End-of-Shift report
Timeframe: Monday 30-09-2013 18:00 − Tuesday 01-10-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
Asus RT-N66U 3.0.0.4.374_720 Cross Site Request Forgery
The Asus RT-N66U is a home wireless router. Its web application has a CSRF vulnerability that allows an attacker to execute arbitrary commands on the target device.
http://cxsecurity.com/issue/WLB-2013090194
What kind of target are you?
Some attackers want money or data, while others hope to make you look bad. What do you have that might put you on a hacker's hit list?
http://www.csoonline.com/article/740614/what-kind-of-target-are-you-?source=rss_application_security
BYOD: Your own phone as a stopgap
A new study shows that most users bring their own devices to work only because the IT department cannot provide them with adequate equipment; for these employees, Bring Your Own Device is a stopgap solution.
http://www.heise.de/newsticker/meldung/BYOD-Eigenes-Handy-als-Notloesung-1969927.html
Blog: Ad Plus instead of AdBlock Plus
A fake, malicious AdBlock Plus brings your Android device not ad protection but even more ads than before.
http://www.securelist.com/en/blog/208214071/Ad_Plus_instead_of_AdBlock_Plus
Hand Me Downs: Exploit and Infrastructure Reuse Among APT Campaigns
Since we first reported on Operation DeputyDog, at least three other Advanced Persistent Threat (APT) campaigns known as Web2Crew, Taidoor, and th3bug have made use of the same exploit to deliver their own payloads to their own targets.
http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/hand-me-downs-exploit-and-infrastructure-reuse-among-apt-campaigns.html
Open-Xchange AppSuite multiple session hijacking
http://xforce.iss.net/xforce/xfdb/87557
Open-Xchange AppSuite /ajax/defer servlet CRLF injection
http://xforce.iss.net/xforce/xfdb/87558
Sweet murmuring Siri opens stalking security hole in iOS 7
Siri, hand over my contacts and history now. It has not been a good week for Apple on the security front, and there's no relief in sight after an Israeli researcher found a way to access a locked iPhone's contacts and messages database using Siri.
http://www.theregister.co.uk/2013/09/30/sweettalking_siri_opens_stalking_security_hole_in_ios_7/
World War C: Understanding Nation-State Motives Behind Today's Advanced Cyber Attacks
This report describes the unique characteristics of cyber attack campaigns waged by governments worldwide. We hope that, armed with this knowledge, security professionals can better identify their attackers and tailor their defenses accordingly...
http://www.fireeye.com/resources/pdfs/fireeye-wwc-report.pdf
It's your digital life. Being safer online - citizens in focus of 1st European Cyber Security Month
The EU's cyber security agency ENISA, together with the European Commission's DG CONNECT, is launching the first fully fledged European Cyber Security Month campaign. During the month of October, more than 40 public and private stakeholders will promote cyber security among citizens and children, and advocate for a change in the perception of cyber-threats.
http://www.enisa.europa.eu/media/press-releases/it2019s-your-digital-life-being-safer-online-citizens-in-focus-of-1st-european-cyber-security-month
PayPal: Second factor optional
The iOS app of the payment service PayPal can log in to the server without the additional code from a hardware token or SMS, even when the user has enabled two-factor authentication. This reduces the security concept to absurdity.
http://www.heise.de/security/meldung/PayPal-Zweiter-Faktor-optional-1970328.html
Quarter of TWO-MILLION-strong zombie PC army lured to their deaths
Pied piper Symantec says it led infected computers into a sinkhole. Symantec has claimed credit for luring a significant lump of the powerful ZeroAccess botnet into a sinkhole.
http://go.theregister.com/feed/www.theregister.co.uk/2013/10/01/zeroaccess_botnet_sunk_sorta/