=======================
= End-of-Shift report =
=======================
Timeframe: Montag 06-05-2013 18:00 − Dienstag 07-05-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Bugtraq: ESA-2013-015: RSA Archer® GRC Multiple Vulnerabilities ***
---------------------------------------------
ESA-2013-015: RSA Archer® GRC Multiple Vulnerabilities
---------------------------------------------
http://www.securityfocus.com/archive/1/526542
*** Is there an epidemic of typo squatting?, (Tue, May 7th) ***
---------------------------------------------
One of our readers, Jim, wrote in earlier today to say he has noticed an increase in "working" typo squatting over the last 2 months or so. That is, hes seen users accidently surfing to them or being redirected there by some sort of malicious javascript trickery. His question for us (and the rest of you) is, is this a local phenomenon or are the bad guys making more use of this tactic? Im not currently setup to monitor this type of activity, so I figured Id ask our loyal readers. Do...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=15740&rss
*** Security Bulletin: IBM Content Collector affected by vulnerabilities in IBM Java SDK ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM Java SDK that is shipped with IBM Content Collector.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21634236
*** Security Bulletin: IBM Notes PNG integer overflow (CVE-2013-2977) ***
---------------------------------------------
IBM Notes has an integer overflow vulnerability which may be triggered by viewing a malformed PNG image.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21635878
*** Security Bulletin: Multiple security vulnerabilities addressed in IBM Sterling Secure Proxy ***
---------------------------------------------
IBM Sterling Secure Proxy is vulnerable to spoofing and information disclosure attacks.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21636369
*** MyBB Game Section Plugin "des" and "s" Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/53296
*** Hacker verschafften sich Zugriff auf alle .edu-Domains ***
---------------------------------------------
Die Hackergruppe "Hack The Planet" veröffentlicht Informationen zu Lücken in MoinMoin und ColdFusion, über die sie sich unter anderem Zugriff auf alle .edu-Domains, die Website des Sicherheitstools Nmap sowie andere prominente Websites verschaffte.
---------------------------------------------
http://www.heise.de/security/meldung/Hacker-verschafften-sich-Zugriff-auf-a…
*** Wonderware Information Server Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for multiple vulnerabilities that impact the Invensys Wonderware Information Server (WIS) software.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-113-01
*** Bugtraq: SEC Consult SA-20130507-0 :: Multiple vulnerabilities in NetApp OnCommand System Manager ***
---------------------------------------------
http://www.securityfocus.com/archive/1/526552
*** Honeywords sollen Passwortdiebe in die Falle locken ***
---------------------------------------------
Zwei Krypto-Forscher schlagen vor, Datendiebe mit Köder-Passwörten zu überführen. Loggt sich jemand mit einem der sogenannten Honeywords ein, ist ziemlich sicher etwas faul.
---------------------------------------------
http://www.heise.de/security/meldung/Honeywords-sollen-Passwortdiebe-in-die…
*** nginx "ngx_http_parse_chunked()" Buffer Overflow Vulnerability ***
---------------------------------------------
nginx "ngx_http_parse_chunked()" Buffer Overflow Vulnerability
---------------------------------------------
https://secunia.com/advisories/53248
*** XSS, LFI in Cisco, Linksys E4200 Firmware ***
---------------------------------------------
Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router Firmware Version: 1.0.05 build 7 were discovered by our Researchers in January 2013 and finally acknowledged by Linksys in April 2013. The Vendor is unable to Patch the Vulnerability in a reasonable timeframe.
---------------------------------------------
http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 03-05-2013 18:00 − Montag 06-05-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** What’s a known source of malware doing in an iOS app? Ars investigates ***
---------------------------------------------
Trojans, false positives, and the case of accidental cross contamination.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/suyRCkbyIFE/
*** gpsd AIS driver packet parser denial of service ***
---------------------------------------------
gpsd AIS driver packet parser denial of service
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/83982
*** EMC Avamar Client Certificate Validation Flaw Lets Remote Users Spoof the System ***
---------------------------------------------
http://www.securitytracker.com/id/1028511
*** EMC Avamar Authorization Flaw Lets Remote Authenticated Users Access Files ***
---------------------------------------------
http://www.securitytracker.com/id/1028510
*** Microsoft Releases Security Advisory 2847140 ***
---------------------------------------------
Today, we released Security Advisory 2847140 regarding an issue that impacts Internet Explorer 8. Internet Explorer 6, 7, 9 and 10 are not affected by the vulnerability. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message. Internet Explorer 9 and 10 are not affected by this issue, so upgrading to these versions will help protect you...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-secur…
*** Department of Labor IE 0-day Exploit (CVE-2013-1347) Now Available at Metasploit ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/05/05/departmen…
*** New version of DIY Google Dorks based mass website hacking tool spotted in the wild ***
---------------------------------------------
By Dancho Danchev Need a compelling reason to perform search engine reconnaissance on your website, for the purpose of securing it against eventual compromise? We’re about to give you a good one. A new version of a well known mass website hacking tool has been recently released, empowering virtually anyone who buys it with the capability to [...]
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/8hoG6XIwk8s/
*** Vuln: WordPress Advanced XML Reader Plugin XML External Entity Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/59618
*** Cisco WebEx Cache Directory Read Vulnerability ***
---------------------------------------------
A vulnerability in HTTP processing in multiple Cisco WebEx products could allow an unauthenticated, remote attacker to read files from the cache directory.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Cisco WebEx Uninitialized Memory Read Vulnerability ***
---------------------------------------------
A vulnerability in HTTP processing in multiple Cisco WebEx products could allow an unauthenticated, remote attacker to read uninitialized memory.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Bugtraq: VULNERABLE and COMPLETELY outdated 3rd-party libraries/components used in 3CX Phone 6 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/526541
*** Bugtraq: [SE-2012-01] New security vulnerabilities and broken fixes in IBM Java ***
---------------------------------------------
http://www.securityfocus.com/archive/1/526540
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 02-05-2013 18:00 − Freitag 03-05-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Stephan Richter
*** Weekly Update: WordPress Total Cache and Mimikatz ***
---------------------------------------------
Someone once described PHP as a "web API for remote code execution," and it's true that PHP is definitely web programming without guardrails. This week's security news was dominated by a RCE vulnerability in a pair of wildly popular WordPress plugins, W3 Total Cache and WP Super Cache, which are written in (wait for it) PHP.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/05/02/weekly-up…
*** A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool ***
---------------------------------------------
On a regular basis we profile various DIY (do it yourself) releases offered for sale on the underground marketplace with the idea to highlight the re-emergence of this concept which allows virtually anyone obtaining the leaked tools, or purchasing them, to launch targeted malware attacks. Can DIY exploit generating tools be considered [...]
---------------------------------------------
http://blog.webroot.com/2013/05/02/a-peek-inside-a-cve-2013-0422-exploiting…
*** Android-Virenscanner sind leicht auszutricksen ***
---------------------------------------------
Forscher haben versucht, bekannte Android-Schädlinge an zehn Virenschutzprogramme vorbei zu schleusen und hatten damit zehn Mal Erfolg. Oft genügten minimale Veränderungen an der Malware.
---------------------------------------------
http://www.heise.de/security/meldung/Android-Virenscanner-sind-leicht-auszu…
*** Oracle 11g TNS listener remote Null Pointer Dereference (pre-auth) ***
---------------------------------------------
Topic: Oracle 11g TNS listener remote Null Pointer Dereference (pre-auth) Risk: High Text:High Risk Vulnerability in Oracle Database 11g 1 May 2013 Andy Davis of NCC Group has discovered a High risk vulnerability...
---------------------------------------------
http://cxsecurity.com/wlb/WLB-2013050020
*** New IRC/HTTP based DDoS bot wipes out competing malware ***
---------------------------------------------
Everyday, new vendors offering malicious software enter the underground marketplace. And although many will fail to differentiate their underground market proposition in market crowded with reputable, trusted and verified sellers, others will quickly build their reputation on the basis of their 'innovative' work, potentially stealing some market share and becoming rich by offering the [...]
---------------------------------------------
http://blog.webroot.com/2013/05/03/new-irchttp-based-ddos-bot-wipes-out-com…
*** Multi-Stage Exploit Attacks for More Effective Malware Delivery ***
---------------------------------------------
Most drive-by exploit kits use a minimal exploit shellcode that downloads and runs the final payload. This is akin to a two-stage ICBM (InterContinental Ballistic Missile) where the first stage, the exploit, puts the rocket in its trajectory and the second stage, the payload, inflicts the damage.
---------------------------------------------
http://www.trusteer.com/blog/multi-stage-exploit-attacks-for-more-effective…
*** Fast digital forensics sniff out accomplices ***
---------------------------------------------
Software that rapidly analyses digital devices and builds a list of a suspects known associates could be a powerful tool for solving crimes.
---------------------------------------------
http://www.newscientist.com/article/mg21829156.200-fast-digital-forensics-s…
*** Adobe to Patch Reader Information Leak Bug ***
---------------------------------------------
Adobe is planning to patch a fairly low severity security vulnerability in all of the current versions of Reader and Acrobat that could enable an attacker to track which users have opened a certain PDF document. The vulnerability can't be used for code execution, but researchers say it could be used as part of a [...]
---------------------------------------------
http://threatpost.com/adobe-to-patch-reader-information-leak-bug/
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 30-04-2013 18:00 − Donnerstag 02-05-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Robert Waldner
*** Shamoon/DistTrack Malware (Update A) ***
---------------------------------------------
OverviewW32.DistTrack, also known as "Shamoon," is an information-stealing malware that also includes a destructive module. Shamoon renders infected systems useless by overwriting the Master Boot Record (MBR), the partition tables, and most of the files with random data. Once overwritten, the data are not recoverable. Based on initial reporting and analysis of the malware, no evidence exists that Shamoon specifically targets industrial control systems (ICSs) components or U.S.
---------------------------------------------
http://ics-cert.us-cert.gov/jsar/JSAR-12-241-01A
*** More Malware Showing Up on Fake SourceForge Web Sites ***
---------------------------------------------
Malware developers continue to clone SourceForge Web sites that appear to offer the source code for popular gaming software but are actually peddling malicious code tied to the ZeroAccess Trojan. Julien Sobrier, a security researcher for San Jose-based cloud security provider Zscaler, on Tuesday outlined several more malicious versions of the popular file-sharing sites, some [...]
---------------------------------------------
http://threatpost.com/more-malware-showing-up-on-fake-sourceforge-web-sites/
*** [webapps] - D-Link IP Cameras Multiple Vulnerabilities ***
---------------------------------------------
D-Link IP Cameras Multiple Vulnerabilities
---------------------------------------------
http://www.exploit-db.com/exploits/25138
*** DSA-2665 strongswan ***
---------------------------------------------
authentication bypass
---------------------------------------------
http://www.debian.org/security/2013/dsa-2665
*** MediaWiki 1.20.5 and 1.19.6 Multiple Vulns ***
---------------------------------------------
Topic: MediaWiki 1.20.5 and 1.19.6 Multiple Vulns Risk: Medium Text:I would like to announce the release of MediaWiki 1.20.5 and 1.19.6. These releases fix 2 security related issues that could a...
---------------------------------------------
http://feedproxy.google.com/~r/securityalert_database/~3/-pvFzkoA-H4/WLB-20…
*** FortiClient VPN Client Discloses Password to Remote Users in Certain Cases ***
---------------------------------------------
FortiClient VPN Client Discloses Password to Remote Users in Certain Cases
---------------------------------------------
http://www.securitytracker.com/id/1028501
*** Java applets run wild inside Notes ***
---------------------------------------------
Full compromise possible Attackers with a desire to rummage around inside the PCs of Notes users can do so merely by sending HTML emails containing a Java applet or JavaScript, IBM has admitted in a security advisory.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/05/02/java_runs_i…
*** Kritische Schwachstelle in hunderten Industrieanlagen ***
---------------------------------------------
heise Security hat etliche deutsche Industrieanlagen entdeckt, die leichtsinnig mit dem Internet verbunden sind. Doch damit nicht genug: Durch eine Schwachstelle kann quasi jeder die Kontrolle über Heizkraftwerke, Rechenzentren oder Brauereien übernehmen.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-Schwachstelle-in-hunderten-I…
*** Niederlande: Gesetzentwurf über Entschlüsselungsbefehl ***
---------------------------------------------
Verdächtige sollen gezwungen werden können, das Passwort für verschlüsselte Datenträger herauszugeben. Begründung: Die Festplattenverschlüsselung Truecrypt werde regelmäßig zur Verschleierung von Kinderporno-Besitz genutzt.
---------------------------------------------
http://www.heise.de/security/meldung/Niederlande-Gesetzentwurf-ueber-Entsch…
*** Red Hat update for JBoss Enterprise Application Platform and JBoss Enterprise Web Platform ***
---------------------------------------------
Red Hat update for JBoss Enterprise Application Platform and JBoss Enterprise Web Platform
---------------------------------------------
https://secunia.com/advisories/53208
*** Malicious PDFs On The Rise ***
---------------------------------------------
Throughout 2012, we saw a wide variety of APT campaigns leverage an exploit in Microsoft Word (CVE-2012-0158). This represented a shift, as previously CVE-2010-3333 was the most commonly used Word vulnerability. While we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for Adobe Reader (CVE-2013-0640) that was made infamous by the “MiniDuke” campaign. The malware dropped by these malicious PDFs is not associated with MiniDuke, but it is
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-pdfs-o…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 29-04-2013 18:00 − Dienstag 30-04-2013 18:00
Handler: Stephan Richter
*** Yahoo! Browser for Android Address Bar Spoofing Weakness ***
---------------------------------------------
https://secunia.com/advisories/53214
*** Ruggedcom ROS Hard-Coded RSA SSL Private Key Update ***
---------------------------------------------
OverviewThis Updated Advisory is a follow-up to the original advisory titled ICSA-12-354-01 RuggedCom ROS Hard-Coded RSA SSL Private Key that was published December 18, 2012, on the ICS-CERT Web page.Independent researcher Justin W. Clarke of Cylance Inc., has identified the use of hard-coded RSA SSL private key in RuggedCom's Rugged Operating System (ROS). RuggedCom, an independent subsidiary of Siemens, has produced a new version of the ROS that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-12-354-01A
*** Admin beware: Attack hitting Apache websites is invisible to the naked eye ***
---------------------------------------------
Newly discovered Linux/Cdorked evades detection by running in shared memory.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/MpO11h_pn5M/
*** Apache attack drives traffic to malware ***
---------------------------------------------
Blackhole redirect served by modified daemon binary A security researcher is warning that an attack on the Apache Web server is increasingly showing up in the wild, and has published a free Python tool to check their configurations.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/04/30/apache_dcor…
*** TinyMCE Ajax File Manager Remote Code Execution *youtube ***
---------------------------------------------
http://cxsecurity.com/wlb/WLB-2013040207
*** phpMyAdmin 3.5.8 Authenticated Remote Code Execution Exploit ***
---------------------------------------------
http://cxsecurity.com/wlb/WLB-2013040203
*** WordPress Easy AdSense Lite Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/52953
*** FreeBSD NFS Server Input Validation Bug May Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1028491
*** HP Service Manager Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/53260
*** [TYPO3-announce] [TYPO3-dev] Announcing TYPO3 CMS 6.1.0 Final Release ***
---------------------------------------------
http://typo3.org/download/release-notes/typo3-61-release-notes/
Next End-of-Shift report on 2013-05-02
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 26-04-2013 18:00 − Montag 29-04-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Christian Wojner
*** Dutchman Arrested in Spamhaus DDoS ***
---------------------------------------------
A 35-year-old Dutchman thought to be responsible for launching whats been called "the largest publicly announced online attack in the history of the Internet" was arrested in Barcelona on Thursday by Spanish authorities. The man, identified by Dutch prosecutors only as "SK," was being held after a European warrant was issued for his arrest in connection with a series of massive online attacks last month against Spamhaus, an anti-spam organization ...
---------------------------------------------
http://krebsonsecurity.com/2013/04/dutchman-arrested-in-spamhaus-ddos/
*** McAfee ePolicy Orchestrator Input Validation Flaw Lets Remote Users Inject SQL Commands, Execute Arbitrary Code, and Upload Files ***
---------------------------------------------
McAfee ePolicy Orchestrator Input Validation Flaw Lets Remote Users Inject SQL Commands, Execute Arbitrary Code, and Upload Files
---------------------------------------------
http://www.securitytracker.com/id/1028479
*** Tracking PDF Usage Poses a Security Problem ***
---------------------------------------------
Looking back this year's RSA Conference, you might have the feeling that the current threat landscape is primarily a series of advanced attacks. This concept includes well-known advanced persistent threats (APTs) and zero-day vulnerability exploits. To respond to this trend in threats, McAfee Labs has launched several innovative projects, one of which we call the advanced exploit detection system (AEDS).
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/tracking-pdf-usage-poses-a-security-pro…
*** VMware security updates for vCenter Server VMSA-2013-0006 ***
---------------------------------------------
VMware security updates for vCenter Server
---------------------------------------------
https://www.vmware.com/support/support-resources/advisories/VMSA-2013-0006.…
*** Hacker klauen Daten von 50 Millionen LivingSocial-Kunden ***
---------------------------------------------
Aller Voraussicht nach sind Hacker in Besitz der auf den LivingSocial-Servern hinterlegten persönlichen Kundendaten gelangt.
---------------------------------------------
http://www.heise.de/security/meldung/Hacker-klauen-Daten-von-50-Millionen-L…
*** The Importance of Strong Passwords on Social Media ***
---------------------------------------------
Last Tuesday, April 23, the Twitter account of the Associated Press news agency was hacked and sent out a hoax tweet reporting that President Barack Obama had been injured by an explosion in the White House. Within seconds, Wall Street was in panic mode and US stock plunged. Situations like this illustrate once again the ...
---------------------------------------------
http://pandalabs.pandasecurity.com/the-importance-of-strong-passwords-on-so…
*** Manipulierte Apache-Binaries laden Schadcode ***
---------------------------------------------
Sicherheitsunternehmen haben nach eigenen Angaben Hunderte von manipulierten Apache-Servern gefunden, die sich von Angreifern steuern lassen. Sie leiten Requests auf Malware- und Porno-Seiten um.
---------------------------------------------
http://www.heise.de/security/meldung/Manipulierte-Apache-Binaries-laden-Sch…
*** BOINC Multiple vulnerabilities ***
---------------------------------------------
Topic: BOINC Multiple vulnerabilities Risk: Medium Text:There have been various recent(-ish) vulnerabilities found in the BOINC software for desktop grid computing. The major project...
---------------------------------------------
http://cxsecurity.com/wlb/WLB-2013040196
*** D-Link DIR-635 change password security bypass ***
---------------------------------------------
D-Link DIR-635 change password security bypass
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/83832
*** Gegen selbst-aktualisierende Apps: Googles Play Store schafft eine "Lex Facebook" ***
---------------------------------------------
Im März brachte Facebook erste Updates für seine Android-App heraus, die am Play Store vorbei geschleust wurden. Jetzt hat der Play Store seine Entwickler-Richtlinien geändert. Updates sind nur über den Play Store legitim.
---------------------------------------------
http://www.heise.de/security/meldung/Gegen-selbst-aktualisierende-Apps-Goog…
*** Library of Malware Traffic Patterns ***
---------------------------------------------
Traffic analysis has been the primary method of malware identification and thousands of IDS signatures developed are the daily proof. Signatures definitely help but ability to visually recognize malware traffic patterns and see the trends when they change has been always an important skill for anyone tasked with network defense.
---------------------------------------------
http://www.deependresearch.org/2013/04/library-of-malware-traffic-patterns.…
*** C&C Servers Reconfigured to Make Them More Advanced ***
---------------------------------------------
FireEye, which recently released a report The Advanced Cyber Attack Landscape describes cyber-criminals as doing better in bypassing identification by constantly changing the configurations of their central C&C structures so foremost malware is able to establish communication with localized C&C infrastructures, meaning the identical nation-based infrastructures where the newly-contaminated computers are situated, ...
---------------------------------------------
http://www.spamfighter.com/News-18322-CC-Servers-Reconfigured-to-Make-Them-…
*** The Security Risks of Unlocking Your Android Phone's Bootloader ***
---------------------------------------------
ndroid geeks often unlock their bootloaders to root their devices and install custom ROMs. But there's a reason devices come with locked bootloaders unlocking your bootloader creates security risks.
---------------------------------------------
http://www.howtogeek.com/142502/htg-explains-the-security-risks-of-unlockin…
*** The Latest Java Exploit with Security Prompt/Warning Bypass (CVE-2013-2423) ***
---------------------------------------------
>From Java SE 7 update 11 oracle has introduced a new security features called security warning that prompts a window every time an applet request for execution.
---------------------------------------------
http://security-obscurity.blogspot.co.at/2013/04/the-latest-java-exploit-wi…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 25-04-2013 18:00 − Freitag 26-04-2013 18:00
Handler: Stephan Richter
Co-Handler: L. Aaron Kaplan
*** Bugtraq: Nginx ngx_http_close_connection function integer overflow ***
---------------------------------------------
http://www.securityfocus.com/archive/1/526439
*** Anti-Phishing Workgroup Publishes 2012 Global Phishing Report. Download here: http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2012.pdf, (Thu, Apr 25th) ***
---------------------------------------------
-- John Bambenek bambenek \at\ gmail /dot/ com Bambenek Consulting (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=15683&rss
*** Vulnerability in Citrix NetScaler Access Gateway Enterprise Edition Could Result in Unauthorized Access to Network Resources ***
---------------------------------------------
A vulnerability has been identified in NetScaler Access Gateway Enterprise Edition that could allow a remote attacker to gain unauthorized access to internal network resources.
---------------------------------------------
http://support.citrix.com/article/ctx137238
*** HPSBPI02868 SSRT101017 rev.1 - HP Managed Printing Administration (MPA), Remote Cross Site Scripting (XSS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP Managed Printing Administration (MPA). The vulnerability could be exploited remotely resulting in cross site scripting (XSS).
---------------------------------------------
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c037…
*** Multiple HP LaserJet products unauthorized access ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/83817
*** VMSA-2013-0006 VMware security updates for vCenter Server ***
---------------------------------------------
VMware has updated vCenter Server Appliance (vCSA) and vCenter Server running on Windows to address multiple security vulnerabilities.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2013-0006.html
*** IBM Security Bulletin: Vulnerabilities in AppScan Standard ***
---------------------------------------------
The IBM Security AppScan Standard 8.6 (previously known as IBM Rational AppScan Standard Edition) release includes fixes to two security vulnerabilities.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21609022
*** Security Bulletin: Vulnerability in Sametime Links (CVE-2013-0533) ***
---------------------------------------------
Sametime Links can be exploited to create a DOM-based XSS vulnerability. A fix is provided. CVE(s): CVE-2013-0533 Affected product(s) and affected version(s): Sametime Links 8.0.2, 8.5, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1 server on any platform. Refer to the following reference URLs for remediation and additional vulnerability details. ---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_vul…
*** Possible Exploit Vector for DarkLeech Compromises ***
---------------------------------------------
Often it is quite surprising how long old, well-known vulnerabilities continue to be exploited. Recently, a friend sent me an example of a malicious script used in an attempted attack against their server:...
---------------------------------------------
http://blogs.cisco.com/security/possible-exploit-vector-for-darkleech-compr…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 24-04-2013 18:00 − Donnerstag 25-04-2013 18:00
Handler: Stephan Richter
Co-Handler: L. Aaron Kaplan
*** Multiple Vulnerabilities in Cisco NX-OS-Based Products ***
---------------------------------------------
Multiple Vulnerabilities in Cisco NX-OS-Based Products
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Device Manager Command Execution Vulnerability ***
---------------------------------------------
Cisco Device Manager Command Execution Vulnerability
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in Cisco Unified Computing System ***
---------------------------------------------
Multiple Vulnerabilities in Cisco Unified Computing System
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Apache CloudStack Multiple vulnerabilities ***
---------------------------------------------
Topic: Apache CloudStack Multiple vulnerabilities Risk: High Text:Product: Apache CloudStack Vendor: The Apache Software Foundation CVE References: CVE-2013-2756, CVE-2013-2758 Vulnerability...
---------------------------------------------
http://cxsecurity.com/wlb/WLB-2013040178
*** phpMyAdmin 3.5.8 LFI & Array Overwrite & Remote code execution ***
---------------------------------------------
Topic: phpMyAdmin 3.5.8 LFI & Array Overwrite & Remote code execution Risk: High Text:[waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin = Author: Janek Vind "waraxe" Date...
---------------------------------------------
http://cxsecurity.com/wlb/WLB-2013040179
*** Travnet Botnet Steals Huge Amount of Sensitive Data ***
---------------------------------------------
In a McAfee Labs blog by my colleague Vikas Taneja last month, he discussed high-level functioning in the malware Travnet. Since then we have continued to analyze different samples and now classify Travnet as a botnet rather than a Trojan because of the presence of control code, and the malware's ability to wait for further commands from the malicious control server.
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-se…
*** Joomla! Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/53202
*** ALFContact component for Joomla! unspecified cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/83765
*** Citrix CloudPlatform Multiple Security Bypass Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/53204
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 23-04-2013 18:00 − Mittwoch 24-04-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Kenneth van Wyk: Making safer iOS apps ***
---------------------------------------------
When it comes to developing secure apps for the iOS operating system, theres both good and bad news. Lets get the bad news out of the way first. There are a lot of apps out there, including ones developed by various businesses for their customers to use, that have egregious and easy-to-avoid security vulnerabilities.
---------------------------------------------
https://www.computerworld.com/s/article/9238618/Kenneth_van_Wyk_Making_safe…
*** Encrypted Disk Detector - Useful during incident response to quickly and non-intrusively check for encrypted volumes ***
---------------------------------------------
Encrypted Disk Detector - Useful during incident response to quickly and non-intrusively check for encrypted volumes
---------------------------------------------
http://info.magnetforensics.com/encrypted-disk-detector
*** Serial Offenders: Widespread Flaws in Serial Port Servers ***
---------------------------------------------
Serial Offenders: Widespread Flaws in Serial Port Servers
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-of…
*** CVE-2013-2423 Java Vulnerability Exploit ITW ***
---------------------------------------------
A few days after Oracle released a critical patch, CVE-2013-2423 is found to already been exploited. Upon checking the history, the exploitation seems to have begun on April 21st and is still actively happening until a few hours ago:For a closer look, the image below contains a comparison of the classes found in the Metasploit module and that of the ITW sample:Interestingly, the Metasploit module was published on the 20th, and as mentioned earlier, the exploit was seen in the wild the day
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002544.html
*** Malware Callbacks ***
---------------------------------------------
Today we released our first-ever analysis of malware callbacks. Our report can be accessed here: http://www2.fireeye.com/WEB2013ATLReport.html. FireEye monitored more than 12 million malware communications seeking instructions—or callbacks—across hundreds of thousands of infected enterprise hosts, capturing details of advanced attacks as … Continue reading →
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/04/malware-call…
*** Schneider Electric MiCOM S1 Studio Improper Authorization Vulnerability ***
---------------------------------------------
OverviewThis advisory provides mitigation details for a vulnerability affecting the Schneider Electric MiCOM S1 Studio Software.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-100-01
*** 3S CODESYS Gateway-Server Multiple Vulnerabilities (Update A) ***
---------------------------------------------
OverviewThis updated advisory is a follow-up to the original advisory titled ICSA-13-050-01, 3S CODESYS Gateway-Server Multiple Vulnerabilities that was published February 19, 2013, on the ICS-CERT Web page.This updated advisory provides mitigation details for multiple vulnerabilities in the 3S-Smart Software Solutions GmbH CODESYS Gateway-Server.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-050-01A
*** OpenText/IXOS ECM for SAP NetWeaver Remote ABAP Code Injection ***
---------------------------------------------
Topic: OpenText/IXOS ECM for SAP NetWeaver Remote ABAP Code Injection Risk: High Text:[ESNC-2013-004] Remote ABAP Code Injection in OpenText/IXOS ECM for SAP NetWeaver Please refer to http://www.esnc.de for the...
---------------------------------------------
http://cxsecurity.com/wlb/WLB-2013040165
*** ClamAV Unspecified Vulnerabilities ***
---------------------------------------------
ClamAV Unspecified Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/53150
*** FSC-2013-1: Remote code execution vulnerability in DLL component ***
---------------------------------------------
A vulnerability in a legacy DLL component related to ActiveX control, in certain F-Secure’s server products, allows arbitrary connections to be made to the ODBC drivers when using the Internet Explorer (IE) web browser. If the local server is running using local authentication, an attacker may be able to execute arbitrary SQL statements.
---------------------------------------------
http://www.f-secure.com/en/web/labs_global/fsc-2013-1
*** Joomla! ALFContact Component Unspecified Cross-Site Scripting Vulnerability ***
---------------------------------------------
Joomla! ALFContact Component Unspecified Cross-Site Scripting Vulnerability
---------------------------------------------
https://secunia.com/advisories/53147
*** Verizon 2013 Data Breach Investigations Report ***
---------------------------------------------
This year’s DBIR combines the expertise of 19 organizations from around the globe. Download the report to discover stats that might surprise you—from the percentage of espionage-related attacks to the astonishing length of time it often takes to spot a security breach. By knowing today’s threats, you can better protect your organization tomorrow.
---------------------------------------------
http://www.verizonenterprise.com/DBIR/2013/
*** Wordpress: Gefährliche Lücken in Cache-Plug-Ins ***
---------------------------------------------
Zwei millionenfach genutzte Wordpress-Plug-Ins können für das Ausführen beliebigen Codes ausgenutzt werden. Die Lücken sind gestopft, jetzt muss gepatcht werden!
---------------------------------------------
http://www.heise.de/security/meldung/Wordpress-Gefaehrliche-Luecken-in-Cach…
*** CiviCRM Multiple Products Open Flash Chart Arbitrary File Creation Vulnerability ***
---------------------------------------------
CiviCRM Multiple Products Open Flash Chart Arbitrary File Creation Vulnerability
---------------------------------------------
https://secunia.com/advisories/53158
*** Interesting Credit Card transactions, are you seeing similar?, (Wed, Apr 24th) ***
---------------------------------------------
In my day job we get involved in payment systems, credit card transactions etc. We are also asked to investigate and explain incidents as well as "unusual" activity. When looking at credit card payments there are always payments for people like lkjsdflkjs and "famous person name", usually small value transactions $2, $5, $10 although recently weve started seeing $60 transactions. These are easily identified and the motive is very clear, test the card. If the transaction
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=15671&rss
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 22-04-2013 18:00 − Dienstag 23-04-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Cisco Firewall Services Module time-range Object Security Bypass Security Issue ***
---------------------------------------------
Cisco Firewall Services Module time-range Object Security Bypass Security Issue
---------------------------------------------
https://secunia.com/advisories/53140
*** Cisco ASA Software time-range Object Security Bypass Security Issue ***
---------------------------------------------
Cisco ASA Software time-range Object Security Bypass Security Issue
---------------------------------------------
https://secunia.com/advisories/53131
*** CAPTCHA-solving Russian email account registration tool helps facilitate cybercrime ***
---------------------------------------------
By Dancho Danchev Just how challenged are cybercriminals when they’re being exposed to CAPTCHAs in 2013? Not even bothering to “solve the problem” by themselves anymore, thanks to the cost-efficient, effective, and fully working process of outsourcing the CAPTCHA solving process to humans thereby allowing the cybercriminals to abuse any given Web property, as if it were multiple [...]
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/SpUsORYAF3o/
*** MyBB Multiple Vulnerabilities ***
---------------------------------------------
MyBB Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/52828
*** VirusTotal += PCAP Analyzer ***
---------------------------------------------
VirusTotal is a greedy creature, one of its gluttonous wishes is to be able to understand and characterize all the races it encounters, it already understood the insurgent collective of Portable Executables, the greenish creatures known as Android APKs, the talkative PDF civilization, etc. as of today it also figures out PCAPs, a rare group of individuals obsessed with recording everything they see.
---------------------------------------------
http://blog.virustotal.com/2013/04/virustotal-pcap-analyzer.html
*** Crypto guru: Dont blame users, get coders security training instead ***
---------------------------------------------
Murdochs infosec man adds arrogant techies also vulnerable Infosec 2013 Experts on both sides of the vendor-customer divide in the UK and a US cryptographer are at odds over whether or not security training is a waste of time.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/04/23/security_aw…