[CERT-daily] Tageszusammenfassung - Dienstag 29-12-2015

Tue Dec 29 18:35:47 CET 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Montag 28-12-2015 18:00 − Dienstag 29-12-2015 18:00
Handler:     L. Aaron Kaplan
Co-Handler:  Stephan Richter


*** Security Updates Available for Adobe Flash Player (APSB16-01) ***
---------------------------------------------
A security bulletin (APSB16-01) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1305


*** Quick Tips to Protect Your New (and old) Apple Devices ***
---------------------------------------------
Apple has projected yet another record holiday for sales, but this should come as no surprise to fellow "Macheads". I myself, am a huge fan of Apple and have been for a quite...read moreThe post Quick Tips to Protect Your New (and old) Apple Devices appeared first on Webroot Threat Blog.
---------------------------------------------
http://www.webroot.com/blog/2015/12/28/18251/


*** 2016 Reality: Lazy Authentication Still the Norm ***
---------------------------------------------
My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang that recruits for the terrorist group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations -- including many financial institutions -- remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.
---------------------------------------------
http://krebsonsecurity.com/2015/12/2016-reality-lazy-authentication-still-the-norm/


*** An Overview of the Upcoming libModSecurity ***
---------------------------------------------
libModSecurity is a major rewrite of ModSecurity. It preserves the rich syntax and feature set of ModSecurity while delivering improved performance, stability, and a new experience in easy integration on different. libModSecurity - Motivations While ModSecurity version 2.9.0 is available...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/An-Overview-of-the-Upcoming-libModSecurity/


*** Forscher: Herzschrittmacher für Hackerangriffe und Softwarefehler anfällig ***
---------------------------------------------
Forscherin und Patientin Marie Moe sprach auf dem Hackerkongress 32C3 über das Thema
---------------------------------------------
http://derstandard.at/2000028215506


*** Lets Encrypt: Ein kostenfreies Zertifikat, alle zwei Sekunden ***
---------------------------------------------
Der Start der neuen Certificate Authority Lets Encrypt hat offenbar recht gut funktioniert. Nach nur rund einem Monat im Betabetrieb ist das Projekt schon die fünftgrößte CA der Welt. Doch es gibt noch einige Aufgaben zu bewältigen.
---------------------------------------------
http://www.golem.de/news/let-s-encrypt-ein-kostenfreies-zertifikat-alle-zwei-sekunden-1512-118228-rss.html


*** 32C3: pushTAN-App der Sparkasse nach wie vor angreifbar ***
---------------------------------------------
Zwischen Erlanger Sicherheitsforschern und dem Sparkassenverband hat sich ein Katz-und-Maus-Spiel um die Online-Banking-App "pushTAN" entwickelt. Die jüngste Version ließe sich weiter recht einfach angreifen, sagen Experten.
---------------------------------------------
http://heise.de/-3056667


*** 32C3: Verschlüsselung gängiger RFID-Schließanlagen geknackt ***
---------------------------------------------
RFID-Transponderkarten, die für die elektronische Zutrittskontrolle genutzt werden, lassen sich Sicherheitsexperten zufolge oft "trivial einfach" klonen.
---------------------------------------------
http://heise.de/-3056646


*** Geldautomaten-Skimming auf dem Rückzug ***
---------------------------------------------
Die Milliardeninvestitionen von Banken und Handel in mehr Sicherheit zeigen Wirkung: Datendiebe kommen am Geldautomat in Deutschland immer seltener zum Zug. Doch noch finden die Kriminellen Löcher im System.
---------------------------------------------
http://heise.de/-3056638


*** Microsoft Has Your Encryption Key If You Use Windows 10 ***
---------------------------------------------
An anonymous reader writes with this bit of news from the Intercept. If you login to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to a Microsoft servers. From the article: "The fact that new Windows devices require users to backup their recovery key on Microsofts servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/YfNKeGMMq1o/microsoft-has-your-encryption-key-if-you-use-windows-10


*** Voice over LTE: Angriffe auf mobile IP-Telefonie vorgestellt ***
---------------------------------------------
Talks, die Albträume über mobile Kommunikation auslösen, haben beim CCC Tradition. Dieses Mal haben zwei koreanische Studenten Angriffe auf Voice over LTE vorgeführt. In Deutschland soll das angeblich nicht möglich sein.
---------------------------------------------
http://www.golem.de/news/voice-over-lte-mobile-ip-telefonie-kann-abgehoert-werden-1512-118236-rss.html


*** Fixing JavaScripts Broken Random Number Generator ***
---------------------------------------------
szczys writes: It is surprising to learn how broken the JavaScript Random Number Generator has been for the past six years. The problem is compounded by the fact that Node.js uses the same broken Math.random() module. Learning about why this is broken is interesting, but perhaps even more interesting is how the bad code got there in the first place. It seems that a forum thread from way back in 1999 shared two versions of the code. If you read to the end of the thread you got the working
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GG87DY0k6I4/fixing-javascripts-broken-random-number-generator


*** DFN-CERT-2015-2002: Roundcubemail: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-2002/


*** libtiff bmp file Heap Overflow ***
---------------------------------------------
Topic: libtiff bmp file Heap Overflow Risk: High Text:Details = Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Heap Overflow Security Risk: High Vendor U...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120304