Daily summary - Wednesday 18-11-2015

End-of-Shift report

Timeframe: Tuesday 17-11-2015 18:00 − Wednesday 18-11-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter

Adobe releases out-of-band security patches - amazingly not for Flash

ColdFusion, LiveCycle and Premiere get fixed ... Adobe says that it hasn't seen any evidence that these flaws are being exploited in the wild, but that users should patch anyway, just to be on the safe side - certainly before hackers reverse-engineer the updates and start abusing the bugs...

http://www.theregister.co.uk/2015/11/17/adobe_releases_outofband_security_patches_amazingly_not_for_flash/


Introducing Chuckle and the importance of SMB signing

Digital signing is a feature of SMB designed to allow a recipient to confirm the authenticity of SMB packets and to prevent tampering during transit - this feature was first made available back in Windows NT 4.0 Service Pack 3. By default, only domain controllers require packets to be signed and this default behavior is usually seen in most corporate networks.

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/november/introducing-chuckle-and-the-importance-of-smb-signing/


Team Cymru: Free tools for incident response

We at Team Cymru would like to be helpful to incident response vendors in implementing the USG's growing security strategy. To that end, we have identified a few of our free community resources (and one commercial service) that would be most useful to IR.

https://blog.team-cymru.org/2015/11/free-tools-for-incident-response-and-a-word-from-the-us-government/


How two seconds become two days

At 3:37PM PST, we had a power blip in one of our datacenters. In those two seconds, over 1,000 systems blinked offline. As a non-profit, we don't have all of those niceties such as hot-hot datacenters or those new fangled UPSes. Instead, we do it the old fashioned way, which means we are susceptible to...

http://blog.shadowserver.org/2015/11/17/how-two-seconds-become-two-days/


A flaw in D-Link Switches opens corporate networks to hack

A flaw in certain D-Link switches can be exploited by remote attackers to access configuration data and hack corporate networks. The independent security researcher Varang Amin and the chief architect at Elastica's Cloud Threat Labs Aditya Sood have discovered a vulnerability in the D-Link Switches belonging to the DGS-1210 Series Gigabit Smart Switches. The security experts revealed...

http://securityaffairs.co/wordpress/42054/hacking/d-link-switches-flaw.html


Blast from the Past: Blackhole Exploit Kit Resurfaces in Live Attacks

The year is 2015 and a threat actor is using the defunct Blackhole exploit kit in active drive-by download campaigns via compromised websites.

https://blog.malwarebytes.org/exploits-2/2015/11/blast-from-the-past-blackhole-exploit-kit-resurfaces-in-live-attacks/


Google VirusTotal - now with autoanalysis of OS X malware

Google just announced that its virus classification and auto-analysis service, VirusTotal, is now officially interested in OS X malware.

http://feedproxy.google.com/~r/nakedsecurity/~3/buCfkbvoJqQ/


Nishang: A Post-Exploitation Framework

Introduction: I was recently doing an external penetration test for one of our clients, where I got shell access to Windows Server 2012 (Internal WebServer sitting behind an IPS) with Administrative Privileges. It also appears to have an Antivirus installed on the system as everything I was uploading on to the machine was being deleted on...

http://resources.infosecinstitute.com/nishang-a-post-exploitation-framework/


10 dumb security mistakes sys admins make

Security isn't merely a technical problem -- it's a people problem. There's only so much technology you can throw at a network before dumb human mistakes trip you up. But guess what? Those mistakes are often committed by the very people who should know better: system administrators and other IT staff.

http://www.cio.com/article/3006147/security/10-dumb-security-mistakes-sys-admins-make.html#tk.rss_security


SANS Pentest Summit: Evil DNS tricks by Ron Bowes - slide deck

Things I'm gonna talk about:
* How to use DNS in pentesting
* How to use DNS's indirect nature
* DNS tunnelling (dnscat2)

https://docs.google.com/presentation/d/1Jxh6PPO9JbUqXwOCTQFyA00uQoFMDBh-1PedDOp1Z0Y/edit?pli=1


Cyber Security Assessment Netherlands 2015: cross-border cyber security approach necessary

The CSAN has five Core Findings:
* Cryptoware and other ransomware constitute the preferred business model for cyber criminals
* Geopolitical tensions manifest themselves increasingly often in (impending) digital security breaches
* Phishing is often used in targeted attacks and can barely be recognised by users
* Availability becomes more important as alternatives to IT systems are disappearing
* Vulnerabilities in software are still the Achilles heel of digital security

https://www.ncsc.nl/english/current-topics/Cyber+Security+Assessment+Netherlands/cyber-security-assessment-netherlands-2015%5B2%5D.html


Inside the Conficker-Infected Police Body Cameras

A Florida integrator who discovered the Conficker worm lurking in body cameras meant for police use takes Threatpost inside the story, including a frustrating disclosure with a disbelieving manufacturer.

http://threatpost.com/inside-the-conficker-infected-police-body-cameras/115407/


EMC VPLEX GeoSynchrony Default Log Level Lets Local Users View Passwords

http://www.securitytracker.com/id/1034169


F5 security advisory: NTP vulnerability CVE-2015-5300

A man-in-the-middle attacker able to intercept network time protocol (NTP) traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value at any time.

https://support.f5.com/kb/en-us/solutions/public/k/10/sol10600056.html?ref=rss


Atlassian Hipchat XSS to RCE

Topic: Atlassian Hipchat XSS to RCE
Risk: Medium
Text: Two issues exist in Atlassian's HipChat desktop client that allow an attacker to retrieve files or execute remote code when a...

https://cxsecurity.com/issue/WLB-2015110164


[HTB23272]: RCE and SQL injection via CSRF in Horde Groupware

Product: Horde Groupware v5.2.10
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk level: High
Creator: http://www.horde.org
Advisory Publication: September 30, 2015 [without technical details]
Public Disclosure: November 18, 2015
CVE Reference: CVE-2015-7984
CVSSv2 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H]
Vulnerability Details: High-Tech Bridge Security Research Lab discovered three Cross-Site Request Forgery (CSRF) vulnerabilities in a popular collaboration...

https://www.htbridge.com/advisory/HTB23272


Security Advisory - Information Leak Vulnerability in Huawei DSM Product

There is an information leak vulnerability in the DSM (Document Security Management) product. The DSM does not clear the clipboard after data in a secure file opened using the DSM is copied and the secure file is closed. Data in the clipboard can then be pasted into ordinary documents that do not use the DSM, leading to information leaks. (Vulnerability ID: HWPSIRT-2015-09009) Huawei has released software updates to fix these vulnerabilities.

http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-462410.htm


Symantec Endpoint Protection Elevation of Privilege Issues SYM15-011

11/16/2015 - Assigned a new CVE ID, CVE-2015-8113 and Bugtraq ID 77585, to the SEP Client Binary Planting Partial Fix to differentiate between the original fix released in 12.1-RU6-MP1 and the updated issue and fix released in 12.1-RU6-MP3

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20151109_00


Cisco Security Advisories

Cisco Firepower 9000 USB Kernel Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fire

Cisco Firepower 9000 Command Injection at Management I/O Command-Line Interface Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fire1

Cisco Firepower 9000 Persistent Cross-Site Scripting Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower2

Cisco Firepower 9000 Cross-Site Request Forgery Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower3

Cisco Firepower 9000 Series Switch Clickjacking Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower4

Cisco Firepower 9000 Arbitrary File Read Access Script Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower1

IBM Security Bulletins

IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-4852)

http://www.ibm.com/support/docview.wss?uid=swg21970575

IBM Security Bulletin: IBM Sterling B2B Integrator has Cross Site Scripting vulnerabilities in Queue Watcher (CVE-2015-7431)

http://www.ibm.com/support/docview.wss?uid=swg21970676

IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 affect IBM Flex System Manager (FSM)

http://www.ibm.com/support/docview.wss?uid=isg3T1022835

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director Storage Control (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931 )

http://www.ibm.com/support/docview.wss?uid=isg3T1022936

IBM Security Bulletin: IBM Tivoli Monitoring (CVE-2015-1829, CVE-2015-3183, CVE-2015-1283, CVE-2015-4947, CVE-2015-2808)

http://www.ibm.com/support/docview.wss?uid=swg21970056

IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 affect IBM Flex System Manager (FSM)

http://www.ibm.com/support/docview.wss?uid=isg3T1022820