Daily Summary - Thursday 17-10-2013

End-of-Shift report

Timeframe: Wednesday 16-10-2013 18:00 − Thursday 17-10-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a

Bug Hunters Find 25 ICS, SCADA Vulnerabilities

A trio of researchers have uncovered 25 security vulnerabilities in various supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols.

http://threatpost.com/bug-hunters-find-25-ics-scada-vulnerabilities/102599


Researchers uncover holes that open power stations to hacking

Hacks could cause power outages and don't need physical access to substations.

http://arstechnica.com/security/2013/10/researchers-uncover-holes-that-open-power-stations-to-hacking/


Raising awareness quickly: A look at basic password hygiene

Rapid7's tips for strengthening your first line of defense

http://www.csoonline.com/article/741540/raising-awareness-quickly-a-look-at-basic-password-hygiene?source=rss_application_security


Mass iFrame injection campaign leads to Adobe Flash exploits

We've intercepted an ongoing malicious campaign, relying on injected/embedded iFrames at Web sites acting as intermediaries for successful client-side exploits to take place. Let's dissect the campaign, expose the malicious domains portfolio/infrastructure it relies on, as well as directly connect it with historical malicious activity, in this particular case, a social engineering campaign pushing fake browser updates.

http://www.webroot.com/blog/2013/10/17/mass-iframe-injection-campaign-leads-adobe-flash-exploits/


Top 20 Free Digital Forensic Investigation Tools for SysAdmins

Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it's for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics.

http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/


Background: Default passwords not a security risk?

ICS-CERT, which is responsible for critical infrastructure such as dams and nuclear power plants, says default passwords do not pose a security risk as long as they are well documented and changeable. Is that really the case?

http://www.heise.de/security/artikel/Standardpasswoerter-kein-Sicherheitsrisiko-1980853.html


Apple iMessage Open to Man in the Middle, Spoofing Attacks

The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users' text messages or decrypt them and hand them over at the order of a government agency.

http://threatpost.com/apple-imessage-open-to-man-in-the-middle-spoofing-attacks/102610


IBM Storwize V7000 Unified Multiple Vulnerabilities

https://secunia.com/advisories/55247


Bugtraq: PayPal Inc Bug Bounty #61 - Persistent Mail Encoding Vulnerability

http://www.securityfocus.com/archive/1/529250


Puppet Enterprise Dashboard Report YAML Handling Vulnerability

https://secunia.com/advisories/55362


Drupal Context Multiple Vulnerabilities

http://cxsecurity.com/issue/WLB-2013100111


Drupal Simplenews Cross Site Scripting

http://cxsecurity.com/issue/WLB-2013100112


Vuln: Cisco Identity Services Engine CVE-2013-5539 Arbitrary File Upload Vulnerability

http://www.securityfocus.com/bid/63031


Bugtraq: Security Advisory for Bugzilla 4.4.1, 4.2.7 and 4.0.11

http://www.securityfocus.com/archive/1/529262


Panda Security for Business Pagent.exe code execution

http://xforce.iss.net/xforce/xfdb/88091