=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 25-10-2013 18:00 − Montag 28-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Email contains phishing scam, not iPhone 5S ***
---------------------------------------------
A new phishing email circulating the globe is preying on Apple fans who cant wait to get their hands on the coming iPhone 5S and iPhone 5c devices.
---------------------------------------------
http://www.scmagazine.com/email-contains-phishing-scam-not-iphone-5s/articl…
*** Blog: Cryptolocker Wants Your Money! ***
---------------------------------------------
A new ransomware Trojan is on the loose. The attackers give you roughly three days to pay them, otherwise your data is gone forever.
---------------------------------------------
http://www.securelist.com/en/blog/208214109/Cryptolocker_Wants_Your_Money
*** Blog-Software Wordpress 3.7 aktualisiert sich selbst ***
---------------------------------------------
In der neuen Version 3.7 hält sich die Blog-Software Wordpress selbst aktuell: Sicherheitsupdates werden künftig im Hintergrund automatisch eingespielt, wenn die Konfiguration das zulässt. Weitere Neuerungen dienen ebenfalls vorrangig der Sicherheit.
---------------------------------------------
http://www.heise.de/security/meldung/Blog-Software-Wordpress-3-7-aktualisie…
*** Periodic Connections to Control Server Offer New Way to Detect Botnets ***
---------------------------------------------
A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters.
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-…
*** Improving Hadoop Security with Host Intrusion Detection (Part 2) ***
---------------------------------------------
This is a continuation of our previous post on Hadoop security. As we mentioned in our earlier post, we can use OSSEC to monitor for the file integrity of these existing Hadoop and HBase systems. OSSEC creates logs which a system administrator can use to check for various system events. It´s worth noting that big data systems ...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/improving-hadoop…
*** Active Perl/Shellbot Trojan ***
---------------------------------------------
ISC received a submission from Zach of a Perl/Shellbot.B trojan served by fallencrafts[.]info/download/himad.png. The trojan has limited detection on Virustotal and the script contains a 'hostauth' of sosick[.]net[3] and the IRC server where the compromised systems are connecting to is located at 89.248.172.144. What we have so far, it appears it is exploiting older version of Plesk.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16907&rss
*** LinkedIn kann Mails mitlesen ***
---------------------------------------------
Die kürzlich eingeführte Intro-Technik für iOS bringt dem Berufsnetzwerk Kritik ein: Sie sei ein Traum für Angreifer und Sicherheitsdienste. Die Firma verteidigt sich: Alles sei sicher und man respektiere die Privatsphäre der Nutzer.
---------------------------------------------
http://www.heise.de/security/meldung/LinkedIn-kann-Mails-mitlesen-2034490.h…
*** Einbruch bei Buffer ***
---------------------------------------------
Der Social-Media-Dienst wurde gestern gehackt. Laut Unternehmensblog sollen weder Passwörter noch Kreditkarteninformationen abhanden gekommen sein.
---------------------------------------------
http://www.heise.de/security/meldung/Einbruch-bei-Buffer-2034519.html
*** Storewize: IBM warnt vor Sicherheitslücke in Storage-Systemen ***
---------------------------------------------
In den SAN-Controllern der Serie Storewize von IBM steckt eine Lücke, mit der ein Angreifer die Konfiguration ändern und auch Daten löschen kann. Abhilfe schafft ein Firmware-Update, das schon bereitsteht. (IBM, Netzwerk)
---------------------------------------------
http://www.golem.de/news/storewize-ibm-warnt-vor-sicherheitsluecke-in-stora…
*** End User Devices Security and Configuration Guidance ***
---------------------------------------------
UK Gov Configuration guidance for the following platforms:
End User Devices Security Guidance: Windows Phone 8
End User Devices Security Guidance: Android 4.2
End User Devices Security Guidance: Windows 7 and Windows 8
End User Devices Security Guidance: Ubuntu 12.04
End User Devices Security Guidance: Windows 8 RT
...
---------------------------------------------
https://www.gov.uk/government/collections/end-user-devices-security-guidanc…
*** Bypassing security scanners by changing the system language ***
---------------------------------------------
Luiz Eduardo and Joaquim Espinhara´s found that the majority of pentesting tools analyze specific problems in web applications - such as SQL injection - via the return messages that are provided by the application, and not by the error code that is reported by the database management system. So, what would happen if the setup language was not English, but Chinese or Portuguese? As their research showed, if the target SQL server doesnt use English by default, the scanners wont be able to
---------------------------------------------
http://www.net-security.org/secworld.php?id=15832
*** Cisco Identity Services Engine contains an input validation vulnerability ***
---------------------------------------------
Vulnerability Note VU#952422 Cisco Identity Services Engine contains an input validation vulnerability Original Release date: 28 Oct 2013 | Last revised: 28 Oct 2013 Overview Cisco Identity Services Engine contains an input validation vulnerability (CWE-20). Description CWE-20: Improper Input ValidationCisco Identity Services Engine (ISE) contains an input validation vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/952422
*** I challenged hackers to investigate me and what they found out is chilling ***
---------------------------------------------
It´s my first class of the semester at New York University. I´m discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message.
---------------------------------------------
http://pandodaily.com/2013/10/26/i-challenged-hackers-to-investigate-me-and…
*** Spam-Versender. Schauen Sie doch mal bitte in Ihren Junk-Ordner ***
---------------------------------------------
Werbefilter funktionieren inzwischen ziemlich zuverlässig. Das wissen auch die Spam-Versender. Deshalb schicken sie noch eine zweite Nachricht hinterher.
---------------------------------------------
http://www.heise.de/security/meldung/Spam-Versender-Schauen-Sie-doch-mal-bi…
*** Scan Shows 65% of ReadyNAS Boxes on Web Vulnerable to Critical Bug ***
---------------------------------------------
It´s been known for some time now several months, in fact that there is a critical, remotely exploitable vulnerability in some of Netgear´s ReadyNAS storage boxes, and a patch has been available since July. However, many of the boxes exposed to the Web are still vulnerable, and a recent scan by HD Moore of Rapid7 found that ...
---------------------------------------------
http://threatpost.com/scan-shows-65-of-readynas-boxes-on-web-vulnerable-to-…
*** Vuln: Cisco Catalyst 3750 Series Switches Default Credentials Security Bypass Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/63342
*** Bugtraq: Multiple CSRF Horde Groupware Web mail Edition 5.1.2 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529466
*** Bugtraq: DD-WRT v24-sp2 Command Injection ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529463
*** Apache Struts2 showcase multiple XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100185
*** DSA-2787 roundcube ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2787
*** Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection Exploit. ***
---------------------------------------------
http://www.exploit-db.com/exploits/29023
*** GnuPG Side-Channel Attack Lets Local Users Recover RSA Secret Keys ***
---------------------------------------------
http://www.securitytracker.com/id/1029242
*** DSA-2785 chromium-browser ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2785
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 24-10-2013 18:00 − Freitag 25-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Periodic Links to Control Server Offer New Way to Detect Botnets ***
---------------------------------------------
A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters. The following pie […]
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-…
*** DDoS mitigation firm notes dramatic increase in reflection attack style ***
---------------------------------------------
Between Q3 2012 and Q3 2013, distributed reflection denial-of-service (DrDoS) attacks increased 265 percent, a global attack report found.
---------------------------------------------
http://www.scmagazine.com/ddos-mitigation-firm-notes-dramatic-increase-in-r…
*** LinkedIn Intro App Equivalent to Man in the Middle Attack, Experts Say ***
---------------------------------------------
LinkedIn’s release of its Intro app yesterday for Apple iOS mobile devices raised more than a few eyebrows for behaviors that are tantamount to a man-in-the-middle attack, experts said.
---------------------------------------------
http://threatpost.com/linkedin-intro-app-equivalent-to-man-in-the-middle-at…
*** Evasive Tactics: Terminator RAT ***
---------------------------------------------
FireEye Labs has been tracking a variety of APT threat actors that have been slightly changing their tools, techniques and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Aumlib, the malware used in the attack...
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tact…
*** Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot ***
---------------------------------------------
Thanks to the growing adoption of mobile banking, in combination with the utilization of mobile devices to conduct financial transactions, opportunistic cybercriminals are quickly capitalizing on this emerging market segment. Made evident by the release of Android/BlackBerry compatible mobile malware bots. This site is empowering potential cybercriminals with the necessary ‘know-how’ when it comes to ‘cashing out’ compromised accounts of E-banking victims who have...
---------------------------------------------
http://www.webroot.com/blog/2013/10/25/cybercriminals-release-new-commercia…
*** OSX/Leverage.a Analysis ***
---------------------------------------------
A few days ago, a new OSX malware was detected in the wild. It looks like a picture and behaves like it when you click on it. Everything looks fine when the clicked picture is opened on the screen, but the malware also performs some other actions. After the first look, we saw that the malware copies itself to /Users/Shared/UserEvent.app with the ditto command, and creates a LaunchAgent to load itself when the computer starts with these shell commands: mkdir ~/Library/LaunchAgents echo
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis
*** PHP.net zur Verbreitung von Malware missbraucht ***
---------------------------------------------
Entgegen früherer Aussagen der Administratoren wurde die Projektseite von PHP doch Opfer eines Hackerangriffs. Zwei Server wurden gekapert und zur Verteilung von Schadcode eingesetzt.
---------------------------------------------
http://www.heise.de/security/meldung/PHP-net-zur-Verbreitung-von-Malware-mi…
*** ProSoft Technology RadioLinx ControlScape PRNG Vulnerability ***
---------------------------------------------
RadioLinx ControlScape is prone to a predictable random number generator weakness. Attackers can leverage this weakness to aid in brute-force attacks. Other attacks are also possible.
---------------------------------------------
http://www.securityfocus.com/bid/62238/http://ics-cert.us-cert.gov/advisories/ICSA-13-248-01
*** Vuln: OpenStack Keystone Tokens Validation CVE-2013-4222 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/61725
*** Vuln: OpenStack Nova CVE-2013-4261 Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62200
*** Vuln: OpenStack Nova CVE-2013-4278 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62016
*** CA SiteMinder Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029237
*** libvirt API Access Control Flaw Lets Remote Authenticated Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029241
*** Vuln: GnuTLS CVE-2013-4466 libdane/dane.c Remote Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63326
*** Vuln: VICIDIAL manager_send.php CVE-2013-4468 Command Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63288
*** Security Bulletin: Tivoli Netcool/OMNIbus Web GUI - IBM WebSphere Application Server PM44303 security bypass (CVE-2012-3325) and Hash denial of service (CVE-2011-4858) ***
---------------------------------------------
CVE-2012-3325: After installing an Interim Fix for PM44303 or a Fix Pack containing PM44303, there is a potential security exposure with IBM WebSphere Application Server. CVE-2011-4858: Potential Denial of Service (DoS) security exposure when using web-based applications due to Java HashTable implementation vulnerability.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_tiv…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 23-10-2013 18:00 − Donnerstag 24-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Neutrino: Caught in the Act ***
---------------------------------------------
Last week, we got a tip from Kafeine about hacked sites serving injected iframes leading to an exploit kit. We thought it was quite interesting so we looked at one of the infected websites and found this sneaky piece of code: The deobfuscated code shows the location from where the...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002626.html
*** Neue und alte Router-Lücken bei Netgear, Tenda und DrayTek ***
---------------------------------------------
Sicherheitsexperten haben eine Hintertür in Routern der WNDR-Reihe von Netgear gefunden, die ohne Passwort-Abfrage vollen Zugrif auf das Gerät erlaubt. Bei Modellen der Firmen Tenda und DrayTek kann man Schadcode ausführen, ohne sich einloggen zu müssen.
---------------------------------------------
http://www.heise.de/security/meldung/Neue-und-alte-Router-Luecken-bei-Netge…
*** Industrial software flaw could allow manipulation of energy processes ***
---------------------------------------------
The vulnerability lies in industrial automation software that uses a weak encryption algorithm for user authentication, researchers at IOActive found.
---------------------------------------------
http://www.scmagazine.com/industrial-software-flaw-could-allow-manipulation…
*** Bugtraq: ESA-2013-067: RSA® Authentication Agent for Web for Internet Information Services (IIS) Security Controls Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529394
*** Bugtraq: RPS/APS vulnerability in snom/yealink and others ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529397
*** Security Bulletin: IBM Flex System Manger expired USERID password vulnerability (CVE-2013-5424) ***
---------------------------------------------
Security Bulletin: IBM Flex System Manger expired USERID password vulnerability (CVE-2013-5424) Affected product(s) and affected version(s): IBM Flex System Manager Node, Types 7955, 8731, 8734 all models, Version 1.3.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Cisco IOS XR Software Route Processor Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in Cisco Identity Services Engine ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Secure ACS Distributed Deployment Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Vuln: Multiple Cisco Appliances CVE-2013-5537 Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63280
*** Vuln: Joomla! Maian15 Component name Parameter Arbitrary Shell Upload Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63287
*** Vuln: Drupal Spaces Module Access Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63305
*** WordPress Blue Wrench Video Widget Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55456
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 21-10-2013 18:00 − Dienstag 22-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Fake Dropbox Password Reset Spam Leads to Malware ***
---------------------------------------------
A new spam campaign has been circulating over the last few weeks in hopes of duping users of the popular cloud storage service Dropbox. The e-mails purport to come from the service but instead lead those who click through to a malware landing page.
---------------------------------------------
http://threatpost.com/fake-dropbox-password-reset-spam-leads-to-malware/102…
*** New DIY compromised hosts/proxies syndicating tool spotted in the wild ***
---------------------------------------------
Compromised, hacked hosts and PCs are a commodity in underground markets today. More cybercriminals are populating the market segment with services tailored to fellow cybercriminals looking for access to freshly compromised PCs to be later abused in a variety of fraudulent/malicious ways, all the while taking advantage of their clean IP reputation. Naturally, once the commoditization took place, cybercriminals quickly realized that the supply of such hosts also shaped several different market...
---------------------------------------------
http://www.webroot.com/blog/2013/10/21/new-diy-compromised-hostsproxies-syn…
*** Cryptolocker Update, Request for Info, (Tue, Oct 22nd) ***
---------------------------------------------
It was briefly mentioned in a previous posting, but the Cryptolocker ransomware is still going strong. In essence, post infection is encrypts all of your "document" files based on file extension and then gives the user 72 hours to pay the ransom ($300 USD or 2 BTC). It is one f the few pieces of ransomware that does encryption right so at present, short of paying the ransom, there is no other means to decrypt. Bleeping Computer has a good write up, but below are the TL;DR highlights.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16871&rss
*** Touch ID: Biometrics Dont Make For Good Passwords ***
---------------------------------------------
Theres an Apple event scheduled for tomorrow which will showcase this years iPad lineup. Among the more credible rumors is that at least one version of the iPad will include Apples Touch ID, its fingerprint identity sensor.And so it seems somewhat inevitable that all of our "smart" devices will soon include fingerprint readers.That being the case, we strongly recommend the following by @dustinkirkland: • Fingerprints are Usernames, not PasswordsWe welcome intelligent use of
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002624.html
*** Defending Against Crypto Backdoors ***
---------------------------------------------
We already know the NSA wants to eavesdrop on the Internet. It has secret agreements with telcos to get direct access to bulk Internet traffic. It has massive systems like TUMULT, TURMOIL, and TURBULENCE to sift through it all. And it can identify ciphertext -- encrypted information -- and figure out which programs could have created it. But what the...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/10/defending_again_1.html
*** Security Bulletins: Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 6.2.
---------------------------------------------
http://support.citrix.com/article/CTX139295
*** Vuln: 7T Interactive Graphical SCADA System Multiple Security Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/46936
*** WordPress Portable phpMyAdmin Plugin Security Bypass Security Issue ***
---------------------------------------------
https://secunia.com/advisories/55270
*** WatchGuard Extensible Threat Management and System Manager Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55388
*** Vuln: D-Link DIR-605L CAPTCHA Data Stack Based Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/56330
*** Bugtraq: [CVE-2013-2751, CVE-2013-2752] NETGEAR ReadyNAS Remote Root ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529364
*** Cisco ASA VPN Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the VPN authentication code that handles parsing of the username from the certificate on the Cisco ASA firewall could allow an unauthenticated, remote attacker to cause a reload of the affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Security Bulletin: IBM SONAS fix available for Cross Frame Scripting vulnerability via Graphical User Interface (CVE-2013-5376) ***
---------------------------------------------
An issue in IBM SONAS allows remote attackers to access the system as an authorized administrative user.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM SONAS Fix Available for SONAS Cross Protocol Vulnerability (CVE-2013-0500) ***
---------------------------------------------
IBM SONAS includes a flaw in the handling of special files created by an NFS client resulting in a vulnerability reported against IBM SONAS. ---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** IBM WebSphere Message Broker and IBM Integration Bus Security Vulnerability: XML4J denial of service attack (CVE-2013-5372) ***
---------------------------------------------
XML4J is vulnerable to a denial of service attack triggered by a specially crafted XML document
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21653087
*** IBM Domino / iNotes Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55405https://secunia.com/advisories/55409
*** IBM WebSphere DataPower XC10 Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55402
*** F5 BIG-IP Traffic Management Microkernel Component Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029220
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 18-10-2013 18:00 − Montag 21-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Card Data Siphon with Google Analytics ***
---------------------------------------------
The introduction of EMV (Chip & Pin) payment devices in 2003 resulted in a rapid decline in physical credit card cloning in Europe. EMV technology has also led to an increase in attacks on e-commerce systems targeting cardholder data. Each year, Trustwave SpiderLabs investigates hundreds of incidents of data compromise. I work on some of these investigations and occasionally get to evaluate some rather unusual attack vectors. This blog post details a novel data extraction technique using...
---------------------------------------------
http://blog.spiderlabs.com/2013/10/card-data-siphon-with-google-analytics.h…
*** New tricks that may bring DNS spoofing back or: "Why you should enable DNSSEC even if it is a pain to do", (Mon, Oct 21st) ***
---------------------------------------------
Recently, two papers independently outlined new attacks against DNS, undermining some of the security features protecting us from DNS spoofing. As Dan Kaminsky showed [1], 16 bit query IDs are an insufficient protection against DNS spoofing. As a result, DNS servers started to randomize the source port of DNS queries in order to make DNS spoofing harder. This was never meant to "fix" DNS spoofing, but worked well enough for DNSSEC to be pushed back yet again. Overall, to
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16859&rss
*** Darkleech in Europe, Middle East and Africa ***
---------------------------------------------
In a previous blog post, we discussed how Darkleech-related malware wound up on a FireEye partner’s website. We followed up with a post detailing a major wave of Darkleech activity linked to a major global malvertising campaign. In this post,...
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/10/darkleech-in-europe-middle-ea…
*** Threatpost News Wrap, October 18, 2013 ***
---------------------------------------------
Dennis Fisher and Mike Mimoso discuss the big stories of the last couple of weeks, including the grassroots effort to audit the TrueCrypt source code, the Apple iMessage security model and Yahoo enabling SSL by default.
---------------------------------------------
http://threatpost.com/threatpost-news-wrap-october-18-2013/102624
*** Bugtraq: OWASP Vulnerable Web Applications Directory Project ***
---------------------------------------------
The OWASP Vulnerable Web Applications Directory (VWAD) Project is a
comprehensive and well maintained registry of all known vulnerable web
applications currently available. These vulnerable web applications
can be used by web developers, security auditors and penetration
testers to put in practice their knowledge and skills during training...
---------------------------------------------
http://www.securityfocus.com/archive/1/529293
*** DNP3 Implementation Vulnerability ***
---------------------------------------------
OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk reported an improper input validation vulnerability to NCCIC/ICS-CERT that was evident in numerous slave and/or master station software products. The researchers emphasize that the vulnerability is not with the DNP3 stack but with the implementation.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-291-01
*** Yet Another WHMCS SQL Injection Exploit, (Sat, Oct 19th) ***
---------------------------------------------
WHMCS, a popular billing/support/customer management system, is still suffering from critical SQL injection issues. Today, yet another vulnerability, including exploit was released...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16853&rss
*** Vuln: WordPress Quick Paypal Payments Plugin Multiple HTML Injection Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/63213
*** Wordpress WooCommerce Plugin 2.0.17 Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100127
*** Wordpress spreadsheet Plugin Cross site scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100130
*** Cisco Unified Computing System Bugs Let Remote Users Conduct Man-in-the-Middle Attacks and Obtain Information and Let Local Users View Files ***
---------------------------------------------
http://www.securitytracker.com/id/1029209
*** Vuln: OpenLDAP rwm_conn_destroy Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63190
*** IBM WebSphere Partner Gateway Java Spoofing and Denial of Service Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55406
*** Vulnerability Note VU#303900 - SAP Sybase Adaptive Server Enterprise vulnerable to XML injection ***
---------------------------------------------
SAP Sybase Adaptive Server Enterprise Version 15.7 ESD 2 and possibly earlier versions contains an XML injection vulnerability (CWE-91).
---------------------------------------------
http://www.kb.cert.org/vuls/id/303900
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 17-10-2013 18:00 − Freitag 18-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** You´re infected - if you want to see your data again, pay us $300 in Bitcoins ***
---------------------------------------------
Ransomware comes of age with unbreakable crypto, anonymous payments.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/VLDxuwIP36Q/story01…
*** DNS-Experten diskutieren Risiken neuer Angriffsszenarien ***
---------------------------------------------
Forscher beschreiben Angriffsszenarien auf das Domain Name System, bei dem die Fragmentierung von IP-Paketen ausgenutzt wird.
---------------------------------------------
http://www.heise.de/security/meldung/DNS-Experten-diskutieren-Risiken-neuer…
*** Kankan - eine chinesische Trojaner-Geschichte ***
---------------------------------------------
Die Analysten von Eset haben eine mysteriöse Geschichte über einen Trojaner zusammengetragen, der vor allem in China Verbreitung fand. Die Bestandteile: infizierte PCs und Smartphones, ein reumütiger Software-Hersteller und mehrere offene Rätsel.
---------------------------------------------
http://www.heise.de/security/meldung/Kankan-eine-chinesische-Trojaner-Gesch…
*** Got a mobile phone? Then youve got a Trojan problem too ***
---------------------------------------------
This time it´s personal Something wonderful has happened: phones have got smart, but the bad news is they may open the door to those you don´t want to let in.
---------------------------------------------
http://www.theregister.co.uk/2013/10/18/feature_mobile_security_malware/
*** VMware Release Multiple Security Updates ***
---------------------------------------------
VMware released the following security updates. The first one is VMSA-2013-0012 which address multiple vulnerabilities in vCenter Server, vSphere Update Manager, ESXi and ESX. The second is VMSA-2013-0006.1 which address multiple vulnerabilities in vCenter Server Appliances and vCenter Server running on Windows. The last is VMSA-2013-0009.1 which address multiple vulnerabilities in vCenter Server, ESX and ESXi that updates third party libraries.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16847&rss
*** Fiendish CryptoLocker ransomware: Whatever you do, dont PAY ***
---------------------------------------------
Create remote backups before infection, advise infosec bods Vid A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds.
---------------------------------------------
http://www.theregister.co.uk/2013/10/18/cryptolocker_ransmware/
*** Sybase Adaptive Server Enterprise XML injection ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/88105
*** cPanel CloudFlare Plugin Unspecified Privilege Escalation Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55273
*** osCommerce Flaws Permit Cross-Site Scripting and Cross-Site Request Forgery Attacks to Create New Admin Accounts ***
---------------------------------------------
http://www.securitytracker.com/id/1029189
*** Level One Enterprise Access Points Password Disclosure ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100123
*** Bugtraq: CSRF vulnerability in LinkedIn ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529270
*** Summary for October 2013 - Version: 1.1 ***
---------------------------------------------
http://technet.microsoft.com/en-za/security/bulletin/ms13-oct
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 16-10-2013 18:00 − Donnerstag 17-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Bug Hunters Find 25 ICS, SCADA Vulnerabilities ***
---------------------------------------------
A trio of researchers have uncovered 25 security vulnerabilities in various supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols.
---------------------------------------------
http://threatpost.com/bug-hunters-find-25-ics-scada-vulnerabilities/102599
*** Researchers uncover holes that open power stations to hacking ***
---------------------------------------------
Hacks could cause power outages and dont need physical access to substations.
---------------------------------------------
http://arstechnica.com/security/2013/10/researchers-uncover-holes-that-open…
*** Raising awareness quickly: A look at basic password hygiene ***
---------------------------------------------
Rapid7s tips for strengthing your first line of defense
---------------------------------------------
http://www.csoonline.com/article/741540/raising-awareness-quickly-a-look-at…
*** Mass iFrame injection campaign leads to Adobe Flash exploits ***
---------------------------------------------
We´ve intercepted an ongoing malicious campaign, relying on injected/embedded iFrames at Web sites acting as intermediaries for a successful client-side exploits to take place. Let´s dissect the campaign, expose the malicious domains portfolio/infrastructure it relies on, as well as directly connect it with historical malicious activity, in this particular case, a social engineering campaign pushing fake browser updates.
---------------------------------------------
http://www.webroot.com/blog/2013/10/17/mass-iframe-injection-campaign-leads…
*** Top 20 Free Digital Forensic Investigation Tools for SysAdmins ***
---------------------------------------------
Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it´s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics.
---------------------------------------------
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-fo…
*** Hintergrund: Standardpasswörter kein Sicherheitsrisiko? ***
---------------------------------------------
Das ICS-CERT, zuständig für kritische Infrastruktur wie Staudämme und Atomkraftwerke, sagt Standardpasswörter stellen kein Sicherheitsrisiko dar solange sie gut dokumentiert und änderbar sind. Ist das wirklich so?
---------------------------------------------
http://www.heise.de/security/artikel/Standardpasswoerter-kein-Sicherheitsri…
*** Apple iMessage Open to Man in the Middle, Spoofing Attacks ***
---------------------------------------------
The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users´ text messages or decrypt them and hand them over at the order of a government agency.
---------------------------------------------
http://threatpost.com/apple-imessage-open-to-man-in-the-middle-spoofing-att…
*** IBM Storwize V7000 Unified Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55247
*** Bugtraq: PayPal Inc Bug Bounty #61 - Persistent Mail Encoding Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529250
*** Puppet Enterprise Dashboard Report YAML Handling Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55362
*** Drupal Context Mulitple Vulnerabilities ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100111
*** Drupal Simplenews Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100112
*** Vuln: Cisco Identity Services Engine CVE-2013-5539 Arbitrary File Upload Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63031
*** Bugtraq: Security Advisory for Bugzilla 4.4.1, 4.2.7 and 4.0.11 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529262
*** Panda Security for Business Pagent.exe code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/88091
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 15-10-2013 18:00 − Mittwoch 16-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** ORACLE Critical Patch Update - October 2013 ***
---------------------------------------------
Critical Patch Update - October 2013
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
** Follow-up **
*** Critical Java Update Plugs 51 Security Holes ***
---------------------------------------------
Oracle has released a critical security update that fixes at least 51 security vulnerabilities in its Java software. Patches are available for Linux, Mac OS X, Solaris and Windows versions of the software.
---------------------------------------------
http://krebsonsecurity.com/2013/10/java-update-plugs-51-security-holes/
*** Android-Verschlüsselung wurde verschlimbessert ***
---------------------------------------------
Android bevorzugt offenbar seit einigen Jahren für Internet-Verbindungen Verschlüsselungsverfahren, die eigentlich als geknackt gelten. Die Motivation dahinter ist unklar.
---------------------------------------------
http://www.heise.de/security/meldung/Android-Verschluesselung-wurde-verschl…
*** Google Fixes Three High-Risk Flaws in Chrome ***
---------------------------------------------
There is a trio of high-risk security vulnerabilities in Google Chrome that have been patched in a new version of the browser released on Tuesday. The vulnerabilities all are use-after-free bugs, and Google paid a total of $5,000 in rewards to researchers who discovered and reported them.
---------------------------------------------
http://threatpost.com/google-fixes-three-high-risk-flaws-in-chrome/102586
*** Registrar in Metasploit DNS Hijacking Not Duped by Fax ***
---------------------------------------------
Rapid7 said today that an employee at its registrar, Register.com, was duped out of their credentials leading to a DNS hijacking attack against the Rapid7 and Metasploit websites.
---------------------------------------------
http://threatpost.com/registrar-in-metasploit-dns-hijacking-not-duped-by-fa…
*** How Vulnerable Are Your Phishing Targets? ***
---------------------------------------------
How Vulnerable Are Your Phishing Targets?
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/10/16/how-vulne…
*** ASLR Bypass Apocalypse in Lately Zero-Day Exploits ***
---------------------------------------------
ASLR (Address Space Layout Randomization) is one of the most effective protection mechanisms in the modern operation system. However, there were many innovative ASLR bypass techniques used in recent APT attacks.
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-ap…
*** Vulnerabilities Discovered in Global Vessel Tracking Systems ***
---------------------------------------------
Text by Marco Balduzzi and Kyle Wilhoit Trend Micro researchers have discovered that flaws in the AIS vessel tracking system can allow attackers to hijack communications of existing vessels, create fake vessels, trigger false SOS or collision alerts and even permanently disable AIS tracking on any vessel. Figure 1.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-…
*** Blog: Under Pressure ***
---------------------------------------------
Any online project - be it a long-lost blog, or a new start-up's web app - has a very important performance feature called a "maximum load". This indicator makes itself known when a web app either partially or fully fails to perform its assigned functions to process user requests.
---------------------------------------------
http://www.securelist.com/en/blog/8136/Under_Pressure
*** Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild ***
---------------------------------------------
The never-ending supply of access to compromised/hacked PCs - the direct result of the general availability of DIY/cracked/leaked malware/botnet generating tools - continues to grow in terms of the number and variety of such type of underground market propositions.
---------------------------------------------
http://www.webroot.com/blog/2013/10/16/yet-another-bitcoin-accepting-e-shop…
*** Honeydroid: Android-Handy wird zur Hackerfalle ***
---------------------------------------------
Experten der Deutschen Telekom machen aus Android-Smartphones mobile Honeypots. So haben sie in drei Monaten über 10.000 Angriffe auf ein einzelnes Gerät im Mobilnetz protokollieren können.
---------------------------------------------
http://www.heise.de/security/meldung/Honeydroid-Android-Handy-wird-zur-Hack…
*** Convincing "Urgent Windows Error Fix" phishing email doing rounds ***
---------------------------------------------
A pretty convincing email phishing campaign is targeting one of the largest user bases out there - those who use Microsofts Windows OS - by taking advantage of the recent problems that the company has been having with updates.
---------------------------------------------
http://www.net-security.org/secworld.php?id=15779
*** HP Service Manager Bugs Permit Cross-Site Scripting, Information Disclosure, and Code Injection Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029180
*** UbiDisk File Manager v2.0 iOS - Multiple Web Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/28977
*** Apple iOS 7.0.2 SIM Lock Screen Display Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100103
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 14-10-2013 18:00 − Dienstag 15-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Robert Waldner
*** Fingerprinting Ubuntu OS Versions using OpenSSH ***
---------------------------------------------
Over the past couples weeks, I’ve been working on enhancing the operating system detection logic in the TrustKeeper Scan Engine. Having the capability to detect a target’s operating system can be very useful. Whether you’re performing a simple asset identification scan or doing an in depth review, this information helps you make more informed decisions. In this blog post, I’ll be talking about a technique that that you can use to fingerprint a server operating system
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/e7s2jWmx7bU/fingerprin…
*** October 2013 Security Bulletin Webcast, Q&A, and Slide Deck ***
---------------------------------------------
Today we’re publishing the October 2013 Security Bulletin Webcast Questions & Answers page. We fielded 11 questions during the webcast, with specific bulletin questions focusing primarily on the SharePoint (MS13-084) and Kernel-Mode Drivers (MS13-081) bulletins. There was one additional question that we were unable to answer on air, and we have included a response to that question on the Q&A page. We invite our customers to join us for the next public webcast on Wednesday,
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/10/14/october-2013-security-bu…
*** Vuln: osCommerce products_id Parameter HTML Injection Vulnerability ***
---------------------------------------------
osCommerce is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.
Hostile HTML and script code may be injected into vulnerable sections of the application. When an unsuspecting user visits the affected site and views the affected section, the attacker-supplied code is rendered in the user's browser in the context of that site.
osCommerce 2.3.3 is vulnerable. Other versions may also be affected.
---------------------------------------------
http://www.securityfocus.com/bid/62997
*** Insecurities in the Linux /dev/random ***
---------------------------------------------
New paper: "Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust, by Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs. Abstract: A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/10/insecurities_in.html
*** Thousands of Sites Hacked Via vBulletin Hole ***
---------------------------------------------
Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/Mc94cSf4_Mc/
*** Juniper Junos SRX Series Gateway Buffer Overflow in Telnet Firewall Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Juniper Junos SRX Series Gateway Buffer Overflow in Telnet Firewall Lets Remote Users Execute Arbitrary Code
---------------------------------------------
http://www.securitytracker.com/id/1029175
*** Sensoren verraten Identität des Smartphones ***
---------------------------------------------
Die Messwerte eines Smartphones können den Benutzer wie ein digitaler Fingerabdruck verraten. Das haben Forscher der US-Universität Stanford nachgewiesen.
---------------------------------------------
http://futurezone.at/digital-life/sensoren-verraten-identitaet-des-smartpho…
*** Steam-Client verhilft Angreifern zu Systemrechten ***
---------------------------------------------
Die Windows-Version der Spieleplattform Steam enthält eine Schwachstelle, die es einem Angreifer ermöglicht, Schadcode mit Systemrechten auszuführen. Valve schweigt zu der Lücke.
---------------------------------------------
http://www.heise.de/security/meldung/Steam-Client-verhilft-Angreifern-zu-Sy…
*** We scanned the Internet for port 22 ***
---------------------------------------------
We scanned the entire Internet for port 22 - the port reserved for SSH, the protocol used by sysadmins to remotely log into machines. Unlike our normal scans of port 80 or 443, this generated a lot more abuse complaints, so I thought Id explain the scan.
---------------------------------------------
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html
*** Blog: Pharmaceutical ‘phishing’ ***
---------------------------------------------
Adverts for medication to improve male sex drive are a staple of spam mailings. Like any other unsolicited messages, emails of this nature have evolved with time and today’s versions no longer merely contain promises of enahnced potency and a link to a site selling pills. In August and September we noted a series of mailings that used the names of well-known companies, that looked just like typical phishing messages. However, instead of a phishing site the links they contained led to an advert for “male medication”.
---------------------------------------------
http://www.securelist.com/en/blog/8135/Pharmaceutical_phishing
*** Cisco Video Surveillance 4000 Series IP Camera Analytics Page Hardcoded Credentials Security Issue ***
---------------------------------------------
A security issue has been reported in Cisco Video Surveillance 4000 Series IP Camera, which can be exploited by malicious people to bypass certain security restrictions.
The security issue is caused due to the device allowing access to the analytics page using hardcoded credentials, which can be exploited to gain access to an otherwise restricted video feed.
The security issue is reported in versions 2.4(0.1) and 3.1(0.52).
---------------------------------------------
https://secunia.com/advisories/55283
*** [2013-10-15] Multiple critical vulnerabilities in SpamTitan ***
---------------------------------------------
SpamTitan suffers from multiple critical vulnerabilities. Unauthenticated attackers are able to completely compromise the system and extract or manipulate database contents.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** WordPress security threats, protection tips and tricks ***
---------------------------------------------
To start off with, there are some things that you can do just once to improve the security of your WordPress blog or website, but you still have to always follow a number of rules while using WordPress. By following such rules you will be safe from most of the automated targeted WordPress attacks which typically spread like wild fires ...
---------------------------------------------
http://www.net-security.org/article.php?id=1895
*** D-link to Padlock Router Backdoor By Halloween ***
---------------------------------------------
D-Link will address by the end of October a security issue in some of its routers that could allow attackers to change the device settings without requiring a username and password.The issue consists of a backdoor-type function built into the firmware of some D-Link routers that can be used to bypass the normal authentication procedure on their Web-based user interfaces.
---------------------------------------------
http://www.cio.com/article/741414/D_link_to_Padlock_Router_Backdoor_By_Hall…