=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 03-09-2013 18:00 − Mittwoch 04-09-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Hintergrund: Browser-SSL entschlüsselt ***
---------------------------------------------
Mit einem kleinen Trick speichern Firefox und Chrome die verwendeten Schlüssel so, dass Wireshark die damit verschlüsselten Daten gleich dekodieren kann.
---------------------------------------------
http://www.heise.de/security/artikel/Browser-SSL-entschluesselt-1948431.html
*** Software Developer Says Mega Master Keys Are Retrievable ***
---------------------------------------------
hypnosec writes that software developer Michael Koziarski has released a bookmarklet "which he claims has the ability to reveal Mega users master key. Koziarski went on to claim that Mega has the ability to grab its users keys and use them to access their files. Dubbed MegaPWN, the tool not only reveals a users master key, but also gives away a users RSA private key exponent. MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing
---------------------------------------------
http://yro.slashdot.org/story/13/09/03/1720223/software-developer-says-mega…
*** Cidox Trojan Spoofs HTTP Host Header to Avoid Detection ***
---------------------------------------------
Lately, we have seen a good number of samples generating some interesting network traffic through our automated framework. The HTTP network pattern generated contains a few interesting parameters, names like "&av" (for antivirus?) and "&vm="(VMware?), The response received looked to be encrypted, which drew my attention. Also, all the network traffic contained the same host Read more...
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/cidox-trojan-spoofs-http-host-header-to…
*** Styx-like Cool Exploit Kit: How It Works ***
---------------------------------------------
While the Blackhole Exploit Kit is the most well-known of the exploit kits that affect users, other exploit kits are also well known in the Russian underground. In this post, we will look at how these other kits work, and its differences from other exploit kits. One well-known Blackhole alternative is the Styx Exploit Kit.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pac…
*** Researchers: Oracle's Java Security Fails ***
---------------------------------------------
Faced with an onslaught of malware attacks that leverage vulnerabilities and design weaknesses in Java, Oracle Corp. recently tweaked things so that Java now warns users about the security risks of running Java content. But new research shows that the integrity and accuracy of these warning messages can be subverted easily in any number of ways, and that Oracles new security scheme actually punishes Java application developers who adhere to it.
---------------------------------------------
http://krebsonsecurity.com/2013/09/researchers-oracles-java-security-fails/
*** The Red Book - The SysSec Roadmap for Systems Security Research ***
---------------------------------------------
The SysSec Red Book is a Roadmap in the area of Systems Security, as prepared by the SysSec consortium and its constituency. For preparing this roadmap a Task Force of young researchers with proven track of record in the area was assembled and collaborated with the senior researchers of SysSec. Additionally, the SysSec Community has been consulted to provide input on the contents of the roadmap.
---------------------------------------------
http://www.red-book.eu/
*** [Video] ThreatVlog, Episode 3: NYT, Twitter, and HuffPost hacked by Syrian Electronic Army ***
---------------------------------------------
In this episode of ThreatVlog, Grayson Milbourne covers the information behind the Syrian Electronic Army's hacking of New York Times, Twitter, and Huffington Post. Grayson includes a breakdown of the hack as well as information on how to keep your own websites protected form this malicious behavior.The post [Video] ThreatVlog, Episode 3: NYT, Twitter, and HuffPost hacked by Syrian Electronic Army appeared first on Webroot Threat Blog.
---------------------------------------------
http://www.webroot.com/blog/2013/09/04/video-threatvlog-episode-3-nyt-twitt…
*** Bugtraq: SEC Consult SA-20130904-0 :: GroupLink everything HelpDesk - undocumented password reset/admin takeover and XSS vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528420
*** Samsung Galaxy S4 Polaris Viewer DOCX Buffer Overflow Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54701
*** MediaWiki Security Release ***
---------------------------------------------
I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and 1.19.8. These releases fix 3 security related bugs that could affect users of MediaWiki.
---------------------------------------------
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/0001…
*** OpenVZ update for kernel ***
---------------------------------------------
https://secunia.com/advisories/54311
*** Linux Kernel PID Spoofing Privilege Escalation Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54675
*** Sixnet Universal Protocol Undocumented Function Codes (Update A) ***
---------------------------------------------
OVERVIEW: This updated advisory is a follow-up to the original advisory titled ICSA-13-231-01 Sixnet Universal Protocol Undocumented Function Codes that was published August 19, 2013, on the ICS-CERT Web page.Independent researcher Mehdi Sabraoui has identified undocumented function codes in Sixnet's universal protocol. Sixnet has produced a new version of the remote terminal unit (RTU) firmware that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-231-01A
*** Tridium Niagara Vulnerabilities (Update A) ***
---------------------------------------------
OVERVIEW--------- Begin Update A Part 1 of 2 --------This updated advisory is a follow-up to the original advisory titled ICSA-12-228-01 Tridium Niagara Multiple Vulnerabilities that was published August 15, 2012, on the ICS-CERT Web page. It is also a follow-up to ICS-ALERT-12-195-01 Tridium Niagara Directory Traversal and Weak Credential Storage Vulnerability that was published July 13, 2012, on the ICS-CERT Web page.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-12-228-01A
*** Cisco Mobility Services Engine Configuration Error Lets Remote Users Login Anonymously ***
---------------------------------------------
http://www.securitytracker.com/id/1028972
*** Cisco Secure Access Control System (ACS) TACACS+ Socket Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54687
*** SAP NetWeaver "ABAD0_DELETE_DERIVATION_TABLE" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54702
*** Vuln: Supermicro IPMI Web Interface Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/62094http://www.securityfocus.com/bid/62097http://www.securityfocus.com/bid/62098
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-0585, CVE-2013-3034, CVE-2013-3040 and CVE-2013-0599) ***
---------------------------------------------
Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-0585, CVE-2013-3034, CVE-2013-3040 and CVE-2013-0599) CVE(s): CVE-2013-0585, CVE-2013-3034, CVE-2013-3040, and CVE-2013-0599 Affected product(s) and affected version(s): IBM InfoSphere Information Server version 9.1 running on all platforms Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 02-09-2013 18:00 − Dienstag 03-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Blog: NetTraveler Is Back: The Red Star APT Returns With New Tricks ***
---------------------------------------------
NetTraveler, which we described in depth in a previous post, is an APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler (also known as ‘Travnet’ or “Netfile”) include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.
---------------------------------------------
http://www.securelist.com/en/blog/208214039/NetTraveler_Is_Back_The_Red_Sta…
*** 353,436 Exposed ZTE Devices Found In Net Census ***
---------------------------------------------
mask.of.sanity writes "Hundreds of thousands of internet-accessible devices manufactured Chinese telco ZTE have been found with default or hardcoded usernames and passwords. The devices were discovered in analysis of the huge dataset from the Internet Census run this year. ZTE topped the charts, accounting for 28 percent of all affected devices worldwide. Only one manufacturer has responded to the researchers bid to supply the data in efforts to stop production of insecure devices."
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/Ev4LKChpZbQ/story01.htm
*** USB-Tastatur kapert Linux-Kern ***
---------------------------------------------
Der Speicher eines Linux-Systems kann durch USB-Endgeräte fast beliebig manipuliert werden, wie ChromeOS-Entwickler Kees Cook entdeckte. Einen Patch für das Problem lieferte er gleich mit.
---------------------------------------------
http://www.heise.de/newsticker/meldung/USB-Tastatur-kapert-Linux-Kern-19475…
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
A security issue and multiple vulnerabilities have been reported in cPanel, which can be exploited by malicious, local users to disclose potentially sensitive information, bypass certain security restrictions, manipulate certain data, and gain escalated privileges and by malicious users to conduct script insertion attacks, bypass certain security restrictions, and compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/54601
*** Bugtraq: PayPals "invalid" aksession Padding Oracle Flaw ***
---------------------------------------------
The main PayPal web site sets a cookie named "aksession" which contains a blob of base64-encoded ciphertext. This ciphertext is encrypted using a 64-bit block cipher in CBC mode and does not have any other integrity protection. Naturally, this means the aksession cookie is vulnerable to a padding oracle attack allowing full decryption and forgery.
---------------------------------------------
http://www.securityfocus.com/archive/1/528403
*** [remote] - Mikrotik RouterOS sshd (ROSSSH) - Remote Preauth Heap Corruption ***
---------------------------------------------
During an audit the Mikrotik RouterOS sshd (ROSSSH) has been identified to have a remote previous to authentication heap corruption in its sshd component.
Exploitation of this vulnerability will allow full access to the router device.
---------------------------------------------
http://www.exploit-db.com/exploits/28056
*** [webapps] - TP-Link TD-W8951ND - Multiple Vulnerabilities ***
---------------------------------------------
Tested on TP-Link TD-W8951ND Firmware 4.0.0 Build 120607 Rel.30923
---------------------------------------------
http://www.exploit-db.com/exploits/28055
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 30-08-2013 18:00 − Montag 02-09-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Njw0rm - Brother From the Same Mother ***
---------------------------------------------
FireEye Labs has discovered an intriguing new sibling of the njRAT remote access tool (RAT) that one-ups its older "brother" with a couple of diabolically clever features. Created by the same author as njRAT - a freelance coder who goes by...
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-broth…
*** US Mounted 231 Offensive Cyber-operations In 2011, Runs Worldwide Botnet ***
---------------------------------------------
An anonymous reader sends this news from the Washington Post: "U.S. intelligence services carried out 231 offensive cyber-operations in 2011, the leading edge of a clandestine campaign that embraces the Internet as a theater of spying, sabotage and war, according to top-secret documents [from Edward Snowden]. Additionally, under an extensive effort code-named GENIE, U.S. computer specialists break into foreign networks so that they can be put under surreptitious U.S. control. Budget...
---------------------------------------------
http://yro.slashdot.org/story/13/08/31/2223212/us-mounted-231-offensive-cyb…
*** Boffins follow TOR breadcrumbs to identify users ***
---------------------------------------------
Anonymity? Fuggedaboutit! Watching TOR for months reveals true names Its easier to identify TOR users than they believe, according to research published by a group of researchers from Georgetown University and the US Naval Research Laboratory (USNRL).
---------------------------------------------
http://www.theregister.co.uk/2013/09/01/tor_correlation_follows_the_breadcr…
*** Cisco IOS TCP ACK Processing Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1028969
*** Cisco ASA Idle Timeout Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1028968
*** IBM WebSphere Commerce Search Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54734
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 29-08-2013 18:00 − Freitag 30-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** CoreText Font Rendering Bug Leads To iOS, OS X Exploit ***
---------------------------------------------
redkemper writes with this news from BGR.com (based on a report at Hacker News), excerpting: "Android might be targeted by hackers and malware far more often than Apples iOS platform, but that doesnt mean devices like the iPhone and iPad are immune to threats. A post on a Russian website draws attention to a fairly serious vulnerability that allows nefarious users to remotely crash apps on iOS 6, or even render them unusable. The vulnerability is seemingly due to a bug in Apples CoreText...
---------------------------------------------
http://apple.slashdot.org/story/13/08/29/155221/coretext-font-rendering-bug…
*** Cloud-Dienst als Malware-Einfallstor ***
---------------------------------------------
IT-Sicherheitsforscher haben eine Methode gezeigt, mit der über Dropbox und Co. Sicherheitsmechanismen von Firmen überwunden werden können.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Cloud-Dienst-als-Malware-Einfallstor…
*** Sicherheitsforscher knacken Dropbox ***
---------------------------------------------
Client entschlüsselt - Zwei-Weg-Authentifizierung kann umlaufen werden
---------------------------------------------
http://derstandard.at/1376535110812
*** TeleGeographys Interactive Submarine Cable Map ***
---------------------------------------------
....Ever want to know where all the submarine cables are that provide part of the physical infrastructure of the Internet? Or which cities in the world have the most connectivity via submarine cables? (or which regions might be single points of failure?) In doing some research I stumbled across this excellent site from the folks at TeleGeography ...
---------------------------------------------
http://www.submarinecablemap.com/
*** FinFisher range of attack tools ***
---------------------------------------------
FinFisher is a range of attack tools developed and sold by a company called Gamma Group.Recently, some FinFisher sales brochures and presentations were leaked on the net. They contain many interesting details about these tools.In the background part of the FinFisher presentation, they go on to explain how Gamma hired the (at-the-time) main developer of Backtrack Linux to build attack tools for Gamma. This is a reference to Martin Johannes Münch. They also boast how their developers have...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002601.html
*** vBulletin users warned of potential exploit ***
---------------------------------------------
The forum softwares developers advise users to delete the install folder
---------------------------------------------
http://www.csoonline.com/article/738959/vbulletin-users-warned-of-potential…
*** MatrikonOPC SCADA DNP3 Master Station Improper Input Validation ***
---------------------------------------------
OVERVIEW: This updated advisory was originally posted to the US-CERT secure Portal library on August 02, 2013, and is now being released to the ICS-CERT Web page.Adam Crain of Automatak and independent researcher Chris Sistrunk have identified a buffer overflow vulnerability in MatrikonOPC’s SCADA DNP3 OPC Server application. MatrikonOPC has produced a patch that mitigates this vulnerability. The researchers tested the patch to validate that it resolves the vulnerability.This vulnerability...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-213-04A
*** Cisco Identity Services Engine Discloses Authentication Credentials to Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1028965
*** IBM InfoSphere Information Server Web Console Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54698
*** Schneider Electric OFS XML External Entities Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54616
*** Cisco ASA Software TFTP Protocol Inspection Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54699
*** LibTIFF Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54628
*** VMSA-2013-0011 ***
---------------------------------------------
VMware ESXi and ESX address an NFC Protocol Unhandled Exception
---------------------------------------------
http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0011.h…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 28-08-2013 18:00 − Donnerstag 29-08-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Bugtraq: Cisco Security Advisory: Cisco Secure Access Control Server Remote Command Execution Vulnerability ***
---------------------------------------------
Cisco Security Advisory: Cisco Secure Access Control Server Remote Command Execution Vulnerability
---------------------------------------------
http://www.securityfocus.com/archive/1/528295
*** Kelihos Relying on CBL Blacklists to Evaluate New Bots ***
---------------------------------------------
The Kelihos botnet is leveraging legitimate security services such as composite blocking lists (CBLs) to test the reliability of victim IP addresses before using them to push spam and malware.
---------------------------------------------
http://threatpost.com/kelihos-relying-on-cbl-blacklists-to-evalute-new-bots…
*** Java Native Layer Exploits Going Up ***
---------------------------------------------
Recently, security researchers disclosed two Java native layer exploits (CVE-2013-2465 and CVE-2013-2471). This caused us too look into native layer exploits more closely, as they have been becoming more common this year. At this year’s Pwn2Own competition at CanSecWest, Joshua Drake showed CVE-2013-1491, which was exploitable on Java 7 running on Windows 8. CVE-2013-1493 has […]Post from: Trendlabs Security Intelligence Blog - by Trend MicroJava Native Layer Exploits Going Up
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/--YBZ1lrFxM/
*** Cisco Secure Access Control Server EAP-FAST Authentication Flaw Lets Remote Users Execute Arbitrary Commands ***
---------------------------------------------
Cisco Secure Access Control Server EAP-FAST Authentication Flaw Lets Remote Users Execute Arbitrary Commands
---------------------------------------------
http://www.securitytracker.com/id/1028958
*** Unpatched Mac bug gives attackers “super user” status by going back in time ***
---------------------------------------------
Exploiting the five-month-old "sudo" flaw in OS X just got easier.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/r1T9FKbYWWY/story01…
*** Triangle MicroWorks Improper Input Validation ***
---------------------------------------------
OVERVIEWAdam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in multiple Triangle MicroWorks’ products and third‑party components. Triangle MicroWorks has produced an update that mitigates this vulnerability. Adam Crain has tested the update to validate that it resolves the vulnerability.This vulnerability could be exploited remotely.AFFECTED PRODUCTSThe following Triangle MicroWorks products are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-240-01
*** Bugtraq: 30C3 Call for Participation ***
---------------------------------------------
30C3 Call for Participation
---------------------------------------------
http://www.securityfocus.com/archive/1/528298
*** Suspect Sendori software, (Thu, Aug 29th) ***
---------------------------------------------
Reader Kevin wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180 which is truly an IP attributed to Sendori via lookup results. Sendoris reputation is already a bit sketchy; search results for Sendori give immediate pause but this download in particular goes beyond the pale. With claims that "As of
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16466&rss
*** WordPress Wordfence 3.8.1 Cross Site Scripting ***
---------------------------------------------
Topic: WordPress Wordfence 3.8.1 Cross Site Scripting Risk: Low Text:# Exploit Title: Wordpress Plugin Wordfence 3.8.1 - Cross Site Scripting # Date: 28 de Agosto del 2013 # Exploit Author: Dyla...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080221
*** Google Docs Information Disclosure ***
---------------------------------------------
Topic: Google Docs Information Disclosure Risk: Medium Text:I reported this problem to Google in June but I did not get the usual reply saying they were working on it, so I guess it isn...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080224
*** Bugtraq: Drupal Node View Permissions module and Flag module Vulnerabilities ***
---------------------------------------------
Drupal Node View Permissions module and Flag module Vulnerabilities
---------------------------------------------
http://www.securityfocus.com/archive/1/528310
*** Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two ***
---------------------------------------------
By Dancho Danchev The list of monetization tactics a cybercriminal can take advantage of, once they manage to hijack a huge portion of Web traffic, is virtually limitless and is entirely based on his experience within the cybercrime ecosystem. Through the utilization of blackhat SEO (search engine optimization), RFI (Remote File Inclusion), DNS cache poisoning, or […]
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/zWNtszZsWRs/
*** IBM InfoSphere Information Server Multiple Vulnerabilities ***
---------------------------------------------
IBM InfoSphere Information Server Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54666
*** Office 2003s burial will resurrect hacker activity ***
---------------------------------------------
The end of Microsofts support for popular suite come April 2014 will usher in an era of infinite zero-day attacks, analyst predicts
---------------------------------------------
http://www.csoonline.com/article/738914/office-2003-s-burial-will-resurrect…
*** [papers] - Metasploit -The Exploit Learning Tree ***
---------------------------------------------
Metasploit -The Exploit Learning Tree
---------------------------------------------
http://www.exploit-db.com/download_pdf/27935
*** Outage Analyzer - Track Web Service Outages,in Real Time ***
---------------------------------------------
....Outage Analyzer lets you view internet service outages as they occur around the world. The application lists the outages that are occurring now or can provide a view of outages that have closed recently......
---------------------------------------------
http://www.compuware.com/en_us/application-performance-management/products/…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 27-08-2013 18:00 − Mittwoch 28-08-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Security Bulletin: IBM Tivoli Monitoring clients affected by vulnerabilities in IBM JRE executed under a security manager. ***
---------------------------------------------
IBM Tivoli Monitoring ships and uses a Java Runtime Environment (JRE). This alert addresses several vulnerabilities for the Tivoli Enterprise Portal browser JRE which might allow remote untrusted Java WebStart applications and untrusted Java applets to affect confidentiality, availability and integrity. CVE(s): CVE-2013-2467, CVE-2013-2448, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Firefox Extension HTTP Nowhere Allows Users to Browse in Encrypted-Only Mode ***
---------------------------------------------
It’s no secret that the Web wasn’t really meant to be a secure platform, for communications or commerce or anything else. But it’s used for all of these functions every day, and for the most part they depend upon the sites they deal with using SSL and doing so correctly. That’s not always a sure [...]
---------------------------------------------
http://threatpost.com/firefox-extension-http-nowhere-allows-users-to-browse…
*** Microsoft Releases Revisions to 4 Existing Updates, (Tue, Aug 27th) ***
---------------------------------------------
Four patches have undergone signficant revision according to Microsoft. The following patches were updated today by Microsoft, and are set to roll in the automatic updates: MS13-057 - Critical - https://technet.microsoft.com/security/bulletin/MS13-057 - Reason for Revision: V3.0 (August 27, 2013): Bulletin revised to rerelease security update 2803821 for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008; security update 2834902 for Windows XP and Windows Server 2003;
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16448&rss
*** Asterisk SIP Request Processing Flaw With Invalid SDP Lets Remote Users Deny Service ***
---------------------------------------------
Asterisk SIP Request Processing Flaw With Invalid SDP Lets Remote Users Deny Service
---------------------------------------------
http://www.securitytracker.com/id/1028957
*** Linux-Trojaner analysiert ***
---------------------------------------------
Avast hat den bislang wohl ersten Online-Banking-Trojaner, der es auf Linux-Nutzer abgesehen hat, in seinem Virenlabor untersucht: Der Entwickler hat sich große Mühe gegeben, damit sein Baby unentdeckt bleibt.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Erster-Banking-Trojaner-fuer-Linux-a…
*** Exploit für ungepatchte Lücke in Java 6 aufgetaucht ***
---------------------------------------------
Ein Werkzeug enthält Code, der eine seit Juni bekannte Lücke in Java 6 ausnutzt. Oracle hat die Wartung für diese Version eingestellt, die sich jedoch noch häufig im Einsatz befindet.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Exploit-fuer-ungepatchte-Luecke-in-J…
*** Cybercriminals offer spam-ready SMTP servers for rent/direct managed purchase ***
---------------------------------------------
By Dancho Danchev We continue to observe an increase in underground market propositions for spam-ready bulletproof SMTP servers, with the cybercriminals behind them trying to differentiate their unique value proposition (UVP) in an attempt to attract more customers. Let’s profile the underground market propositions of what appears to be a novice cybercriminal offering such spam-ready […]
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/eWR3avR3M7k/
*** IBM FileNet Content Manager / Content Foundation XML Parser Denial of Service Vulnerability ***
---------------------------------------------
IBM FileNet Content Manager / Content Foundation XML Parser Denial of Service Vulnerability
---------------------------------------------
https://secunia.com/advisories/54632
*** IBM TRIRIGA Application Platform Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
IBM TRIRIGA Application Platform Multiple Cross-Site Scripting Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54641
*** Bugtraq: Two Instagram Android App Security Vulnerabilities ***
---------------------------------------------
Two Instagram Android App Security Vulnerabilities
---------------------------------------------
http://www.securityfocus.com/archive/1/528292
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 26-08-2013 18:00 − Dienstag 27-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** [Video] ThreatVlog, Episode 1: Tor and Apple exploits revealed ***
---------------------------------------------
What is Tor? Is it really secure? What about the Apple App Store approval process? Are all these applications really looked at? In today's episode, Grayson Milbourne covers the exploitation of the Tor network through Firefox and a proof of concept showing just how insecure Apple app testing can be.
---------------------------------------------
http://blog.webroot.com/2013/08/20/tor-and-apple-exploits-revealed/
*** [Video] ThreatVlog, Episode 2: Keyloggers and your privacy ***
---------------------------------------------
Commercial and black hat keyloggers can infect any device, from your PC at home to the phone in your hand. What exactly are these programs trying to steal? How can this data be used harmfully against you? And what can you do to protect all your data and devices from this malicious data gathering? In...
---------------------------------------------
http://blog.webroot.com/2013/08/26/video-threatvlog-episode-2-keyloggers-an…
*** "thereisnofatebutwhatwemake" - Turbo-charged cracking comes to long passwords ***
---------------------------------------------
Cracking really long passwords just got a whole lot faster and easier.
---------------------------------------------
http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-ch…
*** Feature Phone Hack Can Block Calls, Texts On Some Networks ***
---------------------------------------------
Trailrunner7 writes, quoting Threat Post "By tweaking the firmware on certain kinds of phones, a hacker could make it so other phones in the area are unable to receive incoming calls or SMS messages, according to research presented at the USENIX Security Symposium. The hack involves modifying the baseband processor on some Motorola phones and tricking some older 2G GSM networks into not delivering calls and messages. By watching the messages sent from phone towers and not delivering them
---------------------------------------------
http://it.slashdot.org/story/13/08/26/2254224/feature-phone-hack-can-block-…
*** Patch Management Guidance from NIST, (Tue, Aug 27th) ***
---------------------------------------------
The National Institute of Standards and Technology (NIST) released a new version of guidance around Patch Management last week, NIST SP800-40. The latest release takes a broader look at etnerprise patch management than the previous version, so well worth the read. Patch Management is clearly called out as a "Quick Win" in Critical Control #3 "Secure Configurations for Hardware and Software". Additionally, Patch Management is something that is required by many of the cyber
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16445&rss
*** NSA: Hardening Tips For Mac OS X ***
---------------------------------------------
....The National Security Agency (NSA) offers "Hardening Tips for Mac OS X" a tri-fold security brochure for the agencys Information Assurance Mission. Its packed with useful tips...... Siehe auch: http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf
---------------------------------------------
http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf
*** The SCADA That Cried Wolf: Who's Really Attacking Your ICS Devices- Part 2 ***
---------------------------------------------
The concern on ICS/SCADA security gained prominence due to high-profile attacks targeting these devices, most notably Flame and Stuxnet. However, we noted recent findings, which prove that the interest in ICS/SCADA devices as attack platforms is far from waning. We've all read about how insecure ICS/SCADA devices are and how certain threat actors are targeting...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-scada-that-c…
*** Malware-Erkennung für Medizingeräte ***
---------------------------------------------
US-Informatiker wollen über Veränderungen im Stromverbrauch von Medizingeräten Datenschädlinge im Gesundheitsbereich feststellen.
---------------------------------------------
http://www.heise.de/security/meldung/Malware-Erkennung-fuer-Medizingeraete-…
*** Security Bulletin: IBM Notes & Domino fixes for multiple vulnerabilities in IBM JRE ***
---------------------------------------------
IBM Notes and Domino are vulnerable to multiple attacks listed in the Oracle Java SE Critical Patch Update Advisories (February, April and June 2013) as well as miscellaneous client-side attacks listed below. The repaired IBM JRE is available in Notes and Domino 8.5.3 Fix Pack 5 and is also planned for Notes and Domino 9.0.1. CVE(s): CVE-2013-0464, CVE-2012-3325, and CVE-2011-4858 Affected product(s) and affected version(s): IBM Notes and Domino 9.0 IBM Notes and Domino 8.5.x IBM Notes and...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM Notes & Domino fixes for multiple vulnerabilities in IBM JRE ***
---------------------------------------------
IBM Notes and Domino are vulnerable to multiple attacks listed in the Oracle Java SE Critical Patch Update Advisories (February, April and June 2013) as well as miscellaneous client-side attacks listed below. The repaired IBM JRE is available in Notes and Domino 8.5.3 Fix Pack 5 and is also planned for Notes and Domino 9.0.1. CVE(s): CVE-2013-0809, CVE-2013-1493, CVE-2013-3012, CVE-2013-3011, CVE-2013-3010, CVE-2013-3009, CVE-2013-3008, CVE-2013-3007, CVE-2013-3006, CVE-2013-2455, and
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM Security SiteProtector System can be affected by a vulnerability in the IBM Eclipse Help System (IEHS) (CVE-2013-0467) ***
---------------------------------------------
IBM Security SiteProtector System can be affected by a vulnerability in the IBM Eclipse Help System (IEHS). This vulnerability could allow a remote attacker to obtain the source code of the Help System. CVE(s): and CVE-2013-0467 Affected product(s) and affected version(s): IBM Security SiteProtector System: 2.8.1 and 2.9 Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21647392
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM Content Collector - Eclipse Help System Cross Site Scripting Vulnerability (CVE-2013-0464) ***
---------------------------------------------
Cross-Site Scripting vulnerability exists in IBM Eclipse Help System, a component bundled with IBM Content Collector, which is used to display the IBM Content Collector help content. CVE(s): and CVE-2013-0464 Affected product(s) and affected version(s): IBM Content Collector 3.0 Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21646473 X-Force Database:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** IBM Lotus iNotes Input Validation Flaws Permit Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1028954
*** Sixnet Universal Protocol Undocumented Function Codes ***
---------------------------------------------
OVERVIEW: This updated advisory is a follow-up to the original advisory titled ICSA-13-231-01 Sixnet Universal Protocol Undocumented Function Codes that was published August 19, 2013, on the ICS-CERT Web page. Independent researcher Mehdi Sabraoui has identified undocumented function codes in Sixnet's universal protocol. Sixnet has produced a new version of the remote terminal unit (RTU) firmware that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-231-01A
*** RoundCube Webmail Edit Email Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54536
*** IBM DB2 / DB2 Connect Unspecified Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54644
*** Atlassian 4.x Confluence Sensitive Information Leakage ***
---------------------------------------------
Topic: Atlassian 4.x Confluence Sensitive Information Leakage Risk: Low Text:Since vendor does not seem to care about this issue more than a year after initial report (https://jira.atlassian.com/browse/C...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080213
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 23-08-2013 18:00 − Montag 26-08-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Mozilla und Chrome erhöhen Anforderungen an Zertifikate ***
---------------------------------------------
In Zukunft wollen die beiden freien Browser SSL-Zertifikate mit einer besonders langen Laufzeit nicht mehr akzeptieren. Die Änderungen betreffen jedoch nur relativ wenige Server.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mozilla-und-Chrome-erhoehen-Anforder…
*** EU-Meldepflicht bei Datenklau tritt in Kraft ***
---------------------------------------------
Ab sofort müssen Kommunikations-Unternehmen innerhalb von 24 Stunden melden, wenn ein Datenschutzverstoß von nicht oder nicht ausreichend gesicherten Personendaten vorliegt. Auch die Betroffenen müssen in einigen Fällen informiert werden.
---------------------------------------------
http://futurezone.at/netzpolitik/17910-eu-meldepflicht-bei-datenklau-tritt-…
*** RealPlayer Two Vulnerabilities ***
---------------------------------------------
1) An error when handling filenames in RMP can be exploited to cause a stack-based buffer overflow.
2) An error when parsing RealMedia files can be exploited to cause a memory corruption.
Successful exploitation may allow execution of arbitrary code.
---------------------------------------------
https://secunia.com/advisories/54621
*** OpenSSL erzeugt zu oft den gleichen Zufall ***
---------------------------------------------
Der Zufallszahlengenerator der freien Krypto-Bibliothek liefert unter bestimmten Voraussetzungen relativ kurz hintereinander dieselben Zahlen. Noch ist nicht entschieden, ob die OpenSSL-Entwickler oder -Nutzer ihren Code ändern müssen.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-erzeugt-zu-oft-den-gleichen-Zu…
*** IBM WebSphere Commerce Tools Pages Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
IBM WebSphere Commerce Tools Pages Cross-Site Scripting Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54643
*** IBM Tivoli Workload Scheduler OpenSSL Multiple Vulnerabilities ***
---------------------------------------------
IBM Tivoli Workload Scheduler OpenSSL Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54655
*** IBM Lotus iNotes Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
IBM Lotus iNotes Multiple Cross-Site Scripting Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54645
*** Cacti Script Insertion and SQL Injection Vulnerabilities ***
---------------------------------------------
Cacti Script Insertion and SQL Injection Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54531
*** Bugtraq: Wordpress post-gallery Plugin Xss vulnerabilities ***
---------------------------------------------
Wordpress post-gallery Plugin Xss vulnerabilities
---------------------------------------------
http://www.securityfocus.com/archive/1/528243
*** [remote] - Belkin G Wireless Router Firmware 5.00.12 - RCE PoC ***
---------------------------------------------
Belkin G Wireless Router Firmware 5.00.12 - RCE PoC
---------------------------------------------
http://www.exploit-db.com/exploits/27873
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 22-08-2013 18:00 − Freitag 23-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Top Server OPC Improper Input Validation Vulnerability ***
---------------------------------------------
OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the Software Toolbox TOP Server DNP Master OPC product. Software Toolbox has produced a new version that mitigates this vulnerability. The researchers have tested the new version to validate that it resolves the vulnerability. This vulnerability could be exploited remotely. AFFECTED PRODUCTS: The following Software Toolbox products are affected:...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-234-02
*** Read of the Week: A Fuzzy Future in Malware Research, (Thu, Aug 22nd) ***
---------------------------------------------
The August 2013 ISSA Journal includes an excellent read from Ken Dunham: A Fuzzy Future in Malware Research. Ken is a SANS veteran (GCFA Gold, GREM Gold, GCIH Gold, GSEC, GCIA) who spends a good bit of his time researching, writing and presenting on malware-related topics. From Kens abstract: "Traditional static analysis and identification measures for malware are changing, including the use of fuzzy hashes which offers a new way to find possible related malware samples on a computer or
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16427
*** How Exploit Kits Dodge Security Vendors and Researchers ***
---------------------------------------------
Websites with exploit kits are one thing that security vendors and researchers frequently try to look into, so it shouldn't be a surprise that attackers have gone to some length to specifically dodge the good guys. How do they do it? The most basic method used by attackers is an IP blacklist. Just like security...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/qf9ZXjwNgn0/
*** How Can Social Engineering Training Work Effectively? ***
---------------------------------------------
One particular aspect of DEF CON that always gets some media coverage is the Social Engineering Capture the Flag (SECTF) contest, where participants use nothing more than a phone call to get victims at various Fortune 500 to give up bits of information. These are the sort of social engineering attacks that give security professionals...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/D-0-ZRv5fSY/
*** Angeblicher Adobe-Reader-Exploit vermutlich ein Fake ***
---------------------------------------------
Es verdichten sich die Indizien dafür, dass es das kritische Sicherheitsloch, dass in der aktuellen Reader-Version klaffen soll, gar nicht gibt.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Angeblicher-Adobe-Reader-Exploit-ver…
*** Pixel Perfect Timing Attacks with HTML5 ***
---------------------------------------------
"This paper describes a number of timing attack techniques that can be used by a malicious web page to steal sensitive data from a browser, breaking cross-origin restrictions. The new requestAnimationFrame API can be used to time browser rendering operations and infersensitive data based on timing data."
---------------------------------------------
http://contextis.co.uk/files/Browser_Timing_Attacks.pdf
*** BSI: Trotz "kritischer Aspekte" keine Warnung vor Windows 8 ***
---------------------------------------------
In einer Stellungnahme stellt das Bundesamt klar, dass es keine grundsätzlichen Sicherheitsbedenken gegen den Einsatz von Windows 8 und Trusted Computing habe. Das BSI kritisiert allerdings bestimmte Aspekte des Betriebssystems.
---------------------------------------------
http://www.heise.de/security/meldung/BSI-Trotz-kritischer-Aspekte-keine-War…
*** Setuid-Probleme auf Debian-Abkömmlingen ***
---------------------------------------------
Ein schlampig programmiertes Setuid-Tool aus dem VMware-Paket beschert Root-Rechte; doch die Ursachen reichen tiefer.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Setuid-Probleme-auf-Debian-Abkoemmli…https://secunia.com/advisories/54580
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 21-08-2013 18:00 − Donnerstag 22-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** If you ever use text VTs, dont run XMir right now ***
---------------------------------------------
Itd be easy to assume that in a Mir-based world, the Mir server receives input events and hands them over to Mir clients. In fact, as I described here, XMir uses standard Xorg input drivers and so receives all input events directly. This led to issues like the duplicate mouse pointer seen in earlier versions of XMir - as well as the pointer being drawn by XMir, Mir was drawing its own pointer.But theres also some more subtle issues. Mir recently gained a fairly simple implementation of VT...
---------------------------------------------
http://mjg59.dreamwidth.org/27327.html
*** Jumping Out of IE's Sandbox With One Click ***
---------------------------------------------
Software vendors often give intentionally vague and boring names to the updates they use to fix security vulnerabilities. The lamer the name, the less attention it may attract from attackers looking to reverse-engineer the patch. There was one patch in Microsoft's August Patch Tuesday release earlier this month that fit that bill, MS13-059, Cumulative Security [...]
---------------------------------------------
http://threatpost.com/jumping-out-of-ies-sandbox-with-one-click/102054
*** BSI: Trotz "kritischer Aspekte" keine Warnung vor Windows 8 ***
---------------------------------------------
In einer Stellungnahme stellt das Bundesamt klar, dass es keine grundsätzlichen Sicherheitsbedenken gegen den Einsatz von Windows 8 und Trusted Computing habe. Das BSI kritisiert allerdings bestimmte Aspekte des Betriebssystems.
---------------------------------------------
http://www.heise.de/security/meldung/BSI-Trotz-kritischer-Aspekte-keine-War…
*** Siemens COMOS Privilege Escalation Vulnerability ***
---------------------------------------------
OVERVIEW: Siemens has notified ICS-CERT of a privilege escalation vulnerability in the Siemens COMOS database application. Siemens has produced a patch that mitigates this vulnerability. AFFECTED PRODUCTS: The following Siemens COMOS versions are affected:...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-233-01
*** Cisco Prime Central for Hosted Collaboration Solution Assurance Denial of Service Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** MySQL Debian/Ubuntu Installation Script Lets Local Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1028927
*** Hotel Software and Booking system 1.8 SQL Injection & Cross Site Scripting ***
---------------------------------------------
Topic: Hotel Software and Booking system 1.8 SQL Injection & Cross Site Scripting Risk: Medium Text: # Exploit Title: Hotel Software and Booking system 1.8 - SQL Injection / Cross Site Scripting # Date: 21 de A...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080175
*** Drupal Zen 7.x Cross Site Scripting ***
---------------------------------------------
Topic: Drupal Zen 7.x Cross Site Scripting Risk: Low Text:View online: https://drupal.org/node/2071157 * Advisory ID: DRUPAL-SA-CONTRIB-2013-070 * Project: Zen [1] (third-party ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080180
*** Debian update for cacti ***
---------------------------------------------
https://secunia.com/advisories/54181
*** Multiple NetGear ProSafe Switches CVE-2013-4776 Remote Denial of Service Vulnerability ***
---------------------------------------------
A range of ProSafe switches are affected by two different vulnerabilities. CVE-2013-4775: Unauthenticated startup-config disclosure. CVE-2013-4776: Denial of Service vulne...
---------------------------------------------
http://www.encripto.no/forskning/whitepapers/Netgear_prosafe_advisory_aug_2…
*** [webapps] - Netgear ProSafe - Denial of Service Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/27775
*** [webapps] - Netgear ProSafe - Information Disclosure Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/27774