=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 11-03-2014 18:00 − Mittwoch 12-03-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** When ASLR makes the difference ***
---------------------------------------------
We wrote several times in this blog about the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software because it's a very important defense mechanism that can increase the cost of writing exploits for attackers and in some cases prevent reliable exploitation. In today's blog, we'll go through ASLR one more time to show in practice how it can be valuable to mitigate two real exploits seen in the wild and to suggest solutions for programs...
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/03/11/when-aslr-makes-the-diffe…
*** Zeus-in-the-mobile variant uses security firms name to gain victims trust ***
---------------------------------------------
Android users are tricked into installing a spurious "security" app, which allows fraudsters to bypass one-time password authentication for online banking.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/uCKACIRIxoI/
*** BB10s dated crypto lets snoops squeeze the juice from your BlackBerry ***
---------------------------------------------
BEAST will attack your sensitive web traffic, warns poster BlackBerry BB10 OS uses dated protocols that leave users at risk to known cryptographic attacks, according to a security researcher.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/12/bb10_dated_…
*** WhatsApp erweitert Einstellungen zur Privatsphäre und bleibt trotzdem unsicher ***
---------------------------------------------
Der Schutz der Privatsphäre bleibt in WhatsApp löchrig: Zwar können andere Nutzer durch das neueste Update nicht mehr sehen, wann man zuletzt im Chat online war, aber die Chats können wohl komplett durch andere Android-Apps ausgelesen werden.
---------------------------------------------
http://www.heise.de/security/meldung/WhatsApp-erweitert-Einstellungen-zur-P…
*** iOS 7.1: Innenraumortung iBeacon schwerer abzustellen ***
---------------------------------------------
Nach dem Update auf Apples jüngsten Mobilbetriebssystem reicht es nicht aus, eine Anwendung, die das Indoor-Tracking nutzt, zu schließen - selbst nach einem Geräteneustart funkt iBeacon fleißig weiter.
---------------------------------------------
http://www.heise.de/security/meldung/iOS-7-1-Innenraumortung-iBeacon-schwer…
*** Is it the ISPs Fault if Your Home Broadband Router Gets Hacked? ***
---------------------------------------------
As consumers we have a right to be huffy at our ISPs when something goes wrong. But is the Internet provider still to blame if, as in the recent cases of AAISP and now PlusNet, your home broadband router ends up being hijacked by a DNS redirection exploit?
---------------------------------------------
http://www.ispreview.co.uk/index.php/2014/03/isps-fault-home-broadband-rout…
*** Blog: Agent.btz: a source of inspiration? ***
---------------------------------------------
The past few days has seen an extensive discussion within the IT security industry about a cyberespionage campaign called Turla, aka Snake and Uroburos, which, according to G-DATA experts, may have been created by Russian special services.
---------------------------------------------
http://www.securelist.com/en/blog/8191/Agent_btz_a_source_of_inspiration
*** Yokogawa CENTUM CS 3000 Vulnerabilities ***
---------------------------------------------
Juan Vazquez of Rapid7 Inc.,a and independent researcher Julian Vilas Diaz have identified several buffer overflow vulnerabilities and released proof-of-concept (exploit) code for the Yokogawa CENTUM CS 3000 application. CERT/CC, NCCIC/ICS-CERT, and JPCERT have coordinated with Rapid7 and Yokogawa to mitigate these vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-070-01
*** SSA-456423 (Last Update 2014-03-12): Vulnerabilities in SIMATIC S7-1500 CPU ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** VMSA-2014-0002 ***
---------------------------------------------
VMware vSphere updates to third party libraries
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0002.html
*** Apple Safari OSX code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91654
*** WordPress WP SlimStat Plugin URL Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57305
*** Bugtraq: CORE-2014-0002 - Oracle VirtualBox 3D Acceleration Multiple Memory Corruption Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531418
*** Vuln: MediaWiki text Prameter HTML Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/65906
*** Vuln: MediaWiki CVE-2014-2242 Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/65910
*** [webapps] - ZyXEL Router P-660HN-T1A - Login Bypass ***
---------------------------------------------
http://www.exploit-db.com/exploits/32204
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 10-03-2014 18:00 − Dienstag 11-03-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** A clear-eyed guide to Mac OSs actual security risks ***
---------------------------------------------
Apple has improved its security in recent years, but is it enough?
---------------------------------------------
http://www.csoonline.com/article/749495/a-clear-eyed-guide-to-mac-os-s-actu…
*** CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk ***
---------------------------------------------
Researcher Eric Filiol withdrew his presentation from this weeks CanSecWest conference because of concerns the information could be used to attack critical infrastructure worldwide.
---------------------------------------------
http://threatpost.com/cansecwest-presenter-self-censors-risky-critical-infr…
*** More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack ***
---------------------------------------------
Distributed Denial of Service (DDOS) attacks are becoming a common trend on our blog lately, and that's OK because it's a very serious issue for every website owner. Today I want to talk about a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect amplification vectors. Any WordPress site with XML-RPC enabled...
---------------------------------------------
http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-di…
*** Can this $70 dongle stem the epidemic of password breaches? ***
---------------------------------------------
Maybe not, but its approach could improve the security of password databases.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/TIJ7a8DsSVY/
*** Careto and OS X Obfuscation ***
---------------------------------------------
Last month, security researchers released a report about a targeted attack operation which they named Careto, or Mask in Spanish. The attack was noted for encoding its configuration data and encrypting its network traffic, making analysis more difficult. However, the capabilities of the Mac malware used in Careto was not as sophisticated as its Windows...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/tLQMNa8HgFc/
*** Saboteurs slip Dendroid RAT into Google Play ***
---------------------------------------------
Google quickly removed the malware, which was reportedly disguised as a legitimate parental control app, from its marketplace.
---------------------------------------------
http://www.scmagazine.com/saboteurs-slip-dendroid-rat-into-google-play/arti…
*** Ein Drittel aller Zertifikats-Herausgeber nur Security-Ballast ***
---------------------------------------------
Bei einer Untersuchung von 48 Millionen SSL-Zertifikaten stellten Forscher fest, dass jeder dritte Herausgeber kein einziges HTTPS-Zertifikat ausgestellt hat. Diese Schläfer-CAs sind ein beträchtliches Sicherheitsrisiko, das man leicht entschärfen könnte.
---------------------------------------------
http://www.heise.de/security/meldung/Ein-Drittel-aller-Zertifikats-Herausge…
*** Download: Threat Report ***
---------------------------------------------
Our Threat Report covering the second half of 2013 (with some forecasting of 2014) was released last week.Youll find it, and all of our previous reports in the Labs section of f-secure.com. On 10/03/14 At 06:24 PM
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002681.html
*** Verschlüsselung: Snowden empfiehlt Textsecure und Redphone ***
---------------------------------------------
Edward Snowden lobt in der Diskussion auf der SXSW Openwhispersystems und dessen Entwickler Moxie Marlinspike für die Veröffentlichung einfach zu nutzender Verschlüsselungstools.
---------------------------------------------
http://www.golem.de/news/verschluesselung-snowden-empfiehlt-textsecure-und-…
*** iOS 7.1: Apple stopft zahlreiche Sicherheitslücken ***
---------------------------------------------
Mit dem jüngsten Update behebt Apple über zwei Dutzend teils kritische Fehler in seinem Mobilbetriebssystem. Ein Jailbreak ist nun nicht mehr möglich.
---------------------------------------------
http://www.heise.de/security/meldung/iOS-7-1-Apple-stopft-zahlreiche-Sicher…
*** Team Cymrus SOHO Pharming Whitepaper ***
---------------------------------------------
UPDATE: Here is the video for our SOHO Pharming Update of March 11, 2014. This update discusses the results of our SOHO Pharming Whitepaper release as well as further developments on that topic. If youve navigated to this site from an external source and are seeking the download of the SOHO Pharming Whitepaper, please scroll down on this page. Thanks for watching and feel free to share with your colleagues and friends!
---------------------------------------------
https://www.team-cymru.com/ReadingRoom/Whitepapers/SOHOPharming.html
*** Microsoft Security Bulletin Summary for March 2014 ***
---------------------------------------------
This bulletin summary lists security bulletins released for March 2014.
With the release of the security bulletins for March 2014, this bulletin summary replaces the bulletin advance notification originally issued March 6, 2014.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-mar
*** Security updates available for Adobe Flash Player ***
---------------------------------------------
Adobe has released security updates for Adobe Flash Player 12.0.0.70 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.341 and earlier versions for Linux. These updates address important vulnerabilities, and Adobe recommends users update their product installations to the latest versions: ...
---------------------------------------------
http://helpx.adobe.com/security/products/flash-player/apsb14-08.html
*** TA14-069A: Microsoft Ending Support for Windows XP and Office 2003 ***
---------------------------------------------
Original release date: March 10, 2014 Systems Affected Microsoft Windows XP with Service Pack 3 (SP3) Operating SystemMicrosoft Office 2003 Products Overview Microsoft is ending support for the Windows XP operating system and Office 2003 product line on April 8, 2014. [1] After this date, these products will no longer receive:Security patches which help protect PCs from harmful viruses, spyware, and other malicious softwareAssisted technical support from MicrosoftSoftware and content updates...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA14-069A-0
*** Asterisk - Multiple Vulnerabilities ***
---------------------------------------------
Asterisk PJSIP Channel Drive Bug Lets Remote Users Deny Service
Asterisk chan_sip File Descriptor Flaw Lets Remote Authenticated Users Deny Service
Asterisk HTTP Header Cookie Processing Overflow Lets Remote Users Deny Service
Asterisk PJSIP Channel Driver Subscription Handling Bug Lets Remote Users Deny Service
---------------------------------------------
http://www.securitytracker.com/id/1029892http://www.securitytracker.com/id/1029891http://www.securitytracker.com/id/1029890http://www.securitytracker.com/id/1029893
*** FreeType Buffer Overflow in CFF Driver Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029895
*** D-Link DIR-600 Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57304
*** D-Link DSL-2640U Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57269
*** Bugtraq: Android Vulnerability: Install App Without User Explicit Consent ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531394
*** IBM Security Bulletin: IBM SPSS SamplePower vsflex8l ActiveX Control ComboList Property Remote Code Execution Vulnerability (CVE-2014-0895) ***
---------------------------------------------
There is security vulnerability with an ActiveX control shipped by IBM SPSS SamplePower Version 3.0.1. This is corrected in the IBM SPSS SamplePower product Interim Fix. CVE(s): CVE-2014-0895 Affected product(s) and affected version(s): IBM SPSS SamplePower for Windows V3.0.1 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21666790 X-Force Database:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Download of Code Without Integrity Check vulnerability in IBM Security AppScan Standard (CVE-2014-0904) ***
---------------------------------------------
IBM Security AppScan Standard can be affected a vulnerability in the update process that could allow remote code injection. CVE(s): CVE-2014-0904 Affected product(s) and affected version(s): IBM Security AppScan Standard 8.8 IBM Security AppScan Standard 8.7 IBM Security AppScan Standard 8.6 IBM Rational AppScan Standard 8.5 IBM Rational AppScan Standard 8.0 IBM Rational AppScan Standard 7.9 Refer to the following reference URLs for remediation and additional vulnerability details:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** HPSBGN02970 rev.1 - HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment, Multiple Remote Vulnerabilities affecting Confidentiality, Integrity and Availability ***
---------------------------------------------
Potential vulnerabilities have been identified with HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment. The vulnerabilities could be exploited remotely affecting confidentiality, integrity and availability.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBMU02947 rev.1 - HP System Management Homepage (SMH) Running on Linux and Windows, Remote Disclosure of Information and Cross-Site Request Forgery (CSRF) ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely resulting in disclosure of information or cross-site request forgery (CSRF).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBMU02948 rev.1 - HP Systems Insight Manager (SIM) Running on Linux and Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS), Disclosure of Information ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Systems Insight Manager (SIM) running on Linux and Windows. The vulnerabilities could be exploited remotely resulting in execution of arbitrary code, Denial of Service (DoS), or disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBUX02976 SSRT101236 rev.1 - HP-UX Running NFS rpc.lockd, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running NFS rpc.lockd. The vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 07-03-2014 18:00 − Montag 10-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Experts analyze Snake, Uroburos malware samples dating back to 2006 ***
---------------------------------------------
Researchers with BAE Systems Applied Intelligence have determined that a possibly Russian-fueled malware campaign known as Snake, or Uroburos, may actually date back as far as 2006.
---------------------------------------------
http://www.scmagazine.com/experts-analyze-snake-uroburos-malware-samples-da…
*** SSL-Verschlüsselung auch in iOS-Apps problematisch ***
---------------------------------------------
Nicht nur bei Android-Apps - auch im iPhone-Universum erweisen sich die Datenverbindungen von Apps recht oft als angreifbar. Rund 14 Prozent der iOS-Apps, die SSL einsetzen konnte ein Forscherteam austricksen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/SSL-Verschluesselung-auch-in-iOS-App…
*** iOS Security ***
---------------------------------------------
iOS is designed with comprehensive security that offers enterprise-grade protection of corporate data. Learn more about the advanced security features of iOS in this security guide.
---------------------------------------------
https://ssl.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf
*** ETH40G: Verschlüsselung mit 40 Gigabit pro Sekunde ***
---------------------------------------------
Mit dem ETH40G aus der SITLine-Reihe verspricht Rohde & Schwarz einen hohen verschlüsselten Datendurchsatz mit 40 Gigabit pro Sekunde in breitbandigen Netzen.
---------------------------------------------
http://www.golem.de/news/eth40g-verschluesselung-mit-40-gigabit-pro-sekunde…
*** Linux kernel IPv6 crash due to router advertisement flooding ***
---------------------------------------------
Topic: Linux kernel IPv6 crash due to router advertisement flooding Risk: Medium Text:The Linux kernel is vulnerable to a crash on hosts that accept router advertisements. An unlimited number of routes can be cre...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030061
*** OpenVZ update for kernel ***
---------------------------------------------
OpenVZ has issued an update for the kernel. This fixes a weakness and a vulnerability, which can be exploited by malicious, local users in a guest virtual machine to potentially disclose sensitive information and by malicious, local users to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/57300
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise an application using the library.
---------------------------------------------
https://secunia.com/advisories/56866
*** Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition. ***
---------------------------------------------
Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition. CVE(s): CVE-2014-0428, CVE-2014-0422, CVE-2013-5907, CVE-2014-0415, CVE-2014-0410, CVE-2013-5889, CVE-2014-0417, CVE-2014-0387, CVE-2014-0424, CVE-2013-5878, CVE-2014-0373, CVE-2014-0375, CVE-2014-0403, CVE-2014-0423, CVE-2014-0376, CVE-2013-5910, CVE-2013-5884, CVE-2013-5896, CVE-2013-5899, CVE-2014-0416, CVE-2013-5887, CVE-2014-0368, CVE-2013-5888, CVE-2013-5898 and CVE-2014-0411 Affected product(s)
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/multiple_vulnerabilit…
*** Vuln: PHP Fileinfo Component Out of Bounds Memory Corruption Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/66002
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 06-03-2014 18:00 − Freitag 07-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** The Snake Campaign ***
---------------------------------------------
This new report from BAE Systems Applied Intelligence today provides further details on how the recently disclosed ‘Snake’ cyber espionage toolkit operates. Timelines of the malware development show this to be much bigger campaign than previously known. Specifically it reveals that the malware has actually been in development since at least 2005. From the complexity of the malware, and the range of variants and techniques used to support its operation, the research also suggests that
---------------------------------------------
http://www.baesystems.com/what-we-do-rai/the-snake-campaign
*** Diffie-Hellman: Unsinnige Krypto-Parameter ***
---------------------------------------------
Ein kurzer Schlüsselaustausch bringt Chrome zum Absturz, andere Browser akzeptieren völlig unsinnige Parameter für einen Diffie-Hellman-Schlüsselaustausch. Im Zusammenhang mit den jüngst gefundenen TLS-Problemen könnte das ein Sicherheitsrisiko sein. (Opera, Firefox)
---------------------------------------------
http://www.golem.de/news/diffie-hellman-unsinnige-krypto-parameter-1403-104…
*** Shedding New Light on Tor-Based Malware ***
---------------------------------------------
Researchers at Kaspersky Lab and Microsoft have shared new insight into how malware campaigns operate over the Tor anonymity network, as well as other darknets.
---------------------------------------------
http://threatpost.com/shedding-new-light-on-tor-based-malware/104651
*** EMC Documentum TaskSpace privilege escalation ***
---------------------------------------------
EMC Documentum TaskSpace could allow a remote attacker to gain elevated privileges on the system, caused by an error related to the way dm_world group users were added to the dm_superusers_dynamic group. An attacker could exploit this vulnerability to gain elevated privileges on the system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91600
*** Multiple Cisco Wireless LAN Controllers WebAuth denial of service ***
---------------------------------------------
Multiple Cisco Wireless LAN Controllers are vulnerable to a denial of service, caused by the failure to deallocate memory used during the processing of a WebAuth login. By creating an overly large number of WebAuth requests, an attacker could exploit this vulnerability to cause the device to reboot.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91602
*** New Tool Makes Android Malware Easier To Create ***
---------------------------------------------
itwbennett writes "A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware. Security researchers from Symantec said Wednesday in a blog post that the tool, called Dendroid, is marketed by its creators as an Android remote administration tool (RAT) and is being sold for $300." Read more of this story
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/lUI1_mGPycM/story01.htm
*** The Siesta Campaign: A New Targeted Attack Awakens ***
---------------------------------------------
In the past few weeks, we have received several reports of targeted attacks that exploited various application vulnerabilities to infiltrate various organizations. Similar to the Safe Campaign, the campaigns we noted went seemingly unnoticed and under the radar. The attackers orchestrating the campaign we call the Siesta Campaign used multicomponent malware to target certain institutions that […]Post from: Trendlabs Security Intelligence Blog - by Trend MicroThe Siesta Campaign: A New
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/-rYSWuRUzdQ/
*** Gameover trojan uses rootkit to remain stealthy, tougher to remove ***
---------------------------------------------
Researchers have discovered a Gameover variant of the Zeus trojan that has been modified to include the Necurs rootkit, which makes the malware tougher to detect and remove by protecting files on the disk and memory.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/F6bJXyUofvI/
*** Apache Struts Bugs Let Remote Users Deny Service and Manipulate the ClassLoader ***
---------------------------------------------
A remote user can supply specially crafted 'class' parameter values to the ParametersInterceptor class to manipulate the ClassLoader [CVE-2014-0094].
A remote user can send a multipart request with a specially crafted Content-Type header to to trigger a flaw in the Apache Commons FileUpload component and cause denial of service conditions [CVE-2014-0050].
---------------------------------------------
http://www.securitytracker.com/id/1029876
*** Linux Memory Dump with Rekall, (Fri, Mar 7th) ***
---------------------------------------------
Memory dumping for incident response is nothing new, but ever since they locked down access to direct memory (/dev/mem) on Linux, I’ve had bad experiences dumping memory. I usually end up crashing the server about 60 percent of the time while collecting data with Fmem. A new version of Linux memory dumping utility rekall (previous called Winpmem) has recently came out. I’ve been testing it on the latest versions of Ubuntu and Redhat EL 5 and have not run into any issues with
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17775&rss
*** Citrix NetScaler Application Delivery Controller Multiple Flaws Let Users Gain Elevated Privileges and Deny Service ***
---------------------------------------------
Several vulnerabilities were reported in Citrix NetScaler Application Delivery Controller. A local user can obtain passwords. A user can gain elevated privileges. A remote user can conduct cross-site scripting and cross-site request forgery attacks. A user can cause denial of service conditions.
---------------------------------------------
http://www.securitytracker.com/id/1029880
*** February 2014 virus activity review from Doctor Web ***
---------------------------------------------
February 28, 2014 Although it’s the years shortest month, February proved to be quite eventful in terms of information security. In particular, Doctor Webs security researchers discovered several Trojans that replace browser window banners and steal confidential information. Also identified were new malignant programs targeting Android. Viruses According to statistics collected in February 2014 by Dr.Web CureIt!, Trojan.Packed.24524, which spreads in the guise of legitimate software, was
---------------------------------------------
http://news.drweb.com/show/?i=4262&lng=en&c=9
*** ownCloud 4.0.x / 4.5.x Remote Code Execution ***
---------------------------------------------
Topic: ownCloud 4.0.x / 4.5.x Remote Code Execution Risk: High Text:Vulnerability title: Remote Code Execution in ownCloud CVE: CVE-2014-2044 Vendor: ownCloud Product: ownCloud Affected versi...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030055
*** WordPress Premium Gallery Manager Shell Upload ***
---------------------------------------------
Topic: WordPress Premium Gallery Manager Shell Upload Risk: High Text: Wordpress Plugins Premium Gallery Manager Arbitrary File Upload ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030053
*** [2014-03-07] Unauthenticated access & manipulation of settings in Huawei E5331 MiFi mobile hotspot ***
---------------------------------------------
Unauhenticated attackers are able to gain access to sensitive configuration (e.g. WLAN passwords in clear text or IMEI information of the SIM card) and even manipulate all settings in the web administration interface! This can even be exploited remotely via Internet depending on the mobile operator setup or via CSRF attacks.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** HP-UX m4(1) Command Flaw Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
A vulnerability was reported in HP-UX. A local user can obtain elevated privileges on the target system.
A local user can exploit an unspecified flaw in the HP-UX m4(1) command to gain elevated privileges.
---------------------------------------------
http://www.securitytracker.com/id/1029881
*** Hack gegen AVM-Router: Fritzbox-Lücke offengelegt, Millionen Router in Gefahr ***
---------------------------------------------
Die Schonfrist ist abgelaufen: Im Netz kursieren Details, wie man die kritische Schwachstelle in den Fritzboxen ausnutzt. Das bedeutet akute Gefahr, da nach Erkenntnissen von heise Security noch immer sehr viele AVM-Router verwundbar sind.
---------------------------------------------
http://www.heise.de/security/meldung/Hack-gegen-AVM-Router-Fritzbox-Luecke-…
*** ComiXology gehackt: User müssen Passwort ändern ***
---------------------------------------------
Die größte digitale Comics-Plattform ComiXology wurde Opfer eines unerlaubten Zugriffs auf Datenbanken mit Usernamen, E-Mailinfos und verschlüsselten Passwörtern.
---------------------------------------------
http://futurezone.at/digital-life/comixology-gehackt-user-muessen-passwort-…
*** Via Drucker ins Netz: PDF-Trojaner verwandelt IP-Telefone in Wanzen ***
---------------------------------------------
Ausschließlich durch Missbrauch von Lücken in Geräten wie Netzwerkdruckern oder VoIP-Telefonen können Angreifer ein Netzwerk attackieren. Demonstriert wurde, wie sich die Telefone in Wanzen verwandeln lassen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Via-Drucker-ins-Netz-PDF-Trojaner-ve…
*** Microsoft Security Bulletin Advance Notification for March 2014 ***
---------------------------------------------
* Remote Code Execution Microsoft Windows,Internet Explorer * Remote Code Execution Microsoft Windows * Elevation of Privilege Microsoft Windows * Security Feature Bypass Microsoft Windows * Security Feature Bypass Microsoft Silverlight
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-mar
*** PHP 5.4.26 and 5.5.10 available. Several Security Fixes @ : http://www.php.net/downloads.php, (Fri, Mar 7th) ***
---------------------------------------------
PHP 5.4.26 and 5.5.10 available. Several Security Fixes @ : http://www.php.net/downloads.php -- Tom Webb (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17777&rss
*** Windows XP: Bundesregierung sorgt sich um Sicherheit von Geldautomaten ***
---------------------------------------------
Zum 8. April läuft Microsofts Support für Windows XP aus. Darum hält es das BSI laut Innenministerium für geboten, aktuelle Betriebssysteme einzusetzen, die mit Sicherheitsupdates versorgt werden.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Windows-XP-Bundesregierung-sorgt-sic…
*** New Attacks on HTTPS Traffic Reveal Plenty About Your Web Surfing ***
---------------------------------------------
Researchers at UC Berkeley have developed new attacks that analyze HTTPS traffic and can accurately determine what pages youve visited during an encrypted session.
---------------------------------------------
http://threatpost.com/new-attacks-on-https-traffic-reveal-plenty-about-your…
*** Open-Source-CMS: Sicherheitsupdate für Joomla ***
---------------------------------------------
Das Joomla-Entwicklerteam hat ein Sicherheitsupdate für die beiden aktuell unterstützten Versionszweige des Open-Source-CMS veröffentlicht. Joomla 2.5.19 und Joomla 3.2.3 sollen kürzlich entdeckte Schwachstellen des Content Management Systems stopfen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Open-Source-CMS-Sicherheitsupdate-fu…
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library.
---------------------------------------------
https://secunia.com/advisories/57282
*** Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM (CVE-2014-0838, CVE-2014-0835, CVE-2014-0836, CVE-2014-0837) ***
---------------------------------------------
Multiple vulnerabilities exist in the AutoUpdate settings page and the AutoUpdate process within the IBM QRadar SIEM that when used together could result in remote code execution. CVE(s): CVE-2014-0835, CVE-2014-0836, CVE-2014-0837, and CVE-2014-0838 Affected product(s) and affected version(s): IBM QRadar Security Information and Event Manager (SIEM) 7.2 MR1 and earlier Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Security Bulletin: Information regarding security vulnerability in IBM SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server and addressed by Oracle CPU January 2014 ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server and included in the products that are listed in this document. CVE(s): CVE-2014-0411 Affected product(s) and affected version(s): WebSphere Process Server V6.1.2, 6.2.x, 7.0.x WebSphere Process Server on z/OS V6.2.x, 7.0.x WebSphere Process Server Hypervisor Edition for Red Hat Enterprise Linux Server for x86 (32-bit) V7.0.0 WebSphere Process Server Hypervisor
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_inf…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 05-03-2014 18:00 − Donnerstag 06-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Apple OpenSSL Verification Surprises ***
---------------------------------------------
Apple ships a patched version of OpenSSL with OS X. If no precautions are taken, their changes rob you of the power to choose your trusted CAs, and break the semantics of a callback that can be used for custom checks and verifications in client software.
---------------------------------------------
https://hynek.me/articles/apple-openssl-verification-surprises/
*** Sefnit's Tor botnet C&C details ***
---------------------------------------------
We have talked about the impact that resulted from the Sefnit botnet Tor hazard as well as the clean-up effort that went into that threat. In this post we'd like to introduce some of the details regarding the Tor component's configuration and its communication with the Tor service. Specifically, we'll talk about how Trojan:Win32/Sefnit.AT communicates with the Tor network, what domains it tries to contact, and where it keeps its configuration data. After Sefnit...
---------------------------------------------
https://blogs.technet.com/b/mmpc/archive/2014/03/05/sefnit-s-tor-botnet-c-a…
*** Cisco-Router mit Passwörtern im Quellcode des Web-Interfaces ***
---------------------------------------------
In zwei Routern und einer Firewall von Cisco klafft eine Sicherheitslücke, die es Angreifern erlaubt, sich mit Administratorrechnern anzumelden. Die Geräte geben die Passwörter im Quelltext des Anmeldefensters preis.
---------------------------------------------
http://www.heise.de/security/meldung/Cisco-Router-mit-Passwoertern-im-Quell…
*** Akute Angriffsserie auf D-Link-Modems ***
---------------------------------------------
Tausende Internetanschlüsse sind aufgrund einer Sicherheitslücke in DSL-Modems von D-Link akut gefährdet - allein in Deutschland. Die Schwachstelle wird bereits systematisch für Angriffe missbraucht. Wer betroffene Geräte betreibt, muss umgehend handeln.
---------------------------------------------
http://www.heise.de/security/meldung/Akute-Angriffsserie-auf-D-Link-Modems-…
*** Joomla! Core - Multiple Vulnerabilities ***
---------------------------------------------
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/xcttKR2_t_4/578-20140301-c…http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/-FMP5B4UydI/579-20140302-c…http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/3SC6NBuk13g/580-20140303-c…http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/oiSyKvvYgXA/581-20140304-c…
*** SA-CONTRIB-2014-028 - Masquerade - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-028Project: Masquerade (third-party module)Version: 6.x, 7.xDate: 2014-March-05Security risk: Highly criticalExploitable from: RemoteVulnerability: Access bypassDescriptionThis module allows a user with the right permissions to switch users. When a user has been limited to only masquerading as certain users via the "Enter the users this user is able to masquerade as" user profile field, they can still masquerade as any user on the site by using the...
---------------------------------------------
https://drupal.org/node/2211401
*** Security Bulletins: Citrix NetScaler Application Delivery Controller Multiple Security Vulnerabilities ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix NetScaler Application Delivery Controller (ADC).
---------------------------------------------
http://support.citrix.com/article/CTX139049
*** HP Data Protector Backup Client Service Remote Code Execution ***
---------------------------------------------
Topic: HP Data Protector Backup Client Service Remote Code Execution Risk: High Text:## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-fr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030052
*** PHP date() is evil (XSS'able) ***
---------------------------------------------
Topic: PHP date() is evil (XSS'able) Risk: Low Text:I was playing with PHP (As usual) and i was thinking about date() It's a PHP function that displays date in different ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030046
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 04-03-2014 18:00 − Mittwoch 05-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Windows XP: Microsoft drängt mit Popup zum Umstieg ***
---------------------------------------------
Microsoft will XP-Nutzer direkter darauf hinweisen, dass der Support für das Betriebssystem endet. Zusätzlich soll die bislang kostenpflichtige Migrationshilfe PCmover Express umsonst bereit - das Angebot hat aber einen Pferdefuss.
---------------------------------------------
http://www.heise.de/security/meldung/Windows-XP-Microsoft-draengt-mit-Popup…
*** 69 Prozent der beliebtesten Android Apps funken im Klartext ***
---------------------------------------------
Bei einer Untersuchung von 10,000 Android-Apps haben Forscher herausgefunden, dass die Mehrzahl ihre Datenverbindungen gar nicht verschlüsselt und weitere 26 Prozent SSL so einsetzen, dass die Verbindung angreifbar ist.
---------------------------------------------
http://www.heise.de/security/meldung/69-Prozent-der-beliebtesten-Android-Ap…
*** Geld her oder Seite weg: Erpressung mit DDoS-Angriff ***
---------------------------------------------
Angreifer fordern Geld, um Attacken auf Seiten zu stoppen
---------------------------------------------
http://derstandard.at/1392687169264
*** Blog: Tor hidden services - a safe haven for cybercriminals ***
---------------------------------------------
http://www.securelist.com/en/blog/8187/Tor_hidden_services_a_safe_haven_for…
*** Malware nutzt iTunes als Lockmittel ***
---------------------------------------------
Nachgebaute iTunes-Seiten locken zur Installation der vermeintlichen Apple-Software - stattdessen erhält der Nutzer Malware. Prominent platzierte Suchmaschinenwerbung zum Begriff "iTunes" dient als Zubringer.
---------------------------------------------
http://www.heise.de/security/meldung/Malware-nutzt-iTunes-als-Lockmittel-21…
*** Apache Shiro 1.2.2 LDAP Authentication Bypass ***
---------------------------------------------
Topic: Apache Shiro 1.2.2 LDAP Authentication Bypass Risk: High Text:Dear Apache Shiro Community, The Apache Shiro team has released Apache Shiro version 1.2.3. This is the third bug fix point...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030034
*** Windows Escalate UAC Protection Bypass (In Memory Injection) ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030039
*** HPSBHF02965 rev.1 - HP Security Management System, Remote Execution of Arbitrary Code ***
---------------------------------------------
A potential security vulnerability has been identified with HP Security Management System. The vulnerability could be remotely exploited to allow remote execution of arbitrary code.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBUX02973 SSRT101455 rev.1 - HP-UX Running Java6/7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** WordPress Relevanssi Plugin "category_name" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56641
*** Java OpenID Server 1.2.1 XSS / Session Fixation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030037
*** VU#823452: Serena Dimensions CM 12.2 Build 7.199.0 web client vulnerabilities ***
---------------------------------------------
Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contains multiple cross-site scripting vulnerabilities.CWE-79: Improper Neutralization of Input
---------------------------------------------
http://www.kb.cert.org/vuls/id/823452
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 03-03-2014 18:00 − Dienstag 04-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** TLS: Sicherheitslücke bei Client-Authentifizierung ***
---------------------------------------------
Erneut gibt es Probleme mit dem TLS-Protokoll. Mit der Triple Handshake-Attacke kann ein bösartiger HTTPS-Server einem weiteren Server vorgaukeln, er hätte das Zertifikat eines Nutzers. Die meisten Anwender sind von dem Angriff vermutlich nicht betroffen.
---------------------------------------------
http://www.golem.de/news/tls-sicherheitsluecke-bei-client-authentifizierung…
*** Webspace: Sicherheitsrisiko FTP ***
---------------------------------------------
Wer eine eigene Webseite betreibt, überträgt sie meist per FTP zum Webhoster. Dabei kommt häufig keine Verschlüsselung zum Einsatz. Kein einziger großer Provider weist seine Kunden auf diese Risiken adäquat hin; bei manchen Providern ist eine verschlüsselte Verbindung überhaupt nicht möglich.
---------------------------------------------
http://www.golem.de/news/webspace-sicherheitsrisiko-ftp-1403-104889-rss.html
*** Großangriff auf Router: DNS-Einstellungen manipuliert ***
---------------------------------------------
Forscher entdeckten einen Großangriff auf Router: Bei über 300.000 Routern, die im Privat- oder Büroeinsatz sind, wurden angeblich die DNS-Einstellungen manipuliert. Die Angreifer hätten dadurch jederzeit den Datenverkehr der Geräte umleiten können.
---------------------------------------------
http://www.heise.de/security/meldung/Grossangriff-auf-Router-DNS-Einstellun…
*** Sicherheitslücke: GnuTLS jetzt mit "goto fail" ***
---------------------------------------------
Auch die Open-Source-Bibliothek für gesicherte Verbindungen weist einen schwerwiegenden Fehler beim überprüfen von Zertifikaten auf. Aktuelle Patches sollen ihn beheben.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsluecke-GnuTLS-jetzt-mit-got…
*** GNUTLS-SA-2014-2 - Certificate Verification Issue ***
---------------------------------------------
A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks.
---------------------------------------------
http://gnutls.org/security.html#GNUTLS-SA-2014-2
*** WordPress plugin Google Analytics MU 2.3 CSRF ***
---------------------------------------------
Topic: WordPress plugin Google Analytics MU 2.3 CSRF Risk: Low Text:Details = Software: Google Analytics MU Version: 2.3 Homepage: http://wordpress.org/plugins/google-analytics-mu/ CVSS...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030018
*** Joomla 3.2.2 Cross Site Scripting ***
---------------------------------------------
Topic: Joomla 3.2.2 Cross Site Scripting Risk: Low Text:# == # Title ...| Persistent pre-auth XSS in Joomla # Version .| Joomla 3.2.2 # Date ....| 3.03.2014 #...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030030
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 28-02-2014 18:00 − Montag 03-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Komplexe Spionagesoftware namens Uroburos entdeckt ***
---------------------------------------------
Sicherheitsexperten von G Data haben eine mutmaßliche Geheimdienstsoftware entdeckt, die offenbar darauf abzielt, hochsensible und geheime Informationen von staatlichen Einrichtungen, Nachrichtendiensten und Großunternehmen zu stehlen.
---------------------------------------------
http://www.heise.de/security/meldung/Komplexe-Spionagesoftware-namens-Urobu…
Multiple vulnerabilities in Oracle Demantra 12.2.1
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030004http://cxsecurity.com/issue/WLB-2014030007http://cxsecurity.com/issue/WLB-2014030006http://cxsecurity.com/issue/WLB-2014030005
*** Wo-möglich-Verschlüsselung für mehr Sicherheit ***
---------------------------------------------
Harte Verschlüsselung oder nur Wo-möglich-Verschlüsselung gegen NSA und Konsorten? Darüber diskutierte der STRINT-Workshop der IETF und des W3C am Wochenende in London.
---------------------------------------------
http://www.heise.de/security/meldung/Wo-moeglich-Verschluesselung-fuer-mehr…
*** DSA-2868 php5 ***
---------------------------------------------
denial of service
---------------------------------------------
http://www.debian.org/security/2014/dsa-2868
*** WordPress VideoWhisper Live Streaming Plugin Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57202
*** Apache Camel XSLT XML External Entities and Arbitrary Code Execution Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57125
*** Hintergrund: VM-Erkennung in Malware ***
---------------------------------------------
Die rote oder die blaue Pille? Immer mehr Schädlinge wollen wissen, ob ihre Umgebung echt oder nur virtuell ist.
---------------------------------------------
http://www.heise.de/security/artikel/VM-Erkennung-in-Malware-2131459.html
*** The Mobile Cybercriminal Underground Market in China ***
---------------------------------------------
The availability of affordable mobile Internet access has changed the computing landscape everywhere. More and more people are using mobile devices both for work and for entertainment. China is no exception. According to a report published by the China Internet Network Information Center (CNNIC), 81% of Chinese Internet users went online using their mobile phone ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-mobile-cyber…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 27-02-2014 18:00 − Freitag 28-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Are Automated Update Services the Next Surveillance Frontier? ***
---------------------------------------------
Automated update services that provide users with security patches and feature enhancements are also a potential hunting ground for intelligence agencies and law enforcement surveillance activity.
---------------------------------------------
http://threatpost.com/are-automated-update-services-the-next-surveillance-f…
*** DDoS and BCP 38, (Thu, Feb 27th) ***
---------------------------------------------
Quite often on many lists we will hear the term Best Current Practice (BCP) 38 bandied about and further recommendations to implement [1] [2][3][4] (See NANOG Mailing list archive) . Some will say "it will aid in DDoS mitigation" and even others will even state "All Internet Service Providers (ISP) should implement this." Now before the philosophical discussions ensue in the comments, it might be a good idea to discuss, technically, what it is? And perhaps what it can do?
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17735&rss
*** Oversharing, (Fri, Feb 28th) ***
---------------------------------------------
When ISC reader Michael contacted us about "odd UDP traffic from all over" that he was suddenly seeing in his firewall log, we at first assumed that his Internet connection had "inherited" a dynamic IP address that had before been used by a rampant file sharing user, and that Michael was now seeing the "after glow". We still asked for a PCAP (tcpdump) file though, and when we looked at what Michael sent back, we saw to our surprise...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17737&rss
*** Highly Effective Joomla Backdoor with Small Profile ***
---------------------------------------------
It feels like every day we're finding gems, or what appear to be gems to us. We try to balance the use of the term, but I can't lie, these are truly gems. The things they are doing, and by they I mean the attackers, are in some instance ingenious. I think you'll agree that...
---------------------------------------------
http://blog.sucuri.net/2014/02/highly-effective-joomla-backdoor-with-small-…
*** Tilon/SpyEye2 intelligence report ***
---------------------------------------------
Tilon, son of Silon, or... SpyEye2 evolution of SpyEye? The malware family commonly known as Tilon has been around for several years now. While several public analysis reports have described the malware; no one has thus far linked it with the well-known SpyEye malware family. In light of the recent news of the guilty plea...
---------------------------------------------
http://blog.fox-it.com/2014/02/25/tilonspyeye2-intelligence-report/
*** Malicious Proxy Auto-Config redirection ***
---------------------------------------------
Internet banking credentials are a desired target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password stealing trojans such as Fareit, Zbot or Banker. A less known, yet commonly found in South America and to a lesser extent in Russia, method to gain unauthorized access to a user's banking credentials is through malicious Proxy Auto-Config (PAC) files. Normally, PAC files offer similar functionality to the hosts file, allowing IP/website redirection,...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/02/28/malicious-proxy-auto-con…
*** Notorious "Gameover" malware gets itself a kernel-mode rootkit... ***
---------------------------------------------
Zeus, also known as Zbot, is a malware family that we have written about many times on Naked Security...
---------------------------------------------
http://nakedsecurity.sophos.com/2014/02/27/notorious-gameover-malware-gets-…
*** [2014-02-28] Authentication bypass (SSRF) and local file disclosure in Plex Media Server ***
---------------------------------------------
The Plex Media Server proxy functionality fails to properly validate pre-authentication user requests. This allows unauthenticated attackers to make the Plex Media Server execute arbitrary HTTP requests and hence bypass all authentication and execute commands with administrative privileges. Furthermore, because of insufficient input validation, arbitrary local files can be disclosed without prior authentication including passwords and other sensitive information.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** [2014-02-28] Privilege escalation vulnerability in MICROSENS Profi Line Modular Industrial Switch Web Manager ***
---------------------------------------------
Attackers are able to elevate privileges during login from read-only user rights to full read/write or debug access rights by simply changing result values of the affected CGI script. This allows attackers to reconfigure the device.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** VU#534284: Synology DiskStation Manager VPN module hard-coded password vulnerability ***
---------------------------------------------
Synology DiskStation Manager 4.3-3810 update 1 and possibly earlier versions contain a VPN server module which contains a hard-coded password which cannot be changed. According to the original forum post...
---------------------------------------------
http://www.kb.cert.org/vuls/id/534284
*** Moodle 2.6.1 Cross Site Scripting ***
---------------------------------------------
Topic: Moodle 2.6.1 Cross Site Scripting Risk: Low Text:# == # Title ...| Moodle 2.6.1 # Version .| (Feb 27 2014) moodle-latest-26.zip # Date ....| 27.02.2014...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020247
*** Cisco IPS MainApp SNMP Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the SNMP code of Cisco Intrusion Prevention System (IPS) Software could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive. Additionally, due to this general system failure, other processes such as the Analysis Engine may not function properly.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Communications Domain Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface on the affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Schneider Electric Floating License Manager Vulnerability ***
---------------------------------------------
Schneider Electric had become aware of an "unquoted service path" vulnerability in the Schneider Electric Floating License Manager, produced a patch that mitigates this vulnerability, and notified NCCIC/ICS-CERT.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-058-01
*** Schneider Electric OFS Buffer Overflow Vulnerability ***
---------------------------------------------
Schneider Electric has reported to NCCIC/ICS-CERT a Stack Buffer Overflow vulnerability supplied with the Schneider Electric OPC Factory Server (OSF).
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-058-02
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 26-02-2014 18:00 − Donnerstag 27-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Avaya to Patch Zero Days That Turn IP Phone into Radio Transmitters ***
---------------------------------------------
Avaya is expected to patch zero-day vulnerabilities in its latest one-X IP phones. The vulnerabilities and an exploit will be demonstrated this week at RSA Conference 2014.
---------------------------------------------
http://threatpost.com/avaya-to-patch-zero-days-that-turn-ip-phone-in-radio-…
*** Detecting malware on Mac OS X with USM and MIDAS ***
---------------------------------------------
Let's briefly review what we accomplished in the first post: Understood the capabilities and design of MIDAS Deployed MIDAS on a Mac OS X endpoint installed the MIDAS plugin in AlienVault USM Verified the integration by running MIDAS and confirming the events in the SIEM. How does this make us safer? More generally, what does this mean? To answer these questions we need to understand what plists and kexts mean from a security perspective. PlistsProperty list files contain configuration data...
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/detecting-malware-on-ma…
*** Ongoing NTP Amplification Attacks, (Wed, Feb 26th) ***
---------------------------------------------
Brett, who alerted us earlier this month regarding the mass exploit against Linksys devices has surfaced a current issue hes facing with ongoing NTP amplification attacks. A good US-CERT summary of the attack is here: https://www.us-cert.gov/ncas/alerts/TA14-013A. Brett indicates that: "We are seeing massive attacks on our NTP servers, attempting to exploit the traffic amplification vulnerability reported last month. Our IPs are being probed by an address in the Netherlands, and a couple...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17723&rss
*** Yes, You Too Can Be An Evil Network Overlord - On The Cheap With OpenBSD, pflow And nfsen ***
---------------------------------------------
Have you ever wanted to know whats really going on in your network? Some free tools with surprising origins can help you to an almost frightening degree.One question I get a lot (or variants that end up being very close) is, "How do you keep up with whats happening in your network?". A close cousin is "how much do you actually know about your users?".The exact answer to both can have legal implications, so before I proceed to the tech content, Ill ask you to make sure you...
---------------------------------------------
http://bsdly.blogspot.com/2014/02/yes-you-too-can-be-evil-network.html
*** Weekly Metasploit Update: Encoding-Fu, New Powershell Payload, Bug Fixes ***
---------------------------------------------
In this week's Metasploit weekly update, we begin with OJ TheColonial Reeves' new optimized sub encoding module (opt_sub.rb). As the name implies, this encoder takes advantage of the SUB assembly instruction to encode a payload with printable characters that are file path friendly. Encoders like this are incredibly useful for developing a memory corruption exploit...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/02/26/weekly-me…
*** Security: Cisco öffnet Snort-Schnittstelle ***
---------------------------------------------
Wenige Wochen nach der Übernahme des Snort-Entwicklers Sourcefire hat Cisco die Schnittstelle zu dem Intrusion Detection System unter dem Namen OpenAppID öffentlich gemacht. Zudem wurde der Malware-Schutz des aufgekauften Unternehmens in Ciscos Sicherheitsportfolio integriert.
---------------------------------------------
http://www.golem.de/news/security-cisco-oeffnet-snort-schnittstelle-1402-10…
*** Mac OS X 10.6 Snow Leopard: Apple aktualisiert nicht mehr ***
---------------------------------------------
Die letzten zwei größeren Sicherheitsupdates von Apple standen nur noch für Mavericks, Mountain Lion und Lion bereit. Dabei ist OS X 10.6 noch relativ weit verbreitet.
---------------------------------------------
http://www.heise.de/security/meldung/Mac-OS-X-10-6-Snow-Leopard-Apple-aktua…
*** Was the iOS SSL Flaw Deliberate? ***
---------------------------------------------
Last October, I speculated on the best ways to go about designing and implementing a software backdoor. I suggested three characteristics of a good backdoor: low chance of discovery, high deniability if discovered, and minimal conspiracy to implement. The critical iOS vulnerability that Apple patched last week is an excellent example. Look at the code. What caused the vulnerability is...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/02/was_the_ios_ssl.html
*** Android & iOS: Gratis-Werkzeuge zur Malware-Analyse ***
---------------------------------------------
Die Linux-Distribution Santoku bringt alle Werkzeuge mit, um Malware und andere Apps für iOS und Android professionell unter die Lupe zu nehmen. Eine Kombination aus einer App und einem Webdienst analysiert unter anderem Datenströme von Apps.
---------------------------------------------
http://www.heise.de/security/meldung/Android-iOS-Gratis-Werkzeuge-zur-Malwa…
*** Atlassian - Security Bypass Vulnerabilities in various Products ***
---------------------------------------------
Security Bypass Vulnerabilities in Atlassian Bamboo, Confluence, FishEye, JIRA, Crucible and Stash
---------------------------------------------
https://secunia.com/advisories/57086https://secunia.com/advisories/57088https://secunia.com/advisories/57095https://secunia.com/advisories/57105https://secunia.com/advisories/56842https://secunia.com/advisories/56936
*** [2014-02-27] Local Buffer Overflow vulnerability in SAS for Windows ***
---------------------------------------------
Attackers are able to completely compromise SAS clients when a malicious SAS program gets executed as the software "SAS for Windows" is affected by a local buffer overflow vulnerability.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Drupal - Vulnerabilities in third-party Modules and Themes ***
---------------------------------------------
Vulnerabilities in Open Omega (third-party theme), Content locking (anti-concurrent editing) (third-party module), Project Issue File Review (third-party module) and Mime Mail (third-party module)
---------------------------------------------
https://drupal.org/node/2205877https://drupal.org/node/2205807https://drupal.org/node/2205767https://drupal.org/node/2205991
*** Schneider Electric CitectSCADA Products Exception Handler Vulnerability (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-13-350-01 Schneider Electric SCADA Products Exception Handler Vulnerability that was published February 25, 2014, on the NCCIC/ICS-CERT web site. This advisory was originally posted to the US-CERT secure Portal library on December 16, 2013. Schneider Electric requested the title change to reduce confusion.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-350-01A