[CERT-daily] Daily summary - Thursday 1-08-2013
Daily end-of-shift report
team at cert.at
Thu Aug 1 18:01:45 CEST 2013
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 31-07-2013 18:00 − Thursday 01-08-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Inside the Security Model of BlackBerry 10 ***
---------------------------------------------
The new BlackBerry 10 operating system contains a number of security improvements and upgrades over earlier versions, but there are still some features and functions that an attacker may be able to exploit.
---------------------------------------------
http://threatpost.com/inside-the-security-model-of-blackberry-10/101542
*** Malicious JavaScript flips ad network into rentable botnet ***
---------------------------------------------
Enslaved machines helplessly press Apache's buttons. Black Hat 2013: Security researchers have shown how hackers can use ad networks to create ephemeral, hard-to-trace botnets that can perform distributed-denial-of-service attacks at the click of a button.
---------------------------------------------
http://www.theregister.co.uk/2013/07/31/whitehat_security_ad_networks_botnet/
*** Got an account on a site like Github? Hackers may know your e-mail address ***
---------------------------------------------
Researcher de-anonymizes forum people posting extremist views.
---------------------------------------------
http://arstechnica.com/security/2013/07/got-an-account-on-a-site-like-github-hackers-may-know-your-e-mail-address/
*** Black Hat: TLS extension weakens encryption security ***
---------------------------------------------
At Black Hat, security researcher Florent Daignière examined TLS extensions that provide for session tickets. If an attacker can obtain data from the web server, recorded connections can be decrypted after the fact.
---------------------------------------------
http://www.heise.de/security/meldung/Black-Hat-TLS-Erweiterung-schwaecht-Sicherheit-der-Verschluesselung-1928081.html
*** Researchers reveal how to hack an iPhone in 60 seconds ***
---------------------------------------------
Three Georgia Tech hackers have revealed how to hack iPhones and iPads with malware imitating ordinary apps in under sixty seconds using a "malicious charger."
---------------------------------------------
http://www.zdnet.com/researchers-reveal-how-to-hack-an-iphone-in-60-seconds-7000018822/
*** Attacks on mTAN-protected accounts ***
---------------------------------------------
Banks describe the mTAN procedure as secure. Nevertheless, criminals manage to circumvent the security mechanism. The effort is high, but the loot is large.
---------------------------------------------
http://www.heise.de/security/meldung/Angriffe-auf-mit-mTAN-geschuetzte-Konten-1928312.html
*** Teaching Old Malware New Tricks ***
---------------------------------------------
Why Carberp, ZeuS, and Other Vintage Malware Have a Bigger Bite Than You Think (First in a three-part series). As a sales engineer working at FireEye, I spend my days running production pilots with prospects, discussing advanced persistent threats (APTs)
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/08/teaching-old-malware-new-tricks.html
*** Cisco WAAS Central Manager Remote Code Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130731-waascm
*** GnuPG / Libgcrypt RSA Secret Key Disclosure Weakness ***
---------------------------------------------
https://secunia.com/advisories/54373
*** VMware ESXi Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54339
*** TYPO3 Cross-Site Scripting and Arbitrary File Upload Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/53529
*** Subversion 1.7.9 remote DoS vulnerability. ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080004
*** Subversion 1.6.21 arbitrary code execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080003
*** Vuln: Drupal Flippy Module Access Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/61546
*** Bugtraq: Open-Xchange Security Advisory 2013-07-31 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/527662