Daily summary - Monday 6-10-2014

End-of-Shift report

Timeframe: Friday 03-10-2014 18:00 − Monday 06-10-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a

CSAM: The Power of Virustotal to Turn Harmless Binaries Malicious, (Fri, Oct 3rd)

We all know that anti-virus, the necessary evil of basic computer security, isn't a stranger to false positives. So no big surprise here when John is writing that he ran into such a false positive during an incident response: I was scanning a forensic drive image with clamav and scored a positive hit on a file. Great. ClamAV, a free anti-virus product. Of course, we don't trust it. So John did what most of us would have done, and submitted the suspect binary to Virustotal: Virustotal showed...

https://isc.sans.edu/diary.html?storyid=18759&rss


Detecting irregular programs and services installed in your network, (Sun, Oct 5th)

When the corporate network becomes a target, auditing for security policy compliance can be challenging if you don't have software controlling irregular usage of administrator privileges granted and being used to install unauthorized software, or to change configuration by installing services that could cause an interruption in network service. Examples of these possible issues are additional DHCP servers (IPv4 and IPv6), Dropbox, Spotify or ARP scanning devices. We can use nmap to detect all...

https://isc.sans.edu/diary.html?storyid=18763&rss
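Rogue DHCP servers are the first item on the diary's list, and the check is mechanical once you can read a DHCPOFFER: every offer carries a server identifier (option 54), and any identifier not on the list of your authorised servers is a second DHCP server on the segment. The following is an added example, not code from the ISC diary or from nmap: it parses raw DHCP payloads (the UDP payload a client sees on port 68) and flags offers from unknown servers. The packets it runs over are constructed in-process with build_offer(), so nothing is sent or sniffed; the IP addresses and the allow-list are made up for the demonstration.

```python
"""Rogue DHCP server check over captured DHCPOFFER payloads.

Added example, not code from the ISC diary or from nmap. The sample packets are
constructed below (build_offer), so the script runs offline; in practice feed it
the UDP payloads captured on port 68 plus an allow-list of your real servers.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that precedes the options
DHCP_HDR_LEN = 236                 # fixed BOOTP header before the cookie
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
BOOTREPLY, DHCPOFFER = 2, 2


def build_offer(xid: int, yiaddr: str, server_ip: str) -> bytes:
    """Construct a minimal DHCPOFFER (sample data, not a real capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4,                      # ciaddr
                         IPv4Address(yiaddr).packed,     # yiaddr: the offered lease
                         IPv4Address(server_ip).packed,  # siaddr
                         b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
               + IPv4Address(server_ip).packed
               + bytes([OPT_PAD, OPT_END]))
    return header + DHCP_MAGIC + options


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk the TLV option list; tolerate padding, stop at END or at truncation."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data):
            break                                   # truncated length byte
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break                                   # truncated value: ignore the rest
        opts[code] = value
        i += 2 + length
    return opts


def parse_offer(pkt: bytes) -> Optional[Dict[str, object]]:
    """Return the fields a rogue-server check needs, or None if this is not a usable DHCPOFFER."""
    if len(pkt) < DHCP_HDR_LEN + 4 or pkt[DHCP_HDR_LEN:DHCP_HDR_LEN + 4] != DHCP_MAGIC:
        return None
    op, xid, yiaddr = pkt[0], struct.unpack("!I", pkt[4:8])[0], pkt[16:20]
    opts = parse_options(pkt[DHCP_HDR_LEN + 4:])
    if op != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    server_id = opts.get(OPT_SERVER_ID)
    if server_id is None or len(server_id) != 4:
        return None                                 # no usable server identifier
    return {"xid": xid, "yiaddr": str(IPv4Address(yiaddr)),
            "server": str(IPv4Address(server_id))}


def find_rogue_servers(payloads: List[bytes], allowed: List[str]) -> List[Dict[str, object]]:
    """Every offer whose server identifier is not one of the authorised DHCP servers."""
    allowed_set = set(allowed)
    rogues = []
    for pkt in payloads:
        offer = parse_offer(pkt)
        if offer and offer["server"] not in allowed_set:
            rogues.append(offer)
    return rogues


if __name__ == "__main__":
    # Constructed sample: one offer from the real server, one from a rogue box.
    captured = [build_offer(0x1234, "10.0.0.50", "10.0.0.1"),
                build_offer(0x1234, "192.168.1.20", "10.0.0.250")]
    for rogue in find_rogue_servers(captured, allowed=["10.0.0.1"]):
        print("rogue DHCP server", rogue["server"], "offered", rogue["yiaddr"])
```

The same transaction ID (xid) answered by two different server identifiers is the tell-tale pattern: the client broadcast one DHCPDISCOVER and two servers raced to answer. If you would rather let nmap do the probing, its broadcast-dhcp-discover script sends the DISCOVER for you and prints every server that responds; the parser above is for the case where you already have the packets.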


Testing for opened ports with firewalk technique, (Sat, Oct 4th)

There is an interesting way of knowing what kind of filters are placed in the gateway of a specific host. It is called firewalk and it is based on IP TTL expiration. The algorithm goes as follows:

1. The entire route is determined using any of the traceroute techniques available.
2. A packet is sent with the TTL equal to the distance to the target.
3. If the packet times out, it is resent with the TTL equal to the distance to the target minus one.
4. If an ICMP type 11 code 0 (Time-to-Live exceeded) is...

https://isc.sans.edu/diary.html?storyid=18761&rss
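The point of the TTL stepping is that a router expires a packet (ICMP type 11 code 0) before it applies its forwarding ACL, so the last hop that answers is the one whose filter swallowed the probe, or the one just in front of it. The following is an added example, not code from the ISC diary or from any firewalk tool: it implements the descending walk described above as pure decision logic. No packets are sent; make_topology() builds a constructed toy path (routers at hops 1..N-1, the target at hop N, an ACL on one gateway) that stands in for the network. The hop counts, ports and ACL in it are assumptions for the demonstration.

```python
"""Offline simulation of the firewalk probing logic.

Added example, not code from the ISC diary. Nothing leaves the host: a small
constructed topology answers the probes so the TTL-stepping logic can be run
and read as-is.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

ICMP_TIME_EXCEEDED = (11, 0)     # type 11 code 0: TTL expired in transit
ICMP_ADMIN_PROHIBITED = (3, 13)  # type 3 code 13: the filter rejected the probe


@dataclass(frozen=True)
class Reply:
    src_hop: int              # hop number of the device that answered
    icmp: Optional[tuple]     # (type, code) for ICMP, None when the target itself answered


# A probe function takes (dst_port, ttl) and returns a Reply, or None on timeout.
Probe = Callable[[int, int], Optional[Reply]]


def make_topology(target_hops: int, gateway_hop: int,
                  allowed_ports: Set[int], reject: bool = False) -> Probe:
    """Constructed toy path (assumption, not a real network): every hop decrements
    the TTL, the gateway at gateway_hop forwards only allowed_ports, and the ACL is
    checked after the TTL, which is the property firewalk relies on."""
    def probe(port: int, ttl: int) -> Optional[Reply]:
        for hop in range(1, target_hops + 1):
            ttl -= 1
            if ttl == 0 and hop < target_hops:
                return Reply(hop, ICMP_TIME_EXCEEDED)       # expired before the target
            if hop == gateway_hop and port not in allowed_ports:
                return Reply(hop, ICMP_ADMIN_PROHIBITED) if reject else None
            if hop == target_hops:
                return Reply(hop, None)                     # the probe reached the target
        return None
    return probe


def walk(port: int, target_hops: int, probe: Probe) -> Dict[str, object]:
    """The diary's algorithm: send with TTL = distance to the target; on timeout
    resend with the TTL one lower until something answers. The answering hop is
    the last device that handled the probe, so the filter sits there or just beyond."""
    for ttl in range(target_hops, 0, -1):
        reply = probe(port, ttl)
        if reply is None:
            continue                                        # dropped: try one hop closer
        if reply.icmp is None:
            return {"port": port, "state": "reaches target", "hop": reply.src_hop, "ttl": ttl}
        if reply.icmp == ICMP_TIME_EXCEEDED:
            return {"port": port, "state": "filtered", "hop": reply.src_hop, "ttl": ttl}
        return {"port": port, "state": "rejected", "hop": reply.src_hop, "ttl": ttl}
    return {"port": port, "state": "no response", "hop": None, "ttl": None}


def scan(ports, target_hops: int, probe: Probe) -> Dict[int, Dict[str, object]]:
    """Walk every port of interest and collect where each one stops."""
    return {p: walk(p, target_hops, probe) for p in ports}


if __name__ == "__main__":
    # Constructed sample: target five hops away, ACL on hop 3 that only passes 80 and 443.
    net = make_topology(target_hops=5, gateway_hop=3, allowed_ports={80, 443})
    for port, result in scan([22, 80, 443, 3389], 5, net).items():
        print(port, result["state"], "at hop", result["hop"], "(ttl", result["ttl"], ")")
```

A filter that silently drops and one that rejects look different on the wire: the drop shows up as a series of timeouts until the gateway's own TTL-exceeded reply at TTL = its hop count, the reject as an ICMP type 3 straight away from the full-distance probe. Against a real host, nmap's firewalk NSE script does this walk for you (it needs --traceroute to learn the path first); the simulation above only shows why its output reads the way it does.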


Shellshock-like Weakness May Affect Windows

A weakness in Windows, similar to Shellshock, may put Windows Server deployments at risk to remote code execution.

http://threatpost.com/shellshock-like-weakness-may-affect-windows/108696


Bugzilla Zero-Day Exposes Zero-Day Bugs

A previously unknown security flaw in Bugzilla -- a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions -- allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.

http://krebsonsecurity.com/2014/10/bugzilla-zero-day-exposes-zero-day-bugs/


Apple anti-malware update blocks new iWorm Mac botnet

Apple has updated its malware blacklisting system, known as XProtect, to block a Mac attack thought to have infected over 18,500 Macs.

http://www.zdnet.com/apple-anti-malware-update-blocks-new-iworm-mac-botnet-7000034364/


Using the Windows 10 Technical Preview? Microsoft might be watching your every move to help with feedback

One of the main goals with the Windows 10 Technical Preview is for Microsoft to collect feedback to help shape the final version of the operating system, which is said to be coming sometime in summer 2015. The Technical Preview requires users to register with the Windows Insider Program, which allows users to submit their own feedback about the operating system... but is Microsoft collecting more than what you think you're submitting?

http://www.winbeta.org/news/using-windows-10-technical-preview-microsoft-might-be-watching-your-every-move-help-feedback


SEO poisoning attacks still impacting legitimate websites

After recently helping a client rid their website of SEO spam, security company Sucuri detailed how SEO poisoning attacks are still impacting legitimate websites.

http://www.scmagazine.com/attackers-use-seo-spam-to-improve-the-rankings-of-their-websites-on-google-and-other-search-engines/article/375339/


Uni boffins: Accurate Android AV app outperforms most rivals

...Don't sweat, VXers, it's STILL no use against obfuscated kit. German researchers have built an Android app capable of detecting 94 percent of malware, quick enough to run on mobile devices, which they say bests current offerings in effectiveness and description.

http://go.theregister.com/feed/www.theregister.co.uk/2014/10/06/uni_bods_say_accurate_android_av_app_blasts_rivals/


Bugtraq: BulletProof Security Wordpress v50.8 - POST Inject Vulnerability

http://www.securityfocus.com/archive/1/533611


Bugtraq: CVE-2014-7277 Stored Server XSS in ZyXEL SBG-3300 Security Gateway

http://www.securityfocus.com/archive/1/533609


Bugtraq: CVE-2014-7278 DoS in ZyXEL SBG-3300 Security Gateway

http://www.securityfocus.com/archive/1/533610


Cisco IOS XR Software Compression ACL Bypass Vulnerability

CVE-2014-3396

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3396


Cisco WebEx Meetings Server Password Disclosure Vulnerability

CVE-2014-3400

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3400


Cisco ASA Software Version Information Disclosure

CVE-2014-3398

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3398


Cisco ASA Software SharePoint RAMFS Integrity and Lua Injection Vulnerability

CVE-2014-3399

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3399


IBM Security Bulletins: Vulnerabilities in Bash affect various Products

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_ibm_worklight_quality_assurance_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_2014_6278?lang=en_us
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_ds8000_hmc_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_2014_6278?lang=en_us
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_power_hardware_management_console_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_2014_6278?lang=en_us


Identity Assurance Solution Client (IASC) 3.1 Hotfix 2

Abstract: This is an update to the shipping release of the Identity Assurance Solution Client (IASC) 3.1 also known as the Novell Enhanced Smart Card Method (NESCM). The IASC client 3.1 is a standalone method that provides smart card-based authentication for eDirectory. This Hotfix has been provided to address the following security vulnerabilities found in OpenSSL & CLDAP SDK: CVE-2014-0224 & CVE-2014-3508 (Bug 893314 / 892895) Files: NTLS.DLL, LDAPSSL.DLL Filename:...

https://download.novell.com/Download?buildid=s6M5LsksoOA~


Linux Kernel Seed Initialization Flaw Reduces Randomness in Certain Values and May Make TCP Sequence Numbers More Predictable

http://www.securitytracker.com/id/1030959


VMSA-2014-0010.7

VMware product updates address critical Bash security vulnerabilities

http://www.vmware.com/security/advisories/VMSA-2014-0010.html


DSA-3046 mediawiki

security update

http://www.debian.org/security/2014/dsa-3046


Bugtraq: [SECURITY] [DSA 3044-1] qemu-kvm security update

http://www.securityfocus.com/archive/1/533619


Bugtraq: [SECURITY] [DSA 3045-1] qemu security update

http://www.securityfocus.com/archive/1/533621


SSA-860967 (Last Update 2014-10-06): GNU Bash Vulnerabilities in Siemens Industrial Products

https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-860967.pdf


[remote] - OpenVPN 2.2.29 - ShellShock Exploit

http://www.exploit-db.com/exploits/34879