End-of-Shift report
Timeframe: Friday 28-11-2014 18:00 − Monday 01-12-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
[Update] (No) security hole in Cisco's H.264 module for Firefox
Cisco has issued a security advisory for the video codec it recently made available for Firefox. [update]However, this reportedly does not affect the version used in the current web browser.[/update]
http://www.heise.de/security/meldung/Update-Keine-Sicherheitsheitsluecke-in-Ciscos-H-264-Modul-fuer-Firefox-2468153.html
EVIL researchers dupe EVERY 32 bit GPG print
Keys fall in four seconds. Researchers have found collision attacks for 32 bit GPG keys leaving the superseded technology well and truly dead.
http://go.theregister.com/feed/www.theregister.co.uk/2014/12/01/evil_researchers_dupe_every_32bit_gpg_print/
Critical denial of service vulnerability in OpenVPN servers
A critical denial of service security vulnerability affecting OpenVPN servers was recently brought to our attention. A fixed version of OpenVPN (2.3.6) will be released today/tomorrow (1st Dec 2014) at around 18:00 UTC.
https://forums.openvpn.net/topic17625.html
FIN4: Stealing Insider Information for an Advantage in Stock Trading?
FireEye tracks a threat group that we call “FIN4,” whose intrusions seem to have a different objective: to obtain an edge in stock trading. FIN4 appears to conduct intrusions that are focused on a single objective: obtaining access to insider information capable of making or breaking the stock prices of public companies. The group specifically targets the emails of C-level executives, legal counsel, regulatory, risk, and compliance personnel, and other individuals who would regularly discuss confidential, market-moving information.
https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html
ENISA survey: New Directions in securing personal Data
Under the growing interest in the areas of personal data protection and cryptography, ENISA has launched a project with the objective to detect the existing technological gaps in the fields.
http://www.enisa.europa.eu/media/news-items/enisa-survey-new-directions-in-securing-personal-data
Flushing out the Crypto Rats - Finding "Bad Encryption" on your Network, (Mon, Dec 1st)
Just when folks get around to implementing SSL, we need to retire SSL! Not a week goes by that a client isn't asking me about SSL (or more usually TLS) vulnerabilities or finding issues on their network. In a recent case, my client had just finished a datacenter / PCI audit, and had one of his servers come up as using SSL 2.0, which of course has been deprecated since 1996 - the auditor's recommendation was to update to SSL 3.0 (bad recommendation, keep reading on). When he then updated to SSL...
https://isc.sans.edu/diary.html?storyid=19009&rss
AGbot DDoS Attacks Internet VNC Servers
Last week, our FortiGuard Labs Threat Intelligence system was able to capture a DDoS attack targeting internet VNC servers. The attack was raised by a brand new IrcBot, which we are detecting as W32/AGbot.AB!tr. Let's now dig into the details of this attack.
http://blog.fortinet.com/post/agbot-ddos-attacks-internet-vnc-servers
Researchers identify POS malware targeting ticket machines, electronic kiosks
Electronic kiosks and ticketing systems are being targeted by a new type of point-of-sale (POS) threat known as "d4re|dev1|," which acts as an advanced backdoor with remote administration and has RAM scraping and keylogging features, according to IntelCrawler.
http://www.scmagazine.com/researchers-identify-pos-malware-targeting-ticket-machines-electronic-kiosks/article/385558/
Early version of new POS malware family spotted
A security researcher came across what appears to be a new family of point-of-sale malware that few antivirus programs were detecting. Nick Hoffman, a reverse engineer, wrote that the Getmypass malware shares traits that are similar to other so-called RAM scrapers, which collect unencrypted payment card data held in a payment system's memory.
http://www.cio.com/article/2853274/early-version-of-new-pos-malware-family-spotted.html
Sandbox Escape Bug in Adobe Reader Disclosed
Details and exploit code for a vulnerability in Adobe Reader have surfaced and the bug can be used to break out of the Reader sandbox and execute arbitrary code. The bug was discovered earlier this year by a member of Google's Project Zero and reported to Adobe, which made a change to Reader that made it...
http://threatpost.com/sandbox-escape-bug-in-adobe-reader-disclosed/109637
Using Shodan from the Command-Line
Have you ever needed to write a quick script to download data from Shodan? Or setup a cronjob to check what Shodan found on your network recently? How about getting a list of IPs out of the Shodan API? For the times where you'd like to have easy script-friendly access to Shodan there's now a new command-line tool appropriately called shodan.
http://shodanio.wordpress.com/2014/12/01/using-shodan-from-the-command-line/
l+f: Door controller with a backdoor
With the Entrypass N5200 door control module, the name says it all: everyone gets in - at least if they come in over the network rather than through the door.
http://www.heise.de/security/meldung/l-f-Tuersteuerung-mit-Hintertuer-2470024.html
Dridex Phishing Campaign uses Malicious Word Documents, (Mon, Dec 1st)
This is a guest diary submitted by Brad Duncan. During the past few months, botnet-based campaigns have sent waves of phishing emails associated with Dridex. Today, we'll examine a wave that occurred approximately 3 weeks ago. The emails contained malicious Word documents, and with macros enabled, these documents infected Windows computers with Dridex malware. Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog [3] and TechHelpList [4] often report on these and
https://isc.sans.edu/diary.html?storyid=19011&rss
Malware: Fake Telekom invoices with full customer names
The emails circulating since November 2014 that carry malware as attachments to supposed Telekom invoices have reached a new level. Recipients are now addressed by their first and last names.
http://www.golem.de/news/malware-gefaelschte-telekom-rechnungen-mit-vollstaendigen-kundennamen-1412-110884-rss.html
Clubbing Seals - Exploring the Ecosystem of Third-party Security Seals
Is this website secure? Well, it just contains statically generated content and holds no personal information, so most likely it is. But how would you be able to tell whether it actually is secure? This problem is exactly what security seal providers are trying to tackle. These seal providers offer a service which allows website owners to show their customers that their website is secure, and therefore safe to use. This works as follows:...
https://vagosec.org/2014/11/clubbing-seals/
Raiffeisen warns of Trojan targeting online banking
Do not carry out any "test transfers"
http://derstandard.at/2000008856256
DSA-3081 libvncserver
security update
http://www.debian.org/security/2014/dsa-3081
DSA-3080 openjdk-7
security update
http://www.debian.org/security/2014/dsa-3080
DSA-3083 mutt
security update
http://www.debian.org/security/2014/dsa-3083
DSA-3082 flac
security update
http://www.debian.org/security/2014/dsa-3082
Security Notice-Statement on Multiple Vulnerabilities in Huawei P2 Smartphone
Nov 29, 2014 17:47
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/hw-400614.htm
Vuln: LibYAML and Perl YAML-LibYAML Module scanner.c Remote Denial of Service Vulnerability
http://www.securityfocus.com/bid/71349
Bugtraq: CVE-2014-3809: Reflected XSS in Alcatel Lucent 1830 PSS-32/16/4
http://www.securityfocus.com/archive/1/534124