=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 10-06-2014 18:00 − Mittwoch 11-06-2014 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Microsoft Security Bulletin Summary for June 2014 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for June 2014.
With the release of the security bulletins for June 2014, this bulletin summary replaces the bulletin advance notification originally issued June 5, 2014.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-JUN
*** Assessing risk for the June 2014 security updates ***
---------------------------------------------
Today we released seven security bulletins addressing 66 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max XI Likely first 30 days impact Platform mitigations and key notes MS14-035(Internet Explorer) Victim browses to a malicious
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/06/10/assessing-risk-for-the-ju…
*** Android no longer reveals app permission changes in automatic updates ***
---------------------------------------------
Change could heighten security risks for users.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/KCMtV-_xnqA/
*** May 2014 Cyber Attack Statistics ***
---------------------------------------------
As I noticed previously in these pages, looks like attackers are just waiting for the Summer, since the number of events in May has experienced a sensible decreease. The Daily Trend Of Attacks chart shows quite a linear trend with two small peaks around the 15 and 30 May. Overall the activity appears quite limited.
---------------------------------------------
http://hackmageddon.com/2014/06/11/may-2014-cyber-attack-statistics/
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 06-06-2014 18:00 − Dienstag 10-06-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Microsoft preps seven fixes, two critical, for Patch Tuesday release ***
---------------------------------------------
The critical patches will remediate remote code execute (RCE) bugs in Windows, IE, Office and Microsoft Lync.
---------------------------------------------
http://www.scmagazine.com/microsoft-preps-seven-fixes-two-critical-for-patc…
*** Microsoft will Uralt-Lücke bei Internet Explorer ausmerzen ***
---------------------------------------------
Sieben Update-Pakete für kommenden Patchday angekündigt - Support für XP fraglich
---------------------------------------------
http://derstandard.at/2000001862657
*** Security updates available for Adobe Flash Player (APSB14-16) ***
---------------------------------------------
Adobe has released security updates for Adobe Flash Player 13.0.0.214 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:...
---------------------------------------------
https://helpx.adobe.com/security/products/flash-player/apsb14-16.html
*** Microsoft Fixing Windows 8 Flaws, But Leaving Them In Windows 7 ***
---------------------------------------------
mask.of.sanity sends this news from El Reg: "Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsofts dedicated libraries...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/Rz2E0q7KOps/story01.htm
*** Coordinated malware eradication nears launch ***
---------------------------------------------
Good news: the coordinated malware eradication preparations are almost done. We have held several roundtable meetings at industry events around the world, and the last two are scheduled for June and July. We had insightful conversations with a diverse group of experts from across the antimalware industry. The ideas have converged into a shared vision of how we'll work together to put pressure on the malware ecosystem. I am excited for the first coordinated eradication campaigns to...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/06/04/coordinated-malware-erad…
*** Routersicherheit: Fritzbox sucht automatisch nach Firmware-Updates ***
---------------------------------------------
AVM hat eine Konsequenz aus der schweren Sicherheitslücke seiner Router gezogen. Eine Laborversion ermöglicht nun ein automatisches Update der Firmware.
---------------------------------------------
http://www.golem.de/news/routersicherheit-fritzbox-sucht-automatisch-nach-f…
*** Backstage with the Gameover Botnet Hijackers ***
---------------------------------------------
When youre planning to rob the Russian cyber mob, youd better be sure that you have the element of surprise, that you can make a clean getaway, and that you understand how your target is going to respond. Todays column features an interview with two security experts who helped plan and execute this weeks global, collaborative effort to hijack the Gameover Zeus botnet, an extremely resilient and sophisticated crime machine that helped an elite group of thieves steal more than $100 million from
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/QUb7mFxjXlc/
*** Extracting the payload from a CVE-2014-1761 RTF document ***
---------------------------------------------
Background In March Microsoft published security advisory 2953095, detailing a remote code execution vulnerability in multiple versions of Microsoft Office (CVE-2014-1761). A Technet blog was released at the same time which contained excellent information on how a typical malicious document would be constructed. NCC Group's Cyber Defence Operations team used the information in the Technet blog to identify a malicious document within our malware zoo that exploited this vulnerability which...
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/06/extracting-the-payload-from-a-cve-…
*** Weve Set Up a One-Click Test For GameOver ZeuS ***
---------------------------------------------
Today weve published a new, quick way to check if your computer is infected by GameOver ZeuS (GOZ). Last week the GOZ botnet was disrupted by international law enforcement together with industry partners, including ourselves.It is of critical importance to realize GOZ was disrupted - not dismantled. Its not technically impossible for the botnet administrators to reclaim control in the near future. More than one million computers are infected by GOZ, time is of the essence.To assist with...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002712.html
*** Cyber-Kriminalität kostet laut Studie weltweit über 400 Mrd. Dollar ***
---------------------------------------------
In Österreich beträgt der Schaden 0,41 Prozent des Bruttoinlandsproduktes
---------------------------------------------
http://derstandard.at/2000001878950
*** "Red Button" Attack Could Compromise Some Smart TVs ***
---------------------------------------------
A vulnerability in an emerging interactive television standard could open up number of smart TVs to untraceable drive-by attacks.
---------------------------------------------
http://threatpost.com/red-button-attack-could-compromise-some-smart-tvs/106…
*** Chrome OS leaks data to Google before switching on a VPN, says GCHQ ***
---------------------------------------------
UK spy-base wing in new advice for BlackBerry, and Google OSes The sexy-named Communications Electronics Security Group (CESG) - the bit of GCHQ that helps Brits protect secrets from foreign spies (never mind GCHQ) - has issued new advice for securing BlackBerry OS 10, Android and Chrome OS 32.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/06/10/security_gu…
*** Zeus Alternative "Pandemiya" Emerges in Cybercrime Underground ***
---------------------------------------------
Pandemiya has all the capabilities that are typical among banking Trojans, such as injecting fake elements into websites, capturing screenshots of the users computer screen, and encrypting its communications with the control panel. What sets Pandemiya apart from all other banking Trojans is the fact that it has been written from scratch without sharing any source code with Zeus, Fleyder said.
---------------------------------------------
https://www.securityweek.com/zeus-alternative-pandemiya-emerges-cybercrime-…
*** iOS Malware Does Exist ***
---------------------------------------------
Before somebody asks me (again) whether there are any iOS malware or not, I decided to consolidate the information for you.
---------------------------------------------
https://blog.fortinet.com/iOS-malware-do-exist/
*** Cisco Wireless LAN Controller Cisco Discovery Protocol Denial of Service Vulnerability ***
---------------------------------------------
CVE-2014-3291
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Citrix Security Advisory for OpenSSL Vulnerabilities (June 2014) ***
---------------------------------------------
Severity: High Overview The OpenSSL security advisory released on the 5 th of June 2014 disclosed six security vulnerabilities in this open source component; these are described below:
---------------------------------------------
http://support.citrix.com/article/CTX140876
*** SAP Hard-Coded Credentials ***
---------------------------------------------
Topic: SAP Hard-Coded Credentials Risk: Medium Text: Onapsis Security Advisories:Multiple Hard-coded Usernames (CWE-798) have been found and patched in a variety of SAP componen...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060046
*** MediaWiki Input Validation Flaw in Special:PasswordReset Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030364
*** VU#758382: Unauthorized modification of UEFI variables in UEFI systems ***
---------------------------------------------
Vulnerability Note VU#758382 Unauthorized modification of UEFI variables in UEFI systems Original Release date: 09 Jun 2014 | Last revised: 09 Jun 2014 Overview Certain firmware implementations may not correctly protect and validate information contained in certain UEFI variables. Exploitation of such vulnerabilities could potentially lead to bypass of security features and/or denial of service for the platform. Description According to Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam...
---------------------------------------------
http://www.kb.cert.org/vuls/id/758382
*** Cisco Unified Communications Manager Java Interface SQL Injection Vulnerability ***
---------------------------------------------
CVE-2014-3287
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** WebEx Meeting Server Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
CVE-2014-3294
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Vuln: Cisco Wireless LAN Controller CVE-2014-3291 Denial of Service Vulnerability ***
---------------------------------------------
Cisco Wireless LAN Controller CVE-2014-3291 Denial of Service Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/67926
*** IBM Security Bulletin: Denial of Service attack possible on Cúram instances using Apache Commons FileUpload (CVE-2014-0050) ***
---------------------------------------------
A version of Apache Commons FileUpload shipped with Cúram is vulnerable to a denial of service attack. CVE(s): CVE-2014-0050 Affected product(s) and affected version(s): Cúram Social Program Management All products are affected when running code releases 4.5 SP10, 5.0, 5.2, 5.2 SP1, 5.2 SP4, 5.2 SP4 DE, 5.2 SP5, 5.2 SP6, 6.0 SP2, 6.0.3.0, 6.0.4.0, 6.0.4.3, 6.0.4.4, 6.0.4.5, 6.0.5.2, 6.0.5.3, 6.0.5.4. Refer to the following reference URLs for remediation and additional...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** WebTitan: Multiple critical vulnerabilities ***
---------------------------------------------
product: WebTitan vulnerable version: 4.01 (Build 68) fixed version: 4.04 impact: critical ... 1) SQL Injection 2) Remote command execution 3) Path traversal 4) Unprotected Access
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 05-06-2014 18:00 − Freitag 06-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Hunderttausende Server über Fernwartungsprotokolle angreifbar ***
---------------------------------------------
Das Fernwartungsprotokoll IPMI, mit dem Server über die Firmware des Motherboards gewartet werden können, hat gravierende Sicherheitslücken. Forscher haben bei einem Scan des Internets haufenweise Server gefunden, die angreifbar sind.
---------------------------------------------
http://www.heise.de/security/meldung/Hunderttausende-Server-ueber-Fernwartu…
*** Microsoft Security Bulletin Advance Notification for June 2014 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-JUN
*** Microsoft to Patch Critical Internet Explorer Zero-Day Vulnerability Next Tuesday ***
---------------------------------------------
Today Microsoft has released its Advance Notification for the month of June 2014 Patch Tuesday releasing seven security Bulletins, which will address several vulnerabilities in its products, out of which two are marked critical and rest are important in severity. This Tuesday, Microsoft will issue Security Updates to ..
---------------------------------------------
http://thehackernews.com/2014/06/microsoft-to-patch-critical-internet.html
*** Linux Kernel futex privilege escalation ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93593
*** Linux: Kernel-Bug erlaubt Sandbox-Ausbrüche ***
---------------------------------------------
Ein Fehler im Futex-Code von Linux erlaubt Nutzern vollen Zugriff auf den Kernel. Damit liesse sich etwa aus der Chrome-Sandbox ausbrechen. Patches sind bereits verfügbar.
---------------------------------------------
http://www.golem.de/news/linux-kernel-bug-erlaubt-sandbox-ausbrueche-1406-1…
*** Bugtraq: ESA-2014-046: EMC Documentum Content Server Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532311
*** Hacking Apple ID? ***
---------------------------------------------
The many announcements at Apple's 2014 Worldwide Developers Conference (WWDC) this week was welcome news to the throngs of Apple developers and enthusiasts. It was also welcome news for another group of people with less than clean motives: cybercriminals. Last week we got a concrete example of how some ..
---------------------------------------------
blog.trendmicro.com/trendlabs-security-intelligence/hacking-apple-id/
*** Daktronics Vanguard Hardcoded Credentials (Update A) ***
---------------------------------------------
http://ics-cert.us-cert.gov//alerts/ICS-ALERT-14-155-01A
*** Noch mehr Herzbluten bei OpenSSL ***
---------------------------------------------
Der Verursacher der Heartbleed-Lücke hat weiteren Code zum Open-Source-Projekt beigetragen. Und auch der hat offensichtliche Sicherheitslücken.
---------------------------------------------
http://www.heise.de/security/meldung/Noch-mehr-Herzbluten-bei-OpenSSL-22172…
*** Phish or legit - Can you tell the difference? ***
---------------------------------------------
I recently received two emails, sent to two different addresses and both from different senders. The first email was allegedly from Apple and was sent to my work account. The second email was allegedly from the Bank of Montreal (BMO) and was sent to my personal account. Both were unsolicited and were asking me to click on links contained in the body of the email.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/06/06/phish-or-legit-can-you-tell-the-…
*** Web-Browser: Neues History-Leck schwer zu stopfen ***
---------------------------------------------
Eine Javascript-Funktion erlaubt es indirekt, die Ladezeiten einer Webseite zu messen. Damit lässt sich herausfinden, ob ein Besucher bestimmte Links schon einmal aufgerufen hat.
---------------------------------------------
http://www.heise.de/security/meldung/Web-Browser-Neues-History-Leck-schwer-…
*** [2014-06-06] Multiple critical vulnerabilities in WebTitan ***
---------------------------------------------
Multiple critical security vulnerabilities have been identified in the WebTitan web filtering solution. Exploiting these vulnerabilities potential attackers could take control over the entire appliance.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 04-06-2014 18:00 − Donnerstag 05-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Peek Inside a Professional Carding Shop ***
---------------------------------------------
Over the past year, Ive spent a great deal of time trolling a variety of underground stores that sell "dumps" -- street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash.
---------------------------------------------
http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/
*** Daktronics Vanguard Hardcoded Credentials ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of a hardcoded password vulnerability affecting Daktronics Vanguard highway notification sign configuration software. According to this report, the vulnerability is a hardcoded password that could allow unauthorized access to the highway sign.
---------------------------------------------
http://ics-cert.us-cert.gov//alerts/ICS-ALERT-14-155-01
*** New Apple operating systems bring security mysteries ***
---------------------------------------------
Apples march toward seamless integration between the Mac, iPhone and iPad worries some security experts who say companies may find it more difficult to prevent data leakage on the devices.On Monday, Apple introduced Handoff, a feature in upcoming iOS 8 and Mac OS X Yosemite that would let a person start a task on one device and complete it on another. For example, an email started on the Mac could be completed later on the iPad.
---------------------------------------------
http://www.csoonline.com/article/2360161/data-protection/new-apple-operatin…
*** Android-Trojaner verschlüsselt Speicherkarte ***
---------------------------------------------
Ein weiter Malware-Trend erreicht Android: Nach den Erpressungstrojanern, die das Gerät sperren, gibt es nun auch einen Schädling, der das digitale Hab und Gut seines Opfers verschlüsselt. Für die Entschlüsselung der Daten verlangen die Ganoven Geld.
---------------------------------------------
http://www.heise.de/security/meldung/Android-Trojaner-verschluesselt-Speich…
*** Sicherheitsprobleme mit OpenSSL ***
---------------------------------------------
Das OpenSSL-Projekt hat eine Warnung bezüglich mehrerer sicherheitsrelevanter Schwachstellen veröffentlicht. Es besteht die Möglichkeit von Remote Code Execution, Denial Of Service und Man-in-the-middle Attacken. Diese können sowohl OpenSSL Clients als auch Server betreffen.
---------------------------------------------
http://cert.at/warnings/all/20140605.html
*** IBM Security Bulletin: Vulnerability which could allow for unauthorized access to an IBM API Management topology ***
---------------------------------------------
There is a vulnerability which could allow for unauthorized access to an IBM API Management topology, when a user secures APIs with basic authentication
CVE(s): CVE-2014-3036
Affected product(s) and affected version(s): IBM API Management V3.0.0.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** They're ba-ack: Browser-sniffing ghosts return to haunt Chrome, IE, Firefox ***
---------------------------------------------
Privacy threat that allows websites to know what sites youve viewed is revived.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/mZ97m15Wo_M/
*** Security-Experten isolierten über 2 Millionen Gameover-Bots ***
---------------------------------------------
Im Rahmen der Aktionen gegen das Botnetz Gameover Zeus musste ein riesige Peer-to-Peer-Netz ausgeschaltet werden. Über zwei Millionen infizierte Rechner mussten dazu manipuliert werden.
---------------------------------------------
http://www.heise.de/security/meldung/Security-Experten-isolierten-ueber-2-M…
*** Security Notice-Statement About the CSRF Vulnerability on Multiple Huawei 3G Wi-Fi Devices ***
---------------------------------------------
Huawei has noticed that several websites reported the CSRF vulnerability on Huawei E355, E5331, E303, B593 3G Mobile Wi-Fi Devices.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Webfwlog - Firewall Log Analyzer ***
---------------------------------------------
Webfwlog is a flexible web-based firewall log analyzer and reporting tool. It supports standard system logs for linux, FreeBSD, OpenBSD, NetBSD, Solaris, Irix, OS X, etc. as well as Windows XP. Supported log file formats are netfilter, ipfilter, ipfw, ipchains and Windows XP.
...
You can sort a report with a single click, 'drill-down' on the reports all the way to the packet level, and save your reports for later use.
---------------------------------------------
http://hack-tools.blackploit.com/2014/06/webfwlog-firewall-log-analyzer.html
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 03-06-2014 18:00 − Mittwoch 04-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** GameOver Zeus Takedown Shows Good Early Returns ***
---------------------------------------------
The effect of the takedown of the GameOver Zeus botnet this week has been immediate and significant. Researchers who track the activity of the peer-to-peer botnet's activity say that the volume of packets being sent out by infected machines has dropped to almost zero. On Friday, the FBI and Europol, ..
---------------------------------------------
http://threatpost.com/gameover-zeus-takedown-shows-good-early-returns/106429
*** Phishing Tale: An Analysis of an Email Phishing Scam ***
---------------------------------------------
Phishing scams are always bad news, and in light of the Google Drive scam that made the rounds again last week, we thought we'd tell the story of some spam that was delivered into my own inbox because even security researchers, ..
---------------------------------------------
http://blog.sucuri.net/2014/06/phishing-tale-an-analysis-of-an-email-phishi…
*** Making end-to-end encryption easier to use ***
---------------------------------------------
While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we're releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools. However, ..
---------------------------------------------
http://googleonlinesecurity.blogspot.co.at/2014/06/making-end-to-end-encryp…
*** The Best Of Both Worlds - Soraya ***
---------------------------------------------
Arbor Networks' ASERT has recently discovered a new malware family that combines several techniques to steal payment card information. Dubbed Soraya, meaning 'rich', this malware uses memory scraping techniques similar to those found in Dexter to target point-of-sale terminals. Soraya also intercepts form data sent from web browsers, similar to the Zeus family of malware. Neither of these two techniques are new, but we have not seen them used together in the same piece of malware.
---------------------------------------------
http://www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/
*** COPA-DATA Improper Input Validation ***
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-154-01
*** DSA-2945 chkrootkit ***
---------------------------------------------
http://www.debian.org/security/2014/dsa-2945
*** Adobe Acrobat / Reader XI-X AcroBroker Sandbox Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060030
*** FreeBSD PAM Policy Parser Remote Authentication Bypass ***
---------------------------------------------
http://www.securitytracker.com/id/1030330
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 02-06-2014 18:00 − Dienstag 03-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Energy Bill Spam Campaign Serves Up New Crypto Malware ***
---------------------------------------------
Everyone hates getting bills, and with each new one it seems like the amount due just keeps getting higher and higher. However, Symantec recently discovered an energy bill currently being ..
---------------------------------------------
http://www.symantec.com/connect/blogs/energy-bill-spam-campaign-serves-new-…
*** Writing robust Yara detection rules for Heartbleed ***
---------------------------------------------
This blog walks through the methodology and process of writing robust Yara rules to detect either Heartbleed vulnerable OpenSSL statically linked or shared libraries which omit version information. Although Yara is designed for pattern matching and typically used by malware researchers we'll show how we can also use it to detect vulnerable binaries.
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/06/writing-robust-yara-detection-rule…
*** Huawei-Router lassen sich aus dem Internet kapern ***
---------------------------------------------
Eine Reihe von Schwachstellen in zwei Mobilnetz-Routern von Huawei ermglichen es, die Geräte aus dem Internet zu kapern. Eine der Schwachstellen hatte Huawei schon einmal geschlossen - offensichtlich nicht gründlich genug.
---------------------------------------------
http://www.heise.de/security/meldung/Huawei-Router-lassen-sich-aus-dem-Inte…
*** TYPO3-EXT-SA-2014-009: Cross-Site Scripting in news ***
---------------------------------------------
It has been discovered that the extension "News system" (news) is susceptible to Cross-Site Scripting
---------------------------------------------
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-…
*** Vulnerabilities in All in One SEO Pack Wordpress Plugin Put Millions of Sites At Risk ***
---------------------------------------------
Multiple Serious vulnerabilities have been discovered in the most famous "All In One SEO Pack" plugin for WordPress, that put millions of Wordpress websites at risk.
---------------------------------------------
https://thehackernews.com/2014/05/vulnerabilities-in-all-in-one-seo-pack.ht…
*** (0Day) Rocket Servergraph Admin Center for TSM userRequest save_server_groups Command Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Rocket Servergraph Admin Center for Tivoli Storage Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the userRequest servlet. It is possible to inject arbitrary operating system commands when the servlet ..
---------------------------------------------
http://zerodayinitiative.com/advisories/ZDI-14-166/
*** Using nmap to scan for DDOS reflectors ***
---------------------------------------------
As we have seen in past diaries about reflective DDOS attacks they are certainly the flavor of the day. US-CERT claims there are several UDP based protocols that are potential attack vectors. In my experience the most prevalent ones are DNS, NTP, SNMP, and CharGEN. Assuming you have permission; Is there an easy way to do good data gathering for these ports on your network? Yes, as a matter of a fact it can be done in one simple nmap command.
---------------------------------------------
https://isc.sans.edu/diary/Using+nmap+to+scan+for+DDOS+reflectors/18193
*** dbus-glib pam_fprintd Local Root Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060009
*** DCMTK Privilege Escalation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060011
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 30-05-2014 18:00 − Montag 02-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Play Store ermöglicht Apps mehr Rechte ohne Nachfragen ***
---------------------------------------------
Der Play Store wird mal wieder renoviert, doch dabei sägt Google auch an tragenden Wänden. In der aktuellen Version werden App-Berechtigungen in Gruppen zusammengefasst, weshalb neue Rechte nicht immer genehmigt werden müssen.
---------------------------------------------
http://www.heise.de/security/meldung/Play-Store-ermoeglicht-Apps-mehr-Recht…
*** CVE-2014-2120 - A Tale of Cisco ASA 'Zero-Day' ***
---------------------------------------------
A few months ago I was trying to PoC a known cross-site scripting vulnerability in the Cisco ASA WebVPN portal (CVE-2013-3414) for inclusion in the TrustKeeper Scan Engine. I tried a number of different techniques on multiple different ASA versions/branches and I simply could not tease out a viable PoC. At my wits end, I ..
---------------------------------------------
http://blog.spiderlabs.com/2014/05/cve-2014-2120-a-tale-of-cisco-asa-0-day.…
*** FTP Zugangsdaten kompromittiert ***
---------------------------------------------
Wie Heise berichtet, hat das BSI/CERT-Bund viele Provider informiert, dass Zugangsdaten zu FTP-Accounts gefunden wurden.Das betraf nicht nur Deutschland; die gleiche Quelle hat auch andere CERTs und Sicherheitsteams informiert. Wir bekamen die gleichen Daten wie unsere deutschen Kollegen, ..
---------------------------------------------
http://www.cert.at/services/blog/20140530100952-1151.html
*** WordPress iMember360is 3.9.001 XSS Disclosure Code Execution ***
---------------------------------------------
WordPress iMember360is 3.9.001 XSS Disclosure Code Execution
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060001
*** Security: Heartbleed in WLAN-Routern gefunden ***
---------------------------------------------
Der Heartbleed-Fehler ist offenbar noch in zahlreichen WLAN-Routern vorhanden, genauer im Authentifizierungsprotokoll EAP. Das berichtet der Sicherheitsexperte Luis Grangeia.
---------------------------------------------
http://www.golem.de/news/security-heartbleed-in-wlan-routern-gefunden-1406-…
*** CVE-2014-3466 gnutls: insufficient session id length check in _gnutls_read_server_hello (GNUTLS-SA-2014-3) ***
---------------------------------------------
A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code.
---------------------------------------------
https://bugzilla.redhat.com/show_bug.cgi?id=1101932
*** DSA-2943-1 php5 -- security update ***
---------------------------------------------
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development ..
---------------------------------------------
https://www.debian.org/security/2014/dsa-2943
*** Huawei: SMS verschicken auf fremde Kosten ***
---------------------------------------------
Eine Sicherheitslücke in einem weit verbreiteten USB-UMTS-Stick ermöglicht es Angreifern, mit einer manipulierten Webseite SMS zu verschicken. Ein Update gibt es bisher nicht. (UMTS, Technologie)
---------------------------------------------
http://www.golem.de/news/huawei-sms-verschicken-auf-fremde-kosten-1406-1068…
*** 'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge ***
---------------------------------------------
The U.S. Justice Department is expected to announce today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, ..
---------------------------------------------
http://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-bo…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 29-05-2014 18:00 − Freitag 30-05-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Third-Party Auth Token Theft: The Big Picture ***
---------------------------------------------
Nothing sets the technical journalists abuzz like the prospect of a catastrophic, Internet-wide vulnerability. Fresh off the very legitimate excitement over Heartbleed, some media outlets were hoping for a new scoop with "Covert Redirections". Spoiler alert: there's no catastrophe. For those that haven't heard, this started with a paper and series of blog posts by Wang Jing. Wang describes an attack against websites that use third-party authentication services and are...
---------------------------------------------
http://blog.spiderlabs.com/2014/05/third-party_auth_token_theft_the_big_pic…
*** Ende von Truecrypt: Entwickler hat angeblich Interesse verloren ***
---------------------------------------------
Einer der Entwickler von Truecrypt hat sich angeblich zu Wort gemeldet und die Beweggründe für das plötzliche Aus erklärt: Man habe das Interesse verloren. Einer Weiterentwicklung durch die Community steht er demnach kritisch gegenüber.
---------------------------------------------
http://www.heise.de/security/meldung/Ende-von-Truecrypt-Entwickler-hat-ange…
*** Hintergrund: Truecrypt ist unsicher - und jetzt? ***
---------------------------------------------
Sollten wir jetzt wirklich alle auf Bitlocker umsteigen, wie es die Truecrypt-Entwickler vorschlagen? Einen echten Nachfolger wird es jedenfalls so bald nicht geben - und daran sind nicht zu letzt auch die Truecrypt-Entwickler schuld.
---------------------------------------------
http://www.heise.de/security/artikel/Truecrypt-ist-unsicher-und-jetzt-22114…
*** ThreadFix v2.1M1 Released ***
---------------------------------------------
ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. ThreadFix is licensed under the Mozilla Public License (MPL) version 2.0.
---------------------------------------------
http://www.toolswatch.org/2014/05/threadfix-v2-1m1-released/
*** New Attack Methods Can brick Systems, Defeat Secure Boot, Researchers Say ***
---------------------------------------------
IDG News Service - The Secure Boot security mechanism of the Unified Extensible Firmware Interface (UEFI) can be bypassed on around half of computers that have the feature enabled in order to install bootkits, according to a security researcher.
---------------------------------------------
http://www.cio.com/article/753439/New_Attack_Methods_Can_39_brick_39_System…
*** Thieves Planted Malware to Hack ATMs ***
---------------------------------------------
A recent ATM skimming attack in which thieves used a specialized device to physically insert malicious software into a cash machine may be a harbinger of more sophisticated scams to come.
---------------------------------------------
http://krebsonsecurity.com/2014/05/thieves-planted-malware-to-hack-atms/
*** Heartbleed-Bug: OpenSSL bekommt Security-Audit und zwei Festangestellte ***
---------------------------------------------
Die Linux-Foundation sammelt Geld für Kern-Infrastruktur wie OpenSSL und gibt nun erste Pläne bekannt. Beraten sollen das Projekt Linux-Kernel-Hacker und Bruce Schneier sowie Eben Moglen.
---------------------------------------------
http://www.golem.de/news/heartbleed-bug-openssl-bekommt-security-audit-und-…
*** When Networks Turn Hostile ***
---------------------------------------------
We've previously discussed how difficult it is to safely connect to networks when on the go. This is particularly true on vacations and holidays, where the availability of Internet access is one of the most important factors when looking for a place to stay. In fact, many holiday lodges and hotels today have made Wi-Fi access an...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/CL6K-SnbQJQ/
*** Triangle MicroWorks Uncontrolled Resource Consumption ***
---------------------------------------------
Adam Crain of Automatak and Chris Sistrunk of Mandiant have identified an uncontrolled resource consumption vulnerability in Triangle MicroWorks products and third-party components. Triangle MicroWorks has produced an update that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-149-01
*** Cogent Datahub Vulnerabilities ***
---------------------------------------------
Independent researcher Alain Homewood has identified four vulnerabilities in the Cogent Real-Time Systems DataHub application. Cogent Real-Time Systems has produced a new version that mitigates three of the four identified vulnerabilities; they have recommended a mitigation for the unresolved vulnerability. The researcher has tested the new version to validate that it resolves three of the four vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-149-02
*** VMSA-2014-0005 ***
---------------------------------------------
VMware Workstation, Player, Fusion, and ESXi patches address a guest privilege escalation
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0005.html
*** VMSA-2014-0002.3 ***
---------------------------------------------
VMware vSphere updates to third party libraries
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0002.html
*** ElasticSearch Dynamic Script Arbitrary Java Execution ***
---------------------------------------------
Topic: ElasticSearch Dynamic Script Arbitrary Java Execution Risk: High Text:## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-fr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050154
*** VU#325636: Huawei E303 contains a cross-site request forgery vulnerability ***
---------------------------------------------
Vulnerability Note VU#325636 Huawei E303 contains a cross-site request forgery vulnerability Original Release date: 30 May 2014 | Last revised: 30 May 2014 Overview The built-in web interface of Huawei E303 devices contains a cross-site request forgery vulnerability. Description Huawei E303 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to send and receive SMS messages using the connected cellular network. CWE-352:
---------------------------------------------
http://www.kb.cert.org/vuls/id/325636
*** VU#124908: Dell ML6000 and Quantum Scalar i500 tape backup system command injection vulnerability ***
---------------------------------------------
Vulnerability Note VU#124908 Dell ML6000 and Quantum Scalar i500 tape backup system command injection vulnerability Original Release date: 30 May 2014 | Last revised: 30 May 2014 Overview Dell ML6000 and Quantum Scalar i500 tape backup system contain a command injection vulnerability. Description CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)Dells and Quantums advisories state the following:The tape librarys remote user interface...
---------------------------------------------
http://www.kb.cert.org/vuls/id/124908
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 27-05-2014 18:00 − Mittwoch 28-05-2014 18:00
Handler: Christian Wojner
Co-Handler: Stephan Richter
*** Spam Campaign Spreading Malware Disguised as HeartBleed Bug Virus Removal Tool ***
---------------------------------------------
At the beginning of April, a vulnerability in the OpenSSL cryptography library, also known as the Heartbleed bug, made headlines around the world.read more
---------------------------------------------
http://www.symantec.com/connect/blogs/spam-campaign-spreading-malware-disgu…
*** [2014-05-28] Root Backdoor & Unauthenticated access to voice recordings in NICE Recording eXpress ***
---------------------------------------------
Attackers are able to completely compromise the voice recording / surveillance solution "NICE Recording eXpress" as they can gain access to the system and database level and listen to recorded calls without prior authentication or exploit a root backdoor account.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Apple Ransomware Targeting iCloud Users Hits Australia ***
---------------------------------------------
A handful of iPhone, iPad and Mac users, largely confined to Australia, awoke Tuesday to discover their devices had been taken hostage by ransomware.
---------------------------------------------
http://threatpost.com/apple-ransomware-targeting-icloud-users-hits-australi…
*** iPhone-"Entführung" per Fernzugriff: Apple betont, dass iCloud sicher ist ***
---------------------------------------------
In einem Statement heißt es, die derzeit in Australien die Runde machenden Erpressungsversuche, bei denen Angreifer Apple-Hardware aus der Ferne sperren, hätten nichts mit Sicherheitsproblemen in der iCloud zu tun. Schlechte Passwörter seien schuld.
---------------------------------------------
http://www.heise.de/security/meldung/iPhone-Entfuehrung-per-Fernzugriff-App…
*** Bugtraq: LSE Leading Security Experts GmbH - LSE-2014-05-21 - Check_MK - Arbitrary File Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532224
*** Kali-Linux: Pentesting-Stick mit Verschlüsselung und Notfallknopf ***
---------------------------------------------
Wer Kali Linux auf einen USB-Stick installiert, kann die Datenpartition mit Version 1.0.7 endlich verschlüsseln. Das schützt brisante Daten vor neugierigen Blicken. Darüber hinaus gibt es einen Selbstzerstörungs-Mechanismus.
---------------------------------------------
http://www.heise.de/security/meldung/Kali-Linux-Pentesting-Stick-mit-Versch…
Next End-of-Shift report on 2015-05-30
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 26-05-2014 18:00 − Dienstag 27-05-2014 18:00
Handler: Christian Wojner
Co-Handler: Stephan Richter
*** Mac OS X: VirusTotal veröffentlicht Uploader ***
---------------------------------------------
Der von Google aufgekaufte Viren-Scan-Dienst hat ein Tool veröffentlicht, mit dem Mac-Nutzer suspekte Dateien und Programme zur Prüfung hochladen können. VirusTotal erhofft sich tieferen Einblick in OS-X-Schadsoftware.
---------------------------------------------
http://www.heise.de/security/meldung/Mac-OS-X-VirusTotal-veroeffentlicht-Up…
*** Malicious Redirections to Porn Websites ***
---------------------------------------------
The past week has brought about a large number of cases where compromised websites had hidden redirections to porn injected into their code. All the infections had a similar pattern where they only targeted mobile devices. They are highly conditional as well making it challenging for webmasters to detect. Lets take a minute to explain...
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/aMQhA3--dfg/website-infection…
*** Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass ***
---------------------------------------------
Accounts accessed from Wi-Fi hotspots and other unsecured networks are wide open.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/yKbonlXYDrk/
*** Youve got Mail! But someone else is reading it in Outlook for Android ***
---------------------------------------------
Researchers say Redmond forgot to encrypt messages stored on Android SD cards Researchers have plucked privacy holes in Microsofts Outlook Android app that expose user data when user security setting screws were not tightened.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/05/27/prying_priv…
*** Mt. Gox: Bitcoin-Preise angeblich durch Bots manipuliert ***
---------------------------------------------
Neue Spekulation um die insolvente Bitcoin-Börse Mt. Gox: Laut einer Analyse sollen Bots die Preise an der Börse getrieben und mindestens rund 570.000 Bitcoins aufgekauft haben.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mt-Gox-Bitcoin-Preise-angeblich-durc…
*** Fernwartungsfunktion: Onlineganoven entführen Macs und iPhones ***
---------------------------------------------
Mit "Find My iPhone" und "Find My Mac" können Nutzer geklaute Hardware über ihre Apple ID sperren. Gerät diese in falsche Hände, können das aber auch Erpresser. In Australien sollen solche "Entführungen" gerade öfter vorkommen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Fernwartungsfunktion-Onlineganoven-e…
*** cPanel cgiemail Character Injection Flaw Lets Remote Users Send SPAM via the System ***
---------------------------------------------
A remote user can inject newline characters via certain parameters to modify email fields and send SPAM to arbitrary destination addresses via cgiemail.
---------------------------------------------
http://www.securitytracker.com/id/1030287
*** Avast-Forum fällt Hackerangriff zum Opfer ***
---------------------------------------------
Unbekannten gelang es, Nutzernamen, E-Mail-Adressen und verschlüsselte Passwörter von 350.000 Nutzern zu kopieren. Der Firmenchef des Antivirenherstellers hält es für möglich, dass die Hacker an Klartext-Passwörter kommen.
---------------------------------------------
http://www.heise.de/security/meldung/Avast-Forum-faellt-Hackerangriff-zum-O…
*** Multiple Vulnerabilities in TYPO3 CMS ***
---------------------------------------------
It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing.
---------------------------------------------
http://typo3.org/news/article/multiple-vulnerabilities-in-typo3-cms-1/
*** Amazons AWS bietet Verschlüsselung auf Blockebene ***
---------------------------------------------
Nutzer von Amazons Cloud-Angeboten können ihre auf virtuellen Laufwerken gespeicherten Daten verschlüsseln.
---------------------------------------------
http://www.heise.de/security/meldung/Amazons-AWS-bietet-Verschluesselung-au…
*** Top 10 Windows Server Security Misconfigurations ***
---------------------------------------------
Introduction According to Wikipedia, 32.6% of servers on the Internet are running Microsoft Windows. The purpose of this article is to create awareness among system administrators and managers about some of the areas on which it is important to focus when implementing a new Windows build or when hardening the security of an existing server. The Survey One of the activities of the @NCCGroupInfosec team is to perform build reviews on clients' systems, looking for any misconfigurations that...
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/05/top-10-windows-server-security-mis…
*** Zeus-Carberp Hybrid Trojan Pops Up ***
---------------------------------------------
Researchers have discovered a new hybrid Trojan that combines elements of two of the more notorious crimeware strains of the last few years: Zeus and Carberp. It's not uncommon for malware writers to steal bits and pieces of code from one another, but both Zeus and Carberp were once exclusively private tools, but the source...
---------------------------------------------
http://threatpost.com/zeus-carberp-hybrid-trojan-pops-up/106283