End-of-Shift report
Timeframe: Mittwoch 22-01-2014 18:00 − Donnerstag 23-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
SA-CONTRIB-2014-005 - Leaflet - Access bypass
Advisory ID: DRUPAL-SA-CONTRIB-2014-005
Project: Leaflet (third-party module)
Version: 7.xDate: 2014-January-22
Security risk: Critical
Exploitable from: Remote
Vulnerability: Access bypass
Description
The Leaflet module enables you to display an interactive map using the Leaflet library, using entities as map features.The module exposes complete data from entities used as map features to any site visitor with a Javascript inspector (like Firebug).
https://drupal.org/node/2179103
New Android Malware Steals SMS Messages, Intercepts Calls
A new strain of Android malware has emerged that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls.
http://threatpost.com/new-android-malware-steals-sms-messages-intercepts-calls/103785
Official PERL Blogs hacked, 2,924 Author Credentials Leaked by ICR
The breach has seen 2,924 user account credentials published to quickleak.org as well as the blog having a deface page added but was not obtrusive to the actually website.
http://www.cyberwarnews.info/2014/01/22/official-perl-blogs-hacked-2924-author-credentials-leaked-by-icr/
CrowdStrike Takes On Chinese, Russian Attack Groups in Threat Report
Russian attackers targeted energy sector targets and a Chinese nexus intrusion group infected foreign embassies with malware using watering hole tactics in 2013, CrowdStrike researchers found in its first-ever Global Threat Report.
http://www.securityweek.com/crowdstrike-takes-chinese-russian-attack-groups-threat-report
Outdated energy, water and transport Industrial Control Systems without sufficient cyber security controls require coordinated testing of capability at EU levels, says the EU's cyber security Agency ENISA
Today, the EU's cyber security Agency ENISA published a new report to give advice regarding the next steps towards coordinated testing of capability of the often outdated Industrial Control Systems (ICS) for European industries. Among the key recommendations is the testing of ICS is a concern for all EU Member States and could be dealt with at EU levels according to ENISA.
http://www.enisa.europa.eu/media/press-releases/ics-without-sufficient-cybersecurity-controls-require-coordinated-testing-of-capability-at-eu-levels
Analysis: Spam in December 2013
In December, spammers continued to honor the traditions of the season and tried to attract potential customers with a variety of original gift and winter vacation offers, taking advantage of the approaching holidays.
http://www.securelist.com/en/analysis/204792323/Spam_in_December_2013
Chrome Eavesdropping Exploit Published
Exploit code has been published for a Google Chrome bug that allows malicious websites granted permission to use a computers microphone for speech recognition to continue listening after a user leaves the website.
http://threatpost.com/chrome-eavesdropping-exploit-published/103798