End-of-Shift report
Timeframe: Mittwoch 31-07-2013 18:00 − Donnerstag 01-08-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
Inside the Security Model of BlackBerry 10
The new BlackBerry 10 operating system contains a number of security improvements and upgrades over earlier versions, but there are still some features and functions that an attacker may be able to exploit.
http://threatpost.com/inside-the-security-model-of-blackberry-10/101542
Malicious JavaScript flips ad network into rentable botnet
Enslaved machines helplessly press Apaches buttons Black Hat 2013 Security researchers have shown how hackers can use ad networks to create ephemeral, hard-to-trace botnets that can perform distributed-denial-of-service attacks at the click of a button.
http://www.theregister.co.uk/2013/07/31/whitehat_security_ad_networks_botnet/
Got an account on a site like Github? Hackers may know your e-mail address
Researcher de-anonymizes forum people posting extremist views.
http://arstechnica.com/security/2013/07/got-an-account-on-a-site-like-github-hackers-may-know-your-e-mail-address/
Black Hat: TLS-Erweiterung schwächt Sicherheit der Verschlüsselung
Sicherheitsforscher Florent Daignière hat sich bei der Black Hat mit TLS-Extensions befasst, die Session Tickets vorsehen. Kann ein Angreifer Daten des Webservers abgreifen, lassen sich mitgeschnittene Verbindungen im Nachhinein entschlüsseln.
http://www.heise.de/security/meldung/Black-Hat-TLS-Erweiterung-schwaecht-Sicherheit-der-Verschluesselung-1928081.html
Researchers reveal how to hack an iPhone in 60 seconds
Three Georgia Tech hackers have revealed how to hack iPhones and iPads with malware imitating ordinary apps in under sixty seconds using a "malicious charger."
http://www.zdnet.com/researchers-reveal-how-to-hack-an-iphone-in-60-seconds-7000018822/
Angriffe auf mit mTAN geschützte Konten
Die Banken bezeichnen das mTAN-Verfahren als sicher. Trotzdem gelingt es Kriminiellen, den Sicherheitsmechanismus zu umgehen. Der Aufwand ist hoch, die Beute aber groß.
http://www.heise.de/security/meldung/Angriffe-auf-mit-mTAN-geschuetzte-Konten-1928312.html
Teaching Old Malware New Tricks
Why Carberp, ZeuS, and Other Vintage Malware Have a Bigger Bite Than You Think (First in a three-part series) As a sales engineer working at FireEye, I spend my days running production pilots with prospects, discussing advanced persistent threats (APTs)
http://www.fireeye.com/blog/corporate/2013/08/teaching-old-malware-new-tricks.html
Cisco WAAS Central Manager Remote Code Execution Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130731-waascm
GnuPG / Libgcrypt RSA Secret Key Disclosure Weakness
https://secunia.com/advisories/54373
VMware ESXi Multiple Vulnerabilities
https://secunia.com/advisories/54339
TYPO3 Cross-Site Scripting and Arbitrary File Upload Vulnerabilities
https://secunia.com/advisories/53529
Subversion 1.7.9 remote DoS vulnerability.
http://cxsecurity.com/issue/WLB-2013080004
Subversion 1.6.21 arbitrary code execution
http://cxsecurity.com/issue/WLB-2013080003
Vuln: Drupal Flippy Module Access Bypass Vulnerability
http://www.securityfocus.com/bid/61546
Bugtraq: Open-Xchange Security Advisory 2013-07-31
http://www.securityfocus.com/archive/1/527662
GnuPG / Libgcrypt RSA Secret Key Disclosure Weakness
https://secunia.com/advisories/54373