======================= = End-of-Shift report = =======================
Timeframe: Montag 24-10-2016 18:00 − Dienstag 25-10-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a
*** iOS 10.1 *** --------------------------------------------- https://support.apple.com/kb/HT207271
*** IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers *** --------------------------------------------- A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last weeks massive attack that disrupted Twitter and .. --------------------------------------------- https://krebsonsecurity.com/2016/10/iot-device-maker-vows-product-recall-leg...
*** Locky Ransomwares new .SHIT Extension shows that you cant Polish a Turd *** --------------------------------------------- To further show how ransomware is such a pile of crap, a new version of Locky has been released that appends the .shit extension on encrypted files. Like previous .. --------------------------------------------- http://www.bleepingcomputer.com/news/security/locky-ransomwares-new-shit-ext...
*** DSA-3698 php5 - security update *** --------------------------------------------- Several vulnerabilities were found in PHP, a general-purpose scriptinglanguage commonly used for web application development. --------------------------------------------- https://www.debian.org/security/2016/dsa-3698
*** Critical Patch Update - October 2016 *** --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
*** Kryptologe Hellman: NSA propagiert mittlerweile Verschlüsselung *** --------------------------------------------- Daten verlässlich zu verschlüsseln auch für Sicherheit von Staaten wichtig – Zusammensetzen sicherer Komponenten macht außerdem noch lange kein sicheres System --------------------------------------------- http://derstandard.at/2000046466661
*** Wosign und Startcom: Mozilla veröffentlicht Details des TLS-Rauswurfs *** --------------------------------------------- Mozillas Firefox-Browser wird keine TLS-Zertifikate der beiden skandalträchtigen Certificate Authorities mehr akzeptieren. Wie dies genau umgesetzt wird, hat die Stiftung nun erläutert. --------------------------------------------- http://www.golem.de/news/wosign-und-startcom-mozilla-veroeffentlicht-details...
*** Certificate Transparency: Betrug mit TLS-Zertifikaten wird fast unmöglich *** --------------------------------------------- Alle TLS-Zertifizierungsstellen müssen ab nächstem Herbst ihre Zertifikate vor der Ausstellung in ein öffentliches Log eintragen. Mittels Certificate Transparency kann Fehlverhalten bei der Zertifikatsausstellung leichter entdeckt werden - das TLS-Zertifikatssystem insgesamt wird vertrauenswürdiger. --------------------------------------------- http://www.golem.de/news/certificate-transparency-betrug-mit-tsl-zertifikate...
*** [20161002] - Core - Elevated Privileges *** --------------------------------------------- Incorrect use of unfiltered data allows for users to register on a site with elevated privileges. Affected Installs Joomla! CMS versions 3.4.4 through 3.6.3 Solution Upgrade to .. --------------------------------------------- https://developer.joomla.org/security-centre/660-20161002-core-elevated-priv...
*** [20161001] - Core - Account Creation *** --------------------------------------------- Inadequate checks allows for users to register on a site when registration has been disabled. Affected Installs Joomla! CMS versions 3.4.4 .. --------------------------------------------- https://developer.joomla.org/security-centre/659-20161001-core-account-creat...
*** BSI: Deutschland soll vernetzte Geräte besser schützen *** --------------------------------------------- Nach einem Angriff auf die Internet-Infrastruktur hat das Bundesamt für Sicherheit in der Informationstechnik (BSI) höhere Sicherheitsstandards verlangt. --------------------------------------------- https://futurezone.at/netzpolitik/bsi-deutschland-soll-vernetzte-geraete-bes...
*** Vulnerabilities in Slack could have led to account hijacking *** --------------------------------------------- Persistence pays off as security researcher nets bug bounty for unearthing an access control bypass allowing attackers to reset passwords if they know the usernames. --------------------------------------------- http://www.scmagazine.com/vulnerabilities-in-slack-could-have-led-to-account...
*** task_t considered harmful *** --------------------------------------------- Posted by Ian Beer, Project ZeroThis post discusses a design issue at the core of the XNU kernel which powers iOS and MacOS. Apple have shipped two iterations of mitigations followed yesterday by a large refactor in MacOS 10.12.1/iOS .. --------------------------------------------- http://googleprojectzero.blogspot.com/2016/10/posted-by-ian-beer-project-zer...
Aufgrund des Feiertages am morgigen Mittwoch, den 26.10.2016, erscheint der nächste End-of-Shift Report erst am 27.10.2016.