End-of-Shift report
Timeframe: Montag 07-04-2014 18:00 − Dienstag 08-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
Der GAU für Verschlüsselung im Web: Horror-Bug in OpenSSL
Ein äußerst schwerwiegender Programmierfehler gefährdet offenbar Verschlüsselung, Schlüssel und Daten der mit OpenSSL gesicherten Verbindungen im Internet. Angesichts der Verbreitung der OpenSource-Biliothek eine ziemliche Katastrophe.
http://www.heise.de/security/meldung/Der-GAU-fuer-Verschluesselung-im-Web-Horror-Bug-in-OpenSSL-2165517.html
VU#568252: Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability
Vulnerability Note VU#568252 Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability Original Release date: 07 Apr 2014 | Last revised: 07 Apr 2014 Overview Websense Triton Unified Security Center 7.7.3 and possibly earlier versions contains an information disclosure vulnerability which could allow an authenticated attacker to view stored credentials of a possibly higher privileged user. Description CWE-200: Information ExposureWhen logged into the Websense Triton
http://www.kb.cert.org/vuls/id/568252
Energieversorger testet Sicherheit – und fällt durch
In „Stirb langsam 4.0“ fahren Cyber-Gauner übers Internet die komplette Stromversorgung im Osten der USA herunter. Ein unrealistisches Szenario? Nicht ganz ...
http://www.heise.de/newsticker/meldung/Energieversorger-testet-Sicherheit-und-faellt-durch-2165153.html/from/rss09?wt_mc=rss.ho.beitrag.rdf
The Muddy Waters of XP End-of-Life and Public Disclosures
Security researchers who have privately disclosed Windows XP vulnerabilities to Microsoft may never see patches for their bugs with XPs end of life date at hand. Will there be a rash of public disclosures?
http://threatpost.com/the-muddy-waters-of-xp-end-of-life-and-public-disclosures/105295
2013 wurden Daten von über 500 Millionen Nutzern geklaut
Daten von mehr als einer halben Milliarde Internet-Nutzer sind im vergangenen Jahr nach Berechnung von IT-Sicherheitsexperten bei Online-Angriffen gestohlen worden.
http://futurezone.at/digital-life/2013-wurden-daten-von-ueber-500-millionen-nutzern-geklaut/59.792.048
Hintergrund: ct-Fritzbox-Test spürt verborgene Geräte auf
Manche Nutzer des Fritzbox-Tests erhalten unerwartete Ergebnisse. Nicht selten sind WLAN-APs, Repeater oder andere AVM-Geräte die Ursache. Darüber hinaus gibt es auch einige Fehlerquellen, die einen händischen Test erforderlich machen können.
http://www.heise.de/newsticker/meldung/Hintergrund-c-t-Fritzbox-Test-spuert-verborgene-Geraete-auf-2165771.html/from/rss09?wt_mc=rss.ho.beitrag.rdf
The 2013 Internet Security Threat Report: Year of the Mega Data Breach
Once again, it’s time to reveal the latest findings from our Internet Security Threat Report (ISTR), which looks at the current state of the threat landscape, based on our research and analysis from the past year. Key trends from this year’s report include the large increase in data breaches and targeted attacks, the evolution of mobile malware and ransomware, and the potential threat posed by the Internet of Things.
http://www.symantec.com/connect/blogs/2013-internet-security-threat-report-year-mega-data-breach
Cacti Multiple Vulnerabilities
Some vulnerabilities have been reported in Cacti, which can be exploited by malicious users to conduct script insertion and SQL injection attacks and compromise a vulnerable system.
* CVE-2014-2326
* CVE-2014-2708
* CVE-2014-2709
https://secunia.com/advisories/57647
Open-Xchange Email Autoconfiguration Information Disclosure Weakness
A weakness has been reported in Open-Xchange, which can be exploited by malicious people to disclose certain sensitive information.
The weakness is caused due to the application communicating certain information via parameters of a GET request when using the email autoconfiguration, which can be exploited to disclose the account password.
https://secunia.com/advisories/57654
VU#345337: J2k-Codec contains multiple exploitable vulnerabilities
Vulnerability Note VU#345337 J2k-Codec contains multiple exploitable vulnerabilities Original Release date: 08 Apr 2014 | Last revised: 08 Apr 2014 Overview J2k-Codec contains multiple exploitable vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description J2k-Codec is a JPEG 2000 decoding library for Windows. J2k-Codec contains multiple exploitable exploitable vulnerabilities that can lead to arbitrary code execution.
http://www.kb.cert.org/vuls/id/345337