End-of-Shift report
Timeframe: Thursday 30-04-2015 18:00 − Monday 04-05-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
eBay has ignored an XSS hole for a year
A vulnerability in eBay allows attackers to record a session and, in the worst case, take over an account. The hole is a year old and still has not been closed.
http://heise.de/-2630964
Threatpost News Wrap, May 1, 2015
Dennis Fisher and Mike Mimoso discuss the post-RSA news, including the MySQL bug, the progress of the OpenSSL overhaul and the wildly entertaining House hearing on crypto backdoors.
http://threatpost.com/threatpost-news-wrap-may-1-2015/112538
3062591 - Local Administrator Password Solution (LAPS) Now Available - Version: 1.0
Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.
https://technet.microsoft.com/en-us/library/security/3062591
New Google Password Alert extension already hacked
A few hours after Google presented the Password Alert extension, a researcher had already developed two methods to bypass it. A few hours ago, Google released the Password Alert extension, which was designed to warn users when they are submitting their Google credentials to fraudulent websites. Here's how it works for consumer accounts. Once you've...
http://securityaffairs.co/wordpress/36483/hacking/password-alert-extension-hacked.html
VolDiff, for memory image differential analysis, (Sun, May 3rd)
VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution providing a differential analysis, helping identify IOCs and understand advanced malware behaviour. I had intended to include it in my latest toolsmith article, Attack Detection: Hunting in-memory adversaries with Rekall and WinPmem, but quite literally ran out of space and time. Using WinPmem, as part of Rekall and GRR offerings, you can acquire two memory images, one clean
https://isc.sans.edu/diary.html?storyid=19651&rss
Traffic pattern change noted in Fiesta exploit kit, (Mon, May 4th)
A few hours ago, Jerome Segura, the Senior Security Researcher at Malwarebytes, tweeted about a change in traffic patterns from Fiesta exploit kit (EK) [1]. What had been semi-colons in the URLs from Fiesta EK are now commas. Any signatures for detecting Fiesta EK that depend on those semi-colons will need to be updated. A pcap of the traffic is available at
http://malware-traffic-analysis.net/2015/05/04/2015-05-04-Fiesta-EK-traffic.pcap, and a zip file of the
https://isc.sans.edu/diary.html?storyid=19655&rss
Securing the smart grid: European Network of Cyber Security
Dr. Klaus Kursawe is the Chief Scientist at the European Network of Cyber Security (ENCS), where he is leading the research and development activities for critical infrastructure security. In this int...
http://www.net-security.org/article.php?id=2270
Nasty Dyre malware bests white hat sandboxes
Core checker a defensive wrecker Seculert CTO Aviv Raff says a nasty piece of malware linked to widespread destruction and bank account plundering has become more dangerous with the ability to evade popular sandboxes.
http://go.theregister.com/feed/www.theregister.co.uk/2015/05/04/dyre_malware_sandbox_evasion/
Anti-phishing extension for Chrome bypassed multiple times
The Chrome plug-in Password Alert is supposed to raise an alarm when users enter their login data on phishing websites. In the meantime, however, the function has been circumvented repeatedly.
http://heise.de/-2632031
Linuxwochen from 7 to 9 May in Vienna
At the FH Technikum Wien, workshops and talks on encryption, 3D printing and open hardware take place from Thursday to Sunday.
http://futurezone.at/produkte/linuxwochen-von-7-bis-9-mai-in-wien/128.621.444
AlphaCrypt
We've encountered yet another encrypting ransomware variant, and at this point it's expected, since the scam has exploded in popularity since its inception in late 2013. This one has a GUI that is almost...
http://www.webroot.com/blog/2015/05/04/alphacrypt/
Microsoft Security Bulletin MS15-032 - Critical
V2.0 (April 30, 2015): Updated bulletin to inform customers running Internet Explorer on Windows Server 2003 Service Pack 2 that the 3038314 update on the Microsoft Download Center was updated on April 22, 2015. Microsoft recommends that customers who installed the 3038314 update prior to April 22 should reinstall the update to be fully protected from the vulnerabilities discussed in this bulletin.
https://technet.microsoft.com/en-us/library/security/MS15-032
DSA-3249 jqueryui - security update
Shadowman131 discovered that jqueryui, a JavaScript UI library for dynamic web applications, failed to properly sanitize its title option. This would allow a remote attacker to inject arbitrary code through cross-site scripting.
https://www.debian.org/security/2015/dsa-3249
DSA-3244 owncloud - security update
Multiple vulnerabilities were discovered in ownCloud, a cloud storage web service for files, music, contacts, calendars and many more.
https://www.debian.org/security/2015/dsa-3244
IBM Security Bulletins
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us
Cisco Finesse Server Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=38607
Squid SSL-Bump Certificate Validation Flaw Lets Remote Servers Bypass Client-side Certificate Validation
http://www.securitytracker.com/id/1032221
VMSA-2015-0003.6
VMware product updates address critical information disclosure issue in JRE
http://www.vmware.com/security/advisories/VMSA-2015-0003.html
VU#581276: EMC AutoStart is vulnerable to remote code execution via specially crafted packets
Vulnerability Note VU#581276: EMC AutoStart is vulnerable to remote code execution via specially crafted packets
Original Release date: 30 Apr 2015 | Last revised: 30 Apr 2015
Overview: EMC AutoStart, version 5.5.0 and earlier, is vulnerable to remote command execution via specially crafted packets.
Description: EMC AutoStart is an enterprise software application developed to help networks and service maintain a high level of availability. AutoStart can manage clusters of applications or nodes
http://www.kb.cert.org/vuls/id/581276
Splunk Enterprise 6.2.3 and Splunk Light 6.2.3 address five vulnerabilities
Description: Splunk Enterprise 6.2.3 and Splunk Light 6.2.3 address five vulnerabilities.
- Multiple vulnerabilities in OpenSSL prior to 1.0.1m (SPL-98351)
- Disable SSLv3 in KV Store Replication (SPL-96280)
- Secure flag inconsistently set for session cookies when appServerPorts!=0 (SPL-95798)
- Cross-site scripting in Search (SPL-95594)
- Cross-site scripting in management and configuration (SPL-93516)
At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have
http://www.splunk.com/view/SP-CAAANZ7
RSA Identity Management and Governance Password Reset Weakness Lets Remote Users Gain Privileged Access
http://www.securitytracker.com/id/1032218
Security Advisory: TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 (SOL14190)
https://support.f5.com:443/kb/en-us/solutions/public/14000/100/sol14190.html?ref=rss
OPTO 22 Multiple Product Vulnerabilities
This advisory provides mitigation details for vulnerabilities that are present in the OPTO 22 PAC Project Professional, PAC Project Basic, OptoOPCServer, OptoDataLink, PAC Display Basic, and PAC Display Professional products.
https://ics-cert.us-cert.gov/advisories/ICSA-15-120-01
Clam AntiVirus Multiple File Processing Flaws Let Remote Users Deny Service
http://www.securitytracker.com/id/1032223
Dell SonicWALL Secure Remote Access Access Control Flaw in cgi-bin/editBookmark Lets Remote Users Conduct Cross-Site Request Forgery Attacks
http://www.securitytracker.com/id/1032227
SSA-311412 (Last Update 2015-05-04): Incorrect Certificate Verification in Android App HomeControl for Room Automation
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-311412.pdf