End-of-Shift report
Timeframe: Mittwoch 02-04-2014 18:00 − Donnerstag 03-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
Researchers Divulge 30 Oracle Java Cloud Service Bugs
Upset with the vulnerability handling process at Oracle, researchers yesterday disclosed over two dozen issues with the company’s Java Cloud Service platform.
http://threatpost.com/researchers-divulge-30-oracle-java-cloud-service-bugs/105190
Ad Violations: Why Search Engines Won’t Display Your Site If it’s Infected With Malware
As your site’s webmaster, have you ever seen an e-mail from Google like this: Hello, We wanted to alert you that one of your sites violates our advertising policies. Therefore, we won’t be able to run any of your ads that link to that site, and any new ads pointing to that site will alsoRead More
http://feedproxy.google.com/~r/sucuri/blog/~3/kz7JGX2ydIU/ad-violations-why-search-engines-wont-display-your-site-if-its-infected-with-malware.html
IBM Lotus Web Content Managemen cross-site scripting
IBM Lotus Web Content Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
http://xforce.iss.net/xforce/xfdb/90566
Watching the watchers, (Thu, Apr 3rd)
A lot of companies today have various IDS and IPS devices implemented in their internal network (especially if you must be compliant with PCI DSS, for example). So these devices get implemented to monitor various traffic at various interfaces/perimeters in a company, but the question I got asked is how can we be sure that the IDS/IPS is doing its job? Obviously, some simple monitoring should be in place – this typically consists of pinging the device or collecting various counters such
http://isc.sans.edu/diary.html?storyid=17895&rss
Macro-Enabled Files Used as Infection Vectors (Again)
Macro-based attacks were popular in the early 2000s, but they gained much notoriety with the much publicized coverage of the Melissa virus. However, macro-based attacks soon began to drop off the radar. One major reason for this would be the security measures implemented by Microsoft to address malicious macro files. Another probable reason would also […]Post from: Trendlabs Security Intelligence Blog - by Trend MicroMacro-Enabled Files Used as Infection Vectors (Again)
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/1X49GtDdVuU/
New Check_MK stable release 1.2.4p1
The most important changes are security patches for two CVEs (CVE-2014-2330 and CVE-2014-2331) which have been published on 2014-03-24 and 2014-03-28 on the bugtraq mailinglist. The mail from 2014-03-24 contained wrong information on the not-fixed issues, which had been corrected with the mail from 2014-03-28. All of the reported security related issues are fixed with this release.
http://lists.mathias-kettner.de/pipermail/checkmk-announce/2014-April/000083.html
A Series of Introductory Malware Analysis Webcasts
If you are looking to get started with malware analysis, tune into the webcast series I created to illustrate key tools and techniques for examining malicious software.
http://blog.zeltser.com/post/80874760857/introductory-malware-analysis-webcasts
Twelve sources of global cyber attack maps
1 - Cyber Warfare Real Time Map by Kaspersky
2 - Top Daily DDoS Attacks Worldwide by Google
3 - Security Tachometer by Deutche Telekom
4 - Cyberfeed Live Botnet Map by AnubisNetworks
5 - Real-time Web Monitor by Akamai
6 - IpViking Live Map by Norse
7 - Honeypots from the Honeynet Project
8 - Global Activity Maps by Arbor
9 - Global Botnet Threat Activity Map by Trend Micro
10 - DDoS Attacks by ShadowServer
11 - Internet Malicious Activity Maps by TeamCymru
12 - Globe and WorldMap by F-Secure
http://sseguranca.blogspot.com.br/2014/03/ten-sources-of-global-cyber-attack-maps.html
SNMPCheck - Enumerate the SNMP devices
Like to snmpwalk, snmpcheck allows you to enumerate the SNMP devices and places the output in a very human readable friendly format. It could be useful for penetration testing or systems monitoring.
http://hack-tools.blackploit.com/2014/04/snmpcheck-enumerate-snmp-devices.html
The Right Stuff: Staffing Your Corporate SOC
In my experience, passing a certification exam or getting a degree simply shows that a potential employee is a good test-taker or has the determination to plow through a degree program. Neither substitutes for the wealth of experience SOC analysts need to be good at their jobs.
Don’t get me wrong. Certification programs can be an important piece of a cyber-security practitioner’s complete education.
http://www.darkreading.com/operations/careers-and-people/the-right-stuff-staffing-your-corporate-soc/d/d-id/1127873
FortiBalancer SSH Access Security Bypass Vulnerability
A vulnerability has been reported in FortiBalancer, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to a configuration error related to SSH access and can be exploited to gain otherwise restricted SSH access.
The vulnerability is reported in FortiBalancer 400, 1000, 2000, and 3000.
https://secunia.com/advisories/57673
Sicherheit: Fahnder entdecken Datensatz mit 18 Millionen Mailkonten
Schon wieder ist eine Datei mit Millionen gehackten Mailkonten sichergestellt worden. Alle großen deutschen E-Mail-Provider und mehrere internationale Anbieter sollen betroffen sein. (Spam, Computer)
http://www.golem.de/news/sicherheit-fahnder-entdecken-datensatz-mit-18-millionen-mailkonten-1404-105598-rss.html
Tool Estimates Incident Response Cost for Businesses
A new tool called CyberTab will help businesses estimate the cost of real and potential cyberattacks, and the amount a company could possibly save by investing in preventative measures and technologies.
http://threatpost.com/tool-estimates-incident-response-cost-for-businesses/105224
Bugtraq: [softScheck] Denial of Service in Microsoft Office 2007-2013
softScheck has identified a Denial of Service vulnerability in Microsoft Outlook 2007-2013. A remote attacker can send a plaintext email containing an XML bomb as the message body, causing Outlook to freeze while opening the email. This forces the user to terminate the Outlook process.
In the default Outlook configuration, in which email contents are displayed in a reading pane in the main window, the impact is more severe: Outlook will freeze while starting and will not be able to start anymore, since it tries to open and display the email during startup.
To resolve the issue, Outlook needs to be started in safe mode and the email needs to be deleted.
http://www.securityfocus.com/archive/1/531722
DFRWS EU 2014 Annual Conference
DFRWS has a long history of being the foremost digital forensics research venue and has decided to hold a sister conference to bring the same opportunities to Europe. The first annual DFRWS EU conference will be held from May 7 to 9, 2014 in Amsterdam, NL.
http://www.dfrws.org/2014eu/
Cisco IOS Software IKE Main Mode Vulnerability
A vulnerability in the Internet Key Exchange (IKE) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to delete established security associations on an affected device.
The vulnerability is due to improper handling of rogue IKE Main Mode packets. An attacker could exploit this vulnerability by sending a crafted IKE Main Mode packet to an affected device. An exploit could allow the attacker to cause valid, established IKE security associations on an affected device to drop.
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2143