[CERT-daily] Daily summary - Tuesday 1-10-2013

Daily end-of-shift report team at cert.at
Tue Oct 1 18:00:56 CEST 2013


=======================
= End-of-Shift report =
=======================

Timeframe:   Monday 30-09-2013 18:00 − Tuesday 01-10-2013 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

*** Asus RT-N66U 3.0.0.4.374_720 Cross Site Request Forgery ***
---------------------------------------------
The Asus RT-N66U is a home wireless router. Its web application has a CSRF vulnerability that allows an attacker to execute arbitrary commands on the target device.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090194




*** What kind of target are you? ***
---------------------------------------------
Some attackers want money or data, while others hope to make you look bad. What do you have that might put you on a hacker's hit list?
---------------------------------------------
http://www.csoonline.com/article/740614/what-kind-of-target-are-you-?source=rss_application_security




*** BYOD: Your own phone as a stopgap ***
---------------------------------------------
A new study shows that most users bring their own devices to work only because the IT department cannot provide them with adequate equipment; for these employees, Bring Your Own Device is a stopgap.
---------------------------------------------
http://www.heise.de/newsticker/meldung/BYOD-Eigenes-Handy-als-Notloesung-1969927.html




*** Blog: Ad Plus instead of AdBlock Plus ***
---------------------------------------------
A fake, malicious AdBlock Plus brings your Android device not ad protection but more ads than ever before.
---------------------------------------------
http://www.securelist.com/en/blog/208214071/Ad_Plus_instead_of_AdBlock_Plus




*** Hand Me Downs: Exploit and Infrastructure Reuse Among APT Campaigns ***
---------------------------------------------
Since we first reported on Operation DeputyDog, at least three other Advanced Persistent Threat (APT) campaigns known as Web2Crew, Taidoor, and th3bug have made use of the same exploit to deliver their own payloads to their own targets.
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/hand-me-downs-exploit-and-infrastructure-reuse-among-apt-campaigns.html




*** Open-Xchange AppSuite multiple session hijacking ***
---------------------------------------------
Open-Xchange AppSuite multiple session hijacking
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87557




*** Open-Xchange AppSuite /ajax/defer servlet CRLF injection ***
---------------------------------------------
Open-Xchange AppSuite /ajax/defer servlet CRLF injection
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87558




*** Sweet murmuring Siri opens stalking security hole in iOS 7 ***
---------------------------------------------
Siri, hand over my contacts and history now. It has not been a good week for Apple on the security front, and there's no relief in sight after an Israeli researcher found a way to access a locked iPhone's contacts and messages database using Siri.
---------------------------------------------
http://www.theregister.co.uk/2013/09/30/sweettalking_siri_opens_stalking_security_hole_in_ios_7/




*** World War C: Understanding Nation-State Motives Behind Today's Advanced Cyber Attacks ***
---------------------------------------------
This report describes the unique characteristics of cyber attack campaigns waged by governments worldwide. We hope that, armed with this knowledge, security professionals can better identify their attackers and tailor their defenses accordingly...
---------------------------------------------
http://www.fireeye.com/resources/pdfs/fireeye-wwc-report.pdf




*** It's your digital life. Being safer online - citizens in focus of 1st European Cyber Security Month ***
---------------------------------------------
The EU's cyber security agency ENISA, together with the European Commission's DG CONNECT, is launching the first fully fledged European Cyber Security Month campaign. During the month of October, more than 40 public and private stakeholders will promote cyber security among citizens and children, and advocate for a change in the perception of cyber-threats.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/it2019s-your-digital-life-being-safer-online-citizens-in-focus-of-1st-european-cyber-security-month




*** PayPal: Second factor optional ***
---------------------------------------------
The iOS app of the payment service PayPal can log in to the server without the additional code from a hardware token or SMS, even when the user has enabled two-factor authentication. This reduces the security concept to absurdity.
---------------------------------------------
http://www.heise.de/security/meldung/PayPal-Zweiter-Faktor-optional-1970328.html




*** Quarter of TWO-MILLION-strong zombie PC army lured to their deaths ***
---------------------------------------------
Pied piper Symantec says it led infected computers into sinkhole. Symantec has claimed credit for luring a significant lump of the powerful ZeroAccess botnet into a sinkhole.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/10/01/zeroaccess_botnet_sunk_sorta/
