=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 28-01-2014 18:00 − Mittwoch 29-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Introducing ModSecurity Status Reporting ***
---------------------------------------------
The Trustwave SpiderLabs Research team is committed to making ModSecurity the best open source WAF possible. To this end, we have deployed Buildbot platforms and revamped regression tests for our different ports to ensure code quality and reliability. But we want to take it even further. The question is, how else can we improve ModSecurity development and support? To best answer that question, we need some basic insight into the ModSecurity user community: How many ModSecurity deployments are...
---------------------------------------------
http://blog.spiderlabs.com/2014/01/introducing-modsecurity-status-reporting…
*** Defending Against Tor-Using Malware, Part 1 ***
---------------------------------------------
In the past few months, the Tor anonymity service as been in the news for various reasons. Perhaps most infamously, it was used by the now-shuttered Silk Road underground marketplace. We delved into the topic of the Deep Web in a white paper titled Deepweb and Cybercrime. In our 2014 predictions, we noted that cybercriminals would go deeper...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/F4F76IP9KP8/
*** Eyeing SpyEye ***
---------------------------------------------
Earlier this week, it was announced by the United States Department of Justice that the creator of the notorious SpyEye banking malware, Aleksandr Andreevich Panin (also known as Gribodemon or Harderman), had pleaded guilty before a federal court to charges related to creating and distributing SpyEye. Trend Micro was a key part of this investigation...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/4eIEz-KJvXo/
*** This tool demands access to YOUR ENTIRE DIGITAL LIFE. Is it from GCHQ? No - its by IKEA ***
---------------------------------------------
Order a flat-pack kitchen, surrender your HDDs contents If the Target hack - along with all its predecessors - taught us anything, its that the database isnt the vulnerability. Its the data thats the problem.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/29/ikea_demand…
*** Botnetz nutzt Lücke in alten Java-Versionen ***
---------------------------------------------
Sicherheitsexperten haben Schadsoftware entdeckt, die eine vor Monaten geschlossene Java-Lücke ausnutzt, um ein Botnetz aufzubauen. Das Programm läuft auf Windows, Linux und Mac OSX; Abhilfe ist einfach möglich.
---------------------------------------------
http://www.heise.de/security/meldung/Botnetz-nutzt-Luecke-in-alten-Java-Ver…
*** Cisco Network Time Protocol Distributed Reflective Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Network Time Protocol (NTP) package of several Cisco products could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Cisco Identity Services Engine Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** WordPress WebEngage Plugin Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been discovered in the WebEngage plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/56700
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 27-01-2014 18:00 − Dienstag 28-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Making Your Printer Say "Feed Me a Kitten" and Also Exfiltrate Sensitive Data ***
---------------------------------------------
As of this last release, PJL (HP's Printer Job Language) is now a grown-up Rex::Proto protocol! Since extending a protocol in Metasploit is beyond the scope of this post, we'll just be covering how to use the PoC modules included with the new protocol. Feel free to dig around in lib/rex/proto/pjl*, though!
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/01/23/hacking-p…
*** Coordinated malware eradication ***
---------------------------------------------
Today, as an industry, we are very effective at disrupting malware families, but those disruptions rarely eradicate them. Instead, the malware families linger on, rearing up again and again to wreak havoc on our customers. To change the game, we need to change the way we work. It is counterproductive when you think about it. The antimalware ecosystem encompasses many strong groups: security vendors, service providers, CERTs, anti-fraud departments, and law enforcement. Each group uses their...
---------------------------------------------
https://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-…
*** Trustworthy electronic signatures, secure e-Government and trust: the way forward for improving EU citizens' trust in web services, outlined by EU Agency ENISA ***
---------------------------------------------
The EU's cyber security Agency, ENISA, is publishing a series of new studies about the current security practices of Trust Service Providers (TSPs) and recommendations for improving cross-border trustworthiness and interoperability for the new regulated TSPs and for e-Government services using them.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/trustworthy-electronic-sign…
*** Android VPN redirect vuln now spotted lurking in Kitkat 4.4 ***
---------------------------------------------
Now may be a good time to check this out, says securo-bod Israeli researchers who specialise in ferreting out Android vulns have discovered a new flaw in KitKat 4.4 that allows an attacker to redirect secure VPN traffic to a third-party server.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/28/android_vpn…
*** File Infectors and ZBOT Team Up, Again ***
---------------------------------------------
File infectors and ZBOT don't usually go together, but we recently saw a case where these two kinds of threats did. This particular file infector - PE_PATNOTE.A - appends its code to all executable files on the infected system,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/n_0oP1-kYzo/
*** Login-Diebstahl: Warnung vor manipuliertem Filezilla-Client ***
---------------------------------------------
Avast warnt vor manipulierten Programmversionen des beliebten Filezilla-Clients. Wer die falsche Version des FTP-Programms nutzt, gibt Kriminellen die Zugangsdaten für die verwendeten FTP-Server. Betroffen sind nur Anwender, die Filezilla von der falschen Quelle heruntergeladen haben.
---------------------------------------------
http://www.golem.de/news/login-diebstahl-warnung-vor-manipuliertem-filezill…
*** Blog: A cross-platform java-bot ***
---------------------------------------------
Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465 to infect users with the malware.
---------------------------------------------
http://www.securelist.com/en/blog/8174/A_cross_platform_java_bot
*** DDoS attacks become smarter, faster and more severe ***
---------------------------------------------
DDoS attacks will continue to be a serious issue in 2014 - as attackers become more agile and their tools become more sophisticated, according to Radware. Their report was compiled using data from over 300 cases and the Executive Survey consisting of personal interviews with 15 high-ranking security executives.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16268
*** Worldwide Infrastructure Security Report ***
---------------------------------------------
Arbor's annual Worldwide Infrastructure Security Report offers unique insight from network operators on the front lines in the global battle against network threats.
---------------------------------------------
http://www.arbornetworks.com/resources/infrastructure-security-report
*** SI6 Networks IPv6 Toolkit ***
---------------------------------------------
A security assessment and troubleshooting tool for the IPv6 protocols
---------------------------------------------
http://www.si6networks.com/tools/ipv6toolkit/
*** Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM (CVE-2014-0838, CVE-2014-0835, CVE-2014-0836, CVE-2014-0837) ***
---------------------------------------------
Multiple vulnerabilities exist in the AutoUpdate settings page and the AutoUpdate process within the IBM QRadar SIEM that when used together could result in remote code execution.
---------------------------------------------
https://www-304.ibm.com/support/docview.wss?uid=swg21663066
*** VU#686662: Fail2ban postfix and cyrus-imap filters contain denial-of-service vulnerabilities ***
---------------------------------------------
Fail2ban versions prior to 0.8.11 are susceptible to a denial-of-service attack when a maliciously crafted email address is parsed by the postfix or cyrus-imap filters. If users have not deployed either of these filters then they are not affected.
---------------------------------------------
http://www.kb.cert.org/vuls/id/686662
*** VU#863369: Mozilla Thunderbird does not adequately restrict HTML elements in email message content ***
---------------------------------------------
Mozilla Thunderbird does not adequately restrict HTML elements in email content, which could allow an attacker to execute arbitrary script when a specially-crafted email message is forwarded or replied to. ---------------------------------------------
http://www.kb.cert.org/vuls/id/863369
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 24-01-2014 18:00 − Montag 27-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** ModSecurity Advanced Topic of the Week: HMAC Token Protection ***
---------------------------------------------
This blog post presents a powerful feature of ModSecurity v2.7 that has been highly under-utilized by most users: HMAC Token Protection. There was a previous blog post written that outlined some usage examples here, however we did not properly demonstrate the protection coverage gained by its usage. Specifically, by using the HMAC Token Protection capabilities of ModSecurity, you can reduce the attack surface of the following attacks/vulnerabilities: Forceful Browsing of Website Content
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/4JiUhR_1fSQ/modsecurit…
*** Mitigation of NTP amplification attacks involving Junos ***
---------------------------------------------
When an NTP client or server is enabled within the [edit system ntp] hierarchy level of the Junos configuration, REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the monlist feature within NTP may allow remote attackers to cause a denial of service. NTP is not enabled in Junos by default. Once NTP is enabled, an attacker can exploit these control messages in two different ways:...
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613
*** Sicherheitslücke in Pages: Update angeraten ***
---------------------------------------------
Nutzer der Mac- und iOS-Version von Pages sollten die neueste Version installieren - eine Sicherheitslücke in älteren Versionen erlaubt unter Umständen das Ausführen von Schadcode.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsluecke-in-Pages-Update-ange…
*** First Android bootkit has infected 350,000 devices ***
---------------------------------------------
January 24, 2014 Russian anti-virus company Doctor Web is warning users about a dangerous Trojan for Android that resides in the memory of infected devices and launches itself early on in the OS loading stage, acting as a bootkit. This allows the Trojan to minimize the possibility that it will be deleted, without tampering with the devices file system. Currently, this malignant program is operating on more than 350,000 mobile devices belonging to users in various countries,...
---------------------------------------------
http://news.drweb.com/show/?i=4206&lng=en&c=9
*** Security Advisory-DoS Vulnerability in Eudemon8000E ***
---------------------------------------------
Huawei Eudemon8000E firewall allows users to log in to the device using Telnet or SSH. When an attacker sends to the device a mass of TCP packets with special structure, the logging process become slowly and users may be unable to log in to the device (HWNSIRT-2014-0101).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Security Bulletin: GSKit certificate chain vulnerability in IBM Security Directory Server and Tivoli Directory Server (CVE-2013-6747) ***
---------------------------------------------
A vulnerability has been identified in the GSKit component utilized by IBM Security Directory Server (ISDS) and IBM Tivoli Directory Server (TDS). A malformed certificate chain can cause the ISDS or TDS client application or server process using GSKit to hang or crash.
---------------------------------------------
https://www-304.ibm.com/support/docview.wss?uid=swg21662902
*** Security Bulletin: IBM Security SiteProtector System can be affected by a vulnerability in the IBM Java JRE (CVE-2013-5809) ***
---------------------------------------------
IBM Security SiteProtector System can be affected by vulnerability in the IBM Java JRE. This vulnerability could allow a remote attacker to affect confidentiality, integrity, and availability by means of unknown vectors related to the Java 2D component.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21662685
*** Security Bulletin eDiscovery Manager (CVE-2013-5791 and CVE-2013-5763) ***
---------------------------------------------
CVE-2013-5791 - CVSS Score: 10 An unspecified vulnerability in Oracle Outside In Technology related to the Outside In Filters component could allow a local attacker to cause a denial of service. CVE-2013-5763 - CVSS Score: 6.8 Oracle Outside In technology is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the OS/2 Metafile parser. By causing a vulnerable application to process a malicious file, a remote attacker...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21659481
*** Vulnerability Note VU#168751 - Emerson Network Power Avocent MergePoint Unity 2016 KVM switches contain a directory traversal vulnerability ***
---------------------------------------------
Emerson Network Power Avocent MergePoint Unity 2016 (MPU2016) KVM switches running firmware version 1.9.16473 and possibly previous versions contain a directory traversal vulnerability. An attacker can use directory traversal to download critical files such as /etc/passwd to obtain the credentials for the device.
---------------------------------------------
http://www.kb.cert.org/vuls/id/168751
*** Vulnerability Note VU#105686 - Thecus NAS Server N8800 contains multiple vulnerabilities ***
---------------------------------------------
CVE-2013-5667 - Thecus NAS Server N8800 Firmware 5.03.01 get_userid OS Command Injection CVE-2013-5668 - Thecus NAS Server N8800 Firmware 5.03.01 CVE-2013-5669 - Thecus NAS Server N8800 Firmware 5.03.01 plain text administrative password
---------------------------------------------
http://www.kb.cert.org/vuls/id/105686
*** Cisco Video Surveillance Operations Manager MySQL Database Insufficient Authentication Controls ***
---------------------------------------------
A vulnerability in the configuration of the MySQL database as installed by Cisco Video Surveillance Operations Manager (VSOM) could allow an unauthenticated, remote attacker to access the MySQL database.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Security update available for Adobe Digital Editions ***
---------------------------------------------
Adobe has released a security update for Adobe Digital Editions for Windows and Macintosh. This update addresses a vulnerability in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.
---------------------------------------------
http://helpx.adobe.com/security/products/Digital-Editions/apsb14-03.html
*** Hitachi Cosminexus Products Multiple Java Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56545
*** Drupal Doubleclick for Publishers Module Slot Names Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56521
*** WordPress SS Downloads Plugin Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56532
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 23-01-2014 18:00 − Freitag 24-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Russische Spione im Tor-Netz enttarnt ***
---------------------------------------------
Forscher stießen auf 20 Exit Nodes, welche die HTTPS-Verbindungen von Tor-Nutzern aufzubrechen versuchten. Die meisten davon stammen aus Russland.
---------------------------------------------
http://www.heise.de/security/meldung/Russische-Spione-im-Tor-Netz-enttarnt-…
*** Bug Exposes IP Cameras, Baby Monitors ***
---------------------------------------------
A bug in the software that powers a broad array of Webcams, IP surveillance cameras and baby monitors made by Chinese camera giant Foscam allows anyone with access to the devices Internet address to view live and recorded video footage, KrebsOnSecurity has learned.
---------------------------------------------
http://krebsonsecurity.com/2014/01/bug-exposes-ip-cameras-baby-monitors/
*** "Syrian Electronic Army" attackierten Twitter-Account von CNN ***
---------------------------------------------
Sender: "Ja, es ist auch uns passiert. CNN-Accounts gehackt"
---------------------------------------------
http://derstandard.at/1389858074081
*** 65.000 E-Mail-Konten bei Salzburg AG gehackt ***
---------------------------------------------
Bei der Salzburg AG sind die Zugangsdaten von mehr als 65.000 E-Mail- und Internetkonten gehackt worden. Bankdaten seien nicht betroffen, betonte das Unternehmen. Die Hintergründe der Tat sind unklar. User und Kunden üben Kritik.
---------------------------------------------
http://news.orf.at/stories/2215391/
*** Angebliche Sicherheitslücke in aktuellem Chrome nicht zu finden ***
---------------------------------------------
Ein Fehler in Googles Browser lässt sich mit der aktuellen Version nicht reproduzieren. Google will die Lücke schon vor Längerem geschlossen haben.
---------------------------------------------
http://www.heise.de/security/meldung/Angebliche-Sicherheitsluecke-in-aktuel…
*** Malicious links for iOS users ***
---------------------------------------------
January 23, 2014 Russian anti-virus company Doctor Web is warning iOS device users about a growing number of incidents involving the distribution of links to bogus sites via mobile app advertisements. An iOS user misguided by such fraud can end up subscribed to a pseudo-service and thus lose money from their mobile account. Recently, users of mobile devices running iOS have been encountering advertisements with increasing frequency in the free applications on their smart phones and tablets. Ads
---------------------------------------------
http://news.drweb.com/show/?i=4204&lng=en&c=9
*** GE Proficy Multiple Vulnerabilities ***
---------------------------------------------
Researchers amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI) have identified two vulnerabilities in the General Electric (GE) Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) - CIMPLICITY application. GE has released security advisories, GEIP13-05 and GEIP13-06, to inform customers about these vulnerabilities.These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01
*** DSA-2848 mysql-5.5 ***
---------------------------------------------
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details.
---------------------------------------------
http://www.debian.org/security/2014/dsa-2848
*** Bugtraq: [CVE-2014-1607.] Cross Site Scripting(XSS) in Drupal Event calendar module ***
---------------------------------------------
Reflected cross-site scripting (XSS) vulnerability in Drupal 7.14 EventCalendar Module, found in eventcalendar/year allows remote attackers to inject arbitrary web scripts or HTML after the inproperly sanitizited Year Parameter.
---------------------------------------------
http://www.securityfocus.com/archive/1/530876
*** Cisco TelePresence Video Communication Server Expressway Default SSL Certificate Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an unauthenticated, remote attacker to execute a man-in-the-middle (MITM) attack between one or more affected devices.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 22-01-2014 18:00 − Donnerstag 23-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** SA-CONTRIB-2014-005 - Leaflet - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-005
Project: Leaflet (third-party module)
Version: 7.xDate: 2014-January-22
Security risk: Critical
Exploitable from: Remote
Vulnerability: Access bypass
Description
The Leaflet module enables you to display an interactive map using the Leaflet library, using entities as map features.The module exposes complete data from entities used as map features to any site visitor with a Javascript inspector (like Firebug).
---------------------------------------------
https://drupal.org/node/2179103
*** New Android Malware Steals SMS Messages, Intercepts Calls ***
---------------------------------------------
A new strain of Android malware has emerged that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls.
---------------------------------------------
http://threatpost.com/new-android-malware-steals-sms-messages-intercepts-ca…
*** Official PERL Blogs hacked, 2,924 Author Credentials Leaked by ICR ***
---------------------------------------------
The breach has seen 2,924 user account credentials published to quickleak.org as well as the blog having a deface page added but was not obtrusive to the actually website.
---------------------------------------------
http://www.cyberwarnews.info/2014/01/22/official-perl-blogs-hacked-2924-aut…
*** CrowdStrike Takes On Chinese, Russian Attack Groups in Threat Report ***
---------------------------------------------
Russian attackers targeted energy sector targets and a Chinese nexus intrusion group infected foreign embassies with malware using watering hole tactics in 2013, CrowdStrike researchers found in its first-ever Global Threat Report.
---------------------------------------------
http://www.securityweek.com/crowdstrike-takes-chinese-russian-attack-groups…
*** Outdated energy, water and transport Industrial Control Systems without sufficient cyber security controls require coordinated testing of capability at EU levels, says the EU's cyber security Agency ENISA ***
---------------------------------------------
Today, the EU's cyber security Agency ENISA published a new report to give advice regarding the next steps towards coordinated testing of capability of the often outdated Industrial Control Systems (ICS) for European industries. Among the key recommendations is the testing of ICS is a concern for all EU Member States and could be dealt with at EU levels according to ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/ics-without-sufficient-cybe…
*** Analysis: Spam in December 2013 ***
---------------------------------------------
In December, spammers continued to honor the traditions of the season and tried to attract potential customers with a variety of original gift and winter vacation offers, taking advantage of the approaching holidays.
---------------------------------------------
http://www.securelist.com/en/analysis/204792323/Spam_in_December_2013
*** Chrome Eavesdropping Exploit Published ***
---------------------------------------------
Exploit code has been published for a Google Chrome bug that allows malicious websites granted permission to use a computers microphone for speech recognition to continue listening after a user leaves the website.
---------------------------------------------
http://threatpost.com/chrome-eavesdropping-exploit-published/103798
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 21-01-2014 18:00 − Mittwoch 22-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** [2014-01-22] Backdoor account & command injection vulnerabilities in Allnet IP-Cam ALL2281 ***
---------------------------------------------
The IP camera Allnet ALL2281 is affected by critical vulnerabilities that allow an attacker to gain access to the webinterface via a backdoor account. Furthermore, executing arbitrary OS commands is possible.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Feodo Tracker kämpft gegen Rechnungs-Spam ***
---------------------------------------------
Das Feodo-Botnet beschert Deutschland aktuell massenhaft Viren-Spam – vermeintlich im Namen bekannter Mobilfunkprovider und Banken. Der Feodo-Tracker sammelt Indizien, um das Spam-Netzwerk zu bremsen.
---------------------------------------------
http://www.heise.de/security/meldung/Feodo-Tracker-kaempft-gegen-Rechnungs-…
*** Security Bulletins: Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including Citrix XenServer 6.2 Service Pack 1.
The following vulnerabilities have been addressed: CVE-2013-4494, CVE-2013-4554, CVE-2013-6885
---------------------------------------------
http://support.citrix.com/article/CTX140038
*** Security Bulletins: Citrix XenClient XT Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenClient XT. These vulnerabilities affect all currently supported versions of Citrix XenClient XT up to and including version 3.2.
The following vulnerabilities have been addressed: CVE-2013-4355, CVE-2013-4370, CVE-2013-4416, CVE-2013-4494, CVE-2013-4554
---------------------------------------------
http://support.citrix.com/article/CTX139624
*** SSL Labs: Stricter security requirements for 2014 ***
---------------------------------------------
Today, were releasing a new version of SSL Rating Guide as well as a new version of SSL Test to go with it. Because the SSL/TLS and PKI ecosystem continues to move at a fast pace, we have to periodically evaluate our rating criteria to keep up.
---------------------------------------------
http://blog.ivanristic.com/2014/01/ssl-labs-stricter-security-requirements-…
*** [2014-01-22] Critical vulnerabilities in T-Mobile HOME NET Router LTE (Huawei B593u-12) ***
---------------------------------------------
Attackers are able to completely compromise the T-Mobile Austria HOME NET router (based on Huawei B593u-12) without prior authentication. Depending on the configuration of the router it is also possible to exploit the flaws directly from the Internet.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Digitally signed data-stealing malware targets Mac users in "undelivered courier item" attack ***
---------------------------------------------
Our colleagues at SophosLabs pointed us at a interesting item of malware the other day, namely a data-stealing Trojan aimed at Mac users. In fact, it was somewhat more than that: it was one of those "undelivered courier item" emails linking to a dodgy web server that guessed whether you were running Windows or OS X, and targeted you accordingly.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-ma…
*** Cisco TelePresence System Software Command Execution Vulnerability ***
---------------------------------------------
Cisco TelePresence System Software contains a vulnerability in the System Status Collection Daemon (SSCD) code that could allow an unauthenticated, adjacent attacker to execute arbitrary commands with the privileges of the root user.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco TelePresence Video Communication Server SIP Denial of Service Vulnerability ***
---------------------------------------------
Cisco TelePresence Video Communication Server (VCS) contains a vulnerability that could allow an unauthenticated, remote attacker to trigger the failure of several critical processes which may cause active call to be dropped and prevent users from making new calls until the affected system is reloaded.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco TelePresence ISDN Gateway D-Channel Denial of Service Vulnerability ***
---------------------------------------------
Cisco TelePresence ISDN Gateway contains a vulnerability that could allow an unauthenticated, remote attacker to trigger the drop of the data channel (D-channel), causing all calls to be terminated and preventing users from making new calls.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 20-01-2014 18:00 − Dienstag 21-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Sicherheitstest eingerichtet: BSI meldet millionenfachen Identitätsdiebstahl ***
---------------------------------------------
Behörden haben bei der Analyse von Botnetzen rund 16 Millionen betroffene Benutzerkonten entdeckt. Das BSI bietet einen Sicherheitstest an, um E-Mails auf Identitätsdiebstahl zu überprüfen. (Internet, Security)
---------------------------------------------
http://www.golem.de/news/sicherheitstest-eingerichtet-bsi-meldet-millionenf…
*** Android Vulnerability Enables VPN Bypass ***
---------------------------------------------
A hole in Androids VPN feature could expose what should be securely communicated data as clear, unencrypted text.
---------------------------------------------
http://threatpost.com/android-vulnerability-enables-vpn-bypass/103719
*** Details on Patched Microsoft Office 365 XSS Vulnerability Disclosed ***
---------------------------------------------
A cross-site scripting vulnerability in Microsoft Office 365 casts attention on the need to shore up the security of cloud-based enterprise applications.
---------------------------------------------
http://threatpost.com/details-on-patched-microsoft-office-365-xss-vulnerabi…
*** Kampf um die Hintertüren einer vernetzten Welt ***
---------------------------------------------
Adam Philpott vom Netzwerk-Riesen Cisco bestreitet Kooperation mit Geheimdiensten und skizziert neue Bedrohungen im Netz der Zukunft
---------------------------------------------
http://derstandard.at/1389857261752
*** Blog: WhatsApp for PC - a guaranteed Trojan banker ***
---------------------------------------------
WhatsApp for PC - now from Brazil and bringing banker which will steal your money. It hides itself as an mp3 file and has a low VT detection.
---------------------------------------------
http://www.securelist.com/en/blog/208214225/WhatsApp_for_PC_a_guaranteed_Tr…
*** EU cyber security Agency ENISA calls for secure e-banking and e-payments: non-replicable, single-use credentials for e-identities are needed in the financial sector ***
---------------------------------------------
Different tokens, devices, mobile phones, e-signatures, etc. are used to authenticate our e-identities. Yet, some financial institutions are still not considering the risk of inadequate authentication mechanisms according to a new study by the EU Agency ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/enisa-calls-for-secure-e-ba…
*** Spoiled Onions ***
---------------------------------------------
As of January 2014, the Tor anonymity network consists of 5,000 relays of which almost 1,000 are exit relays. As the diagram to the right illustrates, exit relays bridge the gap between the Tor network and the open Internet. As a result, exit relays are able to see anonymised network traffic as it is sent by Tor clients. While most exit relays are innocuous and run by well-meaning volunteers, there are exceptions: In the past, some exit relays were documented to have sniffed and
---------------------------------------------
http://www.cs.kau.se/philwint/spoiled_onions/
*** Merkur-Kundendaten mit Nocard geknackt ***
---------------------------------------------
Studenten der FH Salzburg ist mit dem Kundenkartengenerator Zugriff auf Kundenprofile gelungen
---------------------------------------------
http://derstandard.at/1389857747260
*** WordPress WordFence Plugin "User-Agent" Script Insertion Vulnerability ***
---------------------------------------------
Input passed via the "User-Agent" HTTP header is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a administrator's browser session in context of an affected site when the malicious data is being viewed.
---------------------------------------------
https://secunia.com/advisories/56558
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 17-01-2014 18:00 − Montag 20-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** NCR: Weltweit 95 Prozent aller Geldautomaten mit Windows XP ***
---------------------------------------------
Laut einem hochrangigen Manager des Herstellers NCR laufen fast alle Geldautomaten weltweit noch mit Windows XP. Die Deutsche Kreditwirtschaft will davon nichts wissen, und erklärt, dass die Geldautomaten in Deutschland nicht am Internet hängen. Daher spiele die Art des Betriebssystems keine Rolle.
---------------------------------------------
http://www.golem.de/news/ncr-weltweit-95-prozent-aller-geldautomaten-mit-wi…
*** Adware vendors buy Chrome Extensions to send ad- and malware-filled updates ***
---------------------------------------------
A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hours worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account..
---------------------------------------------
http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensio…
*** VPN Related Vulnerability Discovered on an Android device - Disclosure Report ***
---------------------------------------------
As part of our ongoing mobile security research we have uncovered a network vulnerability on Android devices which has serious implications for users using VPN. This vulnerability enables malicious apps to bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the
---------------------------------------------
http://cyber.bgu.ac.il/blog/vpn-related-vulnerability-discovered-android-de…
*** Looking Forward Into 2014: What 2013′s Mobile Threats Mean Moving Forward ***
---------------------------------------------
2013 was the year that the Android malware not just grew, but matured into a full-fledged threat landscape. Not only did the number of threats grow, the sophistication and capabilities associated with these threats grew as well. As we noted earlier, the number of mobile malware threats has crossed the one million mark, and as of ...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mF1EIjR8duU/
*** Open-Xchange Server Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in Open-Xchange, which can be exploited by malicious users to disclose potentially sensitive information and by malicious people to conduct cross-site scripting and script insertion attacks.
---------------------------------------------
https://secunia.com/advisories/56390
*** F5 ARX Series Cyrus SASL NULL Pointer Dereference Vulnerability ***
---------------------------------------------
F5 has acknowledged a vulnerability in F5 ARX Series, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a bundled vulnerable version of Cyrus SASL in relation to the ARX Manager Configuration utility.
---------------------------------------------
http://secunia.com/advisories/56077/
*** Moodle Security Bypass Security Issue and Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A security issue and a vulnerability have been reported in Moodle, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site request forgery attacks.
---------------------------------------------
https://secunia.com/advisories/56556
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 16-01-2014 18:00 − Freitag 17-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** JS-Binding-Over-HTTP Vulnerability and JavaScript Sidedoor: Security Risks Affecting Billions of Android App Downloads ***
---------------------------------------------
Third-party libraries, especially ad libraries, are widely used in Android apps. Unfortunately, many of them have security and privacy issues. In this blog, we summarize our findings related to the insecure usage of JavaScript binding in ad libraries.
---------------------------------------------
http://www.fireeye.com/blog/technical/2014/01/js-binding-over-http-vulnerab…
*** ECAVA INTEGRAXOR BUFFER OVERFLOW VULNERABILITY ***
---------------------------------------------
Overview: This advisory is a follow-up to the alert titled ICS-ALERT-14-015-01 Ecava IntegraXor Buffer Overflow Vulnerability that was published January 15, 2014, on the NCCIC/ICS-CERT Web site.
Independent researcher Luigi Auriemma identified a buffer overflow vulnerability in the Ecava IntegraXor application without coordination with NCCIC/ICS-CERT, the vendor, or any other coordinating entity known to NCCIC/ICS-CERT. Ecava has produced a patch version that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-016-01
*** A Closer Look at the Target Malware, Part II ***
---------------------------------------------
Yesterdays story about the point-of-sale malware used in the Target attack has prompted a flood of reporting from antivirus and security vendors. Buried within those reports are some interesting details that speak to possible actors involved and to the timing and discovery of this breach.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/V1LusjgMQk8/
*** HPSBUX02961 SSRT101420 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Thingbot: Botnetz infiziert Kühlschrank ***
---------------------------------------------
Ein US-Sicherheitsunternehmen hat ein Botnetz enttarnt. Das Besondere daran ist, dass etwa ein Viertel der infizierten Geräte keine Computer sind, sondern andere Internet-fähige Geräte - darunter ein Kühlschrank. (Spam, Malware)
---------------------------------------------
http://www.golem.de/news/thingbot-botnetz-infiziert-kuehlschrank-1401-10397…
*** Microsoft löscht Tor-Software nach Trojaner-Befall ***
---------------------------------------------
Von mehreren hunderttausend Windows-PCs hat Microsoft veraltete Tor-Software gelöscht, die ein Trojaner installiert hatte. Auf bis zu zwei Millionen Rechnern soll der heimlich eingerichtete Dienst immer noch aktiv sein.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-loescht-Tor-Software-nach-Tr…
*** Oldboot: the first bootkit on Android ***
---------------------------------------------
A few days ago, we found an Android Trojan using brand new method to modify devices boot partition and booting script file to launch system service and extract malicious application during the early stage of systems booting. Due to the special RAM disk feature of Android devices boot partition, all current mobile antivirus product in the world can't completely remove this Trojan or effectively repair the system. We named this Android Trojan family as Oldboot. As far as we
---------------------------------------------
http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-andro…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 15-01-2014 18:00 − Donnerstag 16-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Compromised Sites Pull Fake Flash Player From SkyDrive ***
---------------------------------------------
On most days, our WorldMap shows more of the same thing. Today is an exception.One infection is topping so high in the charts that it pretty much captured our attention.Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits.So we dug deeper It wasnt long before we saw that a lot of scripts hosted in various websites got compromised. Our telemetry actually showed that almost 40% of the infected websites were hosted in Germany. In
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002659.html
*** Microsoft antimalware support for Windows XP ***
---------------------------------------------
Microsoft has announced the Windows XP end of support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system. To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015. This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-su…
*** SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2014-001Project: Drupal coreVersion: 6.x, 7.xDate: 2014-January-15Security risk: Highly criticalExploitable from: RemoteVulnerability: Multiple vulnerabilitiesDescriptionMultiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.Impersonation (OpenID module - Drupal 6 and 7 - Highly critical)A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack
---------------------------------------------
https://drupal.org/SA-CORE-2014-001
*** A First Look at the Target Intrusion, Malware ***
---------------------------------------------
Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Todays post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/OVODHvnhoQs/
*** Amazons public cloud fingered as USs biggest MALWARE LAIR ***
---------------------------------------------
Cyber-crooks lurve Bezos & Cos servers and their whitelisted IP addresses Amazons public cloud is the largest haven of malware spreaders in the US, according to security company Solutionary.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/16/amazon_clou…
*** Ecava IntegraXor Buffer Overflow Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of a buffer overflow vulnerability with proof-of-concept (PoC) exploit code affecting Ecava IntegraXor, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the vulnerability is exploitable by using a command to load an arbitrary resource from an arbitrary DLL located in the program’s main folder.
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-015-01
*** Advisory (ICSA-13-344-01) WellinTech Multiple Vulnerabilities ***
---------------------------------------------
NCCIC/ICS-CERT received reports from the Zero Day Initiative (ZDI) regarding a remote code execution vulnerability and an information disclosure vulnerability in WellinTech KingSCADA, KingAlarm&Event, and KingGraphic applications. These vulnerabilities were reported to ZDI by security researcher Andrea Micalizzi. WellinTech has produced a new version that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01
*** Google verstärkt Anti-Spam-Team mit Zukauf ***
---------------------------------------------
Das Team des Startups Impermium, das ein System gegen E-Mail-Account-Missbrauch entwickelt, wechselt zum Internet-Giganten.
---------------------------------------------
http://www.heise.de/security/meldung/Google-verstaerkt-Anti-Spam-Team-mit-Z…
*** Telekom reagiert mit Blog-Eintrag auf gefälschte Rechnungen ***
---------------------------------------------
Erneut versenden Kriminelle gefälschte Online-Rechnungen der Telekom als Lockmittel, um Schadsoftware zu verbreiten. Dieses Mal reagiert der Konzern mit Warn-Mails und einem Blog-Eintrag, der Unterscheidungsmerkmale zu echten Rechnungen erklärt.
---------------------------------------------
http://www.heise.de/security/meldung/Telekom-reagiert-mit-Blog-Eintrag-auf-…
*** The Hidden Backdoors to the City of Cron ***
---------------------------------------------
An attackers key to creating a profitable malware campaign is its persistency. Malicious code that is easily detected and removed will not generate enough value for their creators. This is the reason why we are seeing more and more malware using creative backdoor techniques, different obfuscation methods, and using unique approaches to increase the lifespanRead More
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/MCeUaRyYi88/the-hidden-backdo…
*** DynDNS-Dienst knickt unter DDoS-Attacke ein ***
---------------------------------------------
Dyn, Betreiber eines der bekanntesten DynDNS-Dienstes, ist Ziel eines DDoS-Angriffs geworden. Es ist zwar nur ein Teil der DNS-Infrastruktur des Anbieters betroffen, aber die Störung schlägt dennoch bis zu den Nutzern durch.
---------------------------------------------
http://www.heise.de/newsticker/meldung/DynDNS-Dienst-knickt-unter-DDoS-Atta…
*** Niederländische Behörden warnen vor Webcams ***
---------------------------------------------
Die niederländischen Justizbehörden warnen, dass die in Tablets und Latops eingebauten Webcams eine Sicherheitslücke darstellen, über die Hacker eindringen können. Abkleben wird empfohlen.
---------------------------------------------
http://www.heise.de/security/meldung/Niederlaendische-Behoerden-warnen-vor-…