------------------------------------------
http://shodanio.wordpress.com/2014/12/02/shodan-add-on-for-firefox/
*** Böse Schlüssel werden zum Problem für GnuPG ***
---------------------------------------------
Ein Forscherteam hat demonstriert, wie einfach sich die IDs zu GnuPG-Schlüsseln fälschen lassen und kurzerhand böse Duplikate des kompletten Strong-Sets erzeugt. Das umfasst rund 50.000 besonders eng vernetzte und vertrauenswürdige Schlüssel.
---------------------------------------------
http://www.heise.de/security/meldung/Boese-Schluessel-werden-zum-Problem-fu…
*** IBM Fixes Serious Code Execution Bug in Endpoint Manager Product ***
---------------------------------------------
IBM has fixed a serious vulnerability in its Endpoint Manager product that could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The vulnerability lies in the Endpoint Manager for Mobile Devices component of the product and the researchers who discovered it said the bug could be used to compromise not...
---------------------------------------------
http://threatpost.com/ibm-fixes-serious-code-execution-bug-in-endpoint-mana…
*** An interesting case of the CVE-2014-8439 exploit ***
---------------------------------------------
We have recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-8439 (we detect it as Exploit:SWF/Axpergle). This exploit is being integrated into multiple exploit kits, including the Nuclear exploit kit (Exploit:JS/Neclu) and the Angler exploit kit (Exploit:JS/Axpergle). Adobe released a patch in November to address this exploit (APSB14-26). Coincidentally, our investigation shows that Adobe released a patch to address a different exploit and that patch appears to...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/12/02/an-interesting-case-of-t…
*** Keeping Your Website Safe From WordPress's XSS Vulnerability ***
---------------------------------------------
Last month, a Finnish IT company by the name of Klikki Oy identified a critical vulnerability in WordPress - one which has been present in the platform for approximately four years. It allows attackers to enter comments which include malicious JavaScript. Once the script in these comments is executed, the attacker could then do anything from infecting the PCs of visitors to completely hijacking the website; locking the original administrator out of their account.
---------------------------------------------
http://www.ahosting.net/blog/keeping-your-website-safe-from-wordpresss-xss-…
*** A Physical Security Policy Can Save Your Company Thousands of Dollars ***
---------------------------------------------
Investments in cybersecurity and physical security are proportionally connected to your organization's improved financial picture for a long-term perspective. Our digital lives are getting smaller as technology simplifies our communications, but cyber attacks are also prevalent. While the Internet radically changes the way organizations operate globally, from handling sensitive data to offshore outsourcing of IT architecture, the payoffs of security are significant and can't be...
---------------------------------------------
http://resources.infosecinstitute.com/physical-security-policy-can-save-com…
*** Samurai Web Testing Framework 3.0 - LiveCD Web Pen-testing Environment ***
---------------------------------------------
The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
---------------------------------------------
http://hack-tools.blackploit.com/2014/12/samurai-web-testing-framework-30-l…
*** New LusyPOS malware is a cross between Dexter and Chewbacca ***
---------------------------------------------
A new piece of Point-of-Sale RAM scraping malware has been submitted to VirusTotal and analyzed by researchers, who found that its a cross between two older and different POS malware families and is offered for sale on underground markets for $2,000.
---------------------------------------------
http://www.net-security.org/malware_news.php?id=2926
*** The Future of Auditory Surveillance ***
---------------------------------------------
Interesting essay on the future of speech recognition, microphone miniaturization, and the future ubiquity of auditory surveillance....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/12/the_future_of_a.html
*** DSA-3084 openvpn ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-3084
*** Bugtraq: ESA-2014-156: EMC Documentum Content Server Insecure Direct Object Reference Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534135
*** Bugtraq: ESA-2014-160: RSA Adaptive Authentication (On-Premise) Authentication Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534136
*** F5 Security Advisories ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/100/sol15147.htm…https://support.f5.com:443/kb/en-us/solutions/public/15000/100/sol15158.htm…https://support.f5.com:443/kb/en-us/solutions/public/15000/300/sol15329.htm…
*** Siemens SIMATIC WinCC, PCS7, and TIA Portal Vulnerabilities (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-14-329-02 Siemens SIMATIC WinCC, PCS7, and TIA Portal Vulnerabilities that was published November 25, 2014, on the NCCIC/ICS-CERT web site. This updated advisory provides mitigation details for two vulnerabilities within products utilizing the Siemens WinCC application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-14-329-02A
*** Elipse SCADA DNP3 Denial of Service ***
---------------------------------------------
Independent researchers Adam Crain and Chris Sistrunk have identified a DNP3 denial of service vulnerability in the Elipse SCADA application. Elipse has produced a new version of the DNP3 driver that mitigates this vulnerability.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-14-303-02
*** Emerson ROC800 Multiple Vulnerabilities (Update A) ***
---------------------------------------------
This advisory provides mitigation details for multiple vulnerabilities affecting the Emerson Process Management's ROC800 remote terminal units (RTUs) products (ROC800, ROC800L, and DL8000).
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-13-259-01A
*** Yokogawa CENTUM and Exaopc Vulnerability (Update A) ***
---------------------------------------------
Tod Beardsley of Rapid7 Inc. and Jim Denaro of CipherLaw have identified an authentication vulnerability and released proof-of-concept (exploit) code for the Yokogawa CENTUM CS 3000 series and Exaopc products. JPCERT and Yokogawa have mitigated this vulnerability.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-14-260-01A
*** IBM Security Bulletins ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_powerkvm_2_issues…https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 01-12-2014 18:00 − Dienstag 02-12-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Researcher Releases Database of Known-Good ICS and SCADA Files ***
---------------------------------------------
A prominent security researcher has put together a new database of hundreds of thousands of known-good files from ICS and SCADA software vendors in an effort to help users and other researchers identify legitimate files and home in on potentially malicious ones. The database, known as WhiteScope, comprises nearly 350,000 files, including executables and DLLs,...
---------------------------------------------
http://threatpost.com/researcher-releases-database-of-known-good-ics-and-sc…
*** CVE-2014-1824 - A New Windows Fuzzing Target ***
---------------------------------------------
As time progresses, due to constant fuzzing and auditing many common Microsoft products are becoming reasonably hard targets to fuzz and find interesting crashes. There are two solutions to this: write a better fuzzer (http://lcamtuf.coredump.cx/afl/) or pick a less audited target. In a search for less audited attack surface, we are brought to MS14-038, Vulnerability...
---------------------------------------------
http://blog.beyondtrust.com/cve-2014-1824-searching-for-windows-attack-surf…
*** Kritische Lücke legt OpenVPN-Server lahm ***
---------------------------------------------
Wer einen OpenVPN-Server betreibt, sollte diesen umgehend auf den aktuellen Stand bringen. Durch eine Schwachstelle können Angreifer dessen Erreichbarkeit erheblich beeinträchtigen.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-Luecke-legt-OpenVPN-Server-l…
*** Operation DeathClick ***
---------------------------------------------
The era of spear phishing and the waterhole attack, which uses social engineering, has come to an end. Hackers are now moving their tricky brains towards targeted Malvertising - a type of attack that uses online advertising to spread malware. A recent campaign termed "Operation death click" displays a new form of cyber-attack focused on specific targets. The attack is also defined as micro targeted malvertising. In this newly targeted variation of malvertising, the hackers are
---------------------------------------------
http://resources.infosecinstitute.com/operation-deathclick/
*** 3Q 2014 Security Roundup: Vulnerabilities Under Attack ***
---------------------------------------------
Our report on the threats seen in 3Q 2014 shows us that once again, software vulnerabilities are the most favored cybercriminal targets. Following the second quarter's infamous Heartbleed vulnerability came another serious vulnerability in open-source software: Shellshock. Having gone unnoticed for years, the Shellshock incident suggests that there might be more vulnerabilities in Bash or in...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/4qiLKTUdqhM/
*** Betrügerische E-Mails im Namen des Finanzministeriums in Umlauf ***
---------------------------------------------
Täuschend echte Phishing-Masken in Design von FinanzOnline
---------------------------------------------
http://derstandard.at/2000008913504
*** JSA10607 - 2014-01 Security Bulletin: Junos: Memory-consumption DoS attack possible when xnm-ssl or xnm-clear-text service enabled (CVE-2014-0613) ***
---------------------------------------------
Product Affected: This issue can affect any product or platform running Junos OS.
Problem: When xnm-ssl or xnm-clear-text is enabled within the [edit system services] hierarchy level of the Junos configuration, an unauthenticated, remote user could exploit the XNM command processor to consume excessive amounts of memory. This, in turn, could lead to system instability or other performance issues.
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10607
*** Security advisory - High severity - InfiniteWP Client WordPress plugin ***
---------------------------------------------
Advisory for: InfiniteWP Client for WordPress Security Risk: High (DREAD score : 8/10) Exploitation level: Easy/Remote Vulnerability: Privilege escalation and potential Object Injection vulnerability. Patched Version: 1.3.8 If you're using the InfiniteWP WordPress Client plugin to manage your website, now is a good time to update. While doing a routine audit of our Website FirewallRead More
---------------------------------------------
http://blog.sucuri.net/2014/12/security-advisory-high-severity-infinitewp-c…
*** Security Bulletin: Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management (CVE-2014-6140) ***
---------------------------------------------
A vulnerability exists in IBM Endpoint Manager Mobile Device Management component, where an attacker could misuse cookies to execute arbitrary code.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21691701
*** Security Advisory: PHP vulnerability CVE-2013-2110 ***
---------------------------------------------
(SOL15876)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/800/sol15876.htm…
*** Security Advisory: SOAP parser vulnerability CVE-2013-1824 ***
---------------------------------------------
(SOL15879)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/800/sol15879.htm…
*** Yokogawa FAST/TOOLS XML information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/99018
*** EntryPass N5200 Credential Disclosure ***
---------------------------------------------
Topic: EntryPass N5200 Credential Disclosure Risk: Low Text:Advisory: EntryPass N5200 Credentials Disclosure EntryPass N5200 Active Network Control Panels allow the unauthenticated do...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120010
*** 1830 Photonic Service Switch PSS-32/16/4 Cross Site Scripting ***
---------------------------------------------
Topic: 1830 Photonic Service Switch PSS-32/16/4 Cross Site Scripting Risk: Low Text: # # # SWISSCOM CSIRT ADVISORY - http://www.swisscom.com/security # # # # CVE ID: ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120009
*** Security Advisory-Multiple Vulnerabilities on Huawei P2 product ***
---------------------------------------------
Dec 02, 2014 15:22
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…