End-of-Shift report
Timeframe: Wednesday 03-06-2015 18:00 - Friday 05-06-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
Zero-Day Disclosed in Unity Web Player
A zero-day vulnerability has been disclosed in the popular Unity Web Player browser plugin. The flaw allows an attacker cross-domain access to websites and services using the victim's credentials.
http://threatpost.com/zero-day-disclosed-in-unity-web-player/113124
PCI Council releases PA-DSS 3.1, nixes SSL, early TLS
The PCI Security Standards Council's revisions to PA-DSS address the SSL vulnerabilities.
http://feedproxy.google.com/~r/SCMagazineHome/~3/Ybnmzlufdo4/
Embedded: ATMs should update from XP to Windows 10
The industry body ATM Industry Association is calling on manufacturers to skip Windows 8 and 8.1 on ATMs. They should not rest on Windows XP either.
http://www.golem.de/news/embedded-geldautomaten-sollen-von-xp-auf-windows-10-updaten-1506-114475-rss.html
ICS Amsterdam 2015
SANS ICS Amsterdam 2015 hosts five dedicated training courses for those tasked with securing Industrial Control Systems, as well as a two-day ICS Security Summit. This specialist training event takes place at the Radisson Blu Amsterdam from September 22nd - 28th.
https://www.sans.org/event/ics-amsterdam-2015
Critical vulnerabilities in JSON Web Token libraries
Great. So, what's wrong with that? ... Meet the "none" algorithm.
http://ab0files.com/critical-vulnerabilities-in-json-web-token-libraries
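The "none" problem in one self-contained script. This is an added illustration, not code from the linked article or from any of the affected libraries: a verifier that trusts the alg field of the (unauthenticated) JWT header will accept a token whose signature has been stripped, while a verifier that pins the expected algorithm server-side rejects it. The secret, the claims and the helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample inputs for this example (not from the original page).
SECRET = b"server-side-hmac-secret"
CLAIMS = {"sub": "alice", "admin": False}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def _hs256(secret: bytes, header_b64: str, payload_b64: str) -> bytes:
    return hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Server side: issue a legitimate HS256 token (header.payload.signature)."""
    header_b64 = _segment({"alg": "HS256", "typ": "JWT"})
    payload_b64 = _segment(claims)
    return f"{header_b64}.{payload_b64}.{b64url_encode(_hs256(secret, header_b64, payload_b64))}"


def forge_none(claims: dict) -> str:
    """Attacker side: arbitrary claims, alg set to "none", empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_vulnerable(token: str, secret: bytes):
    """Honours whatever alg the header announces - the pattern the article describes."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "none":
        # No signature required: the attacker's claims are accepted as-is.
        return json.loads(b64url_decode(payload_b64))
    if alg == "HS256" and hmac.compare_digest(_hs256(secret, header_b64, payload_b64),
                                              b64url_decode(sig_b64)):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, secret: bytes, expected_alg: str = "HS256"):
    """The algorithm is a server-side decision; the header must merely agree with it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != expected_alg:
        return None
    if not hmac.compare_digest(_hs256(secret, header_b64, payload_b64), b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    forged = forge_none({"sub": "mallory", "admin": True})
    print("vulnerable verifier accepts forged token:", verify_vulnerable(forged, SECRET))
    print("hardened verifier rejects forged token:  ", verify_hardened(forged, SECRET))
    print("hardened verifier accepts real token:    ", verify_hardened(sign_hs256(CLAIMS, SECRET), SECRET))
```

The fix is the same whichever library is in use: the accepted algorithm (or an allow-list of algorithms) is configured by the verifying server, never read from the token, and the signature check is a constant-time comparison.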
Warning: open intranets reveal too much
Many organisations run their own intranet. Some inadvertently put confidential documents online where Google can find them. We picked out a few examples via Google.
http://heise.de/-2680058
Asprox / Kuluoz Botnet Analysis
Introduction: Kuluoz, aka Asprox, is a spam botnet that emerged in 2007. It has been known for sending masses of phishing emails used in conjunction with social engineering lures (e.g. booking confirmations, postal-themed spam, etc.). This article presents a view on the malware and its capabilities, how it communicates with the CnC, the encryption schemes used,...
http://resources.infosecinstitute.com/asprox-kuluoz-botnet-analysis/
Wi-Fi trick aims to extract credit card data from Apple Pay users
Attackers can abuse iOS's automatic Wi-Fi connection behaviour to phish for credit card details with a manipulated Apple Pay dialog, a security firm warns.
http://heise.de/-2680369
IBM Security Bulletins
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us
McAfee ePolicy Orchestrator SSL/TLS spoofing
http://xforce.iss.net/xforce/xfdb/103610
Vulnerabilities in Cisco Products
Cisco FireSIGHT Management Center XSS and HTML Injection Vulnerabilities
http://tools.cisco.com/security/center/viewAlert.x?alertId=39171
Cisco ONS 15454 System Software Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39172
Cisco Edge 340 Privilege Escalation Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39187
Cisco TelePresence SX20 HTTP Response Splitting Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39210
XZERES 442SR Wind Turbine CSRF Vulnerability
This advisory provides mitigation details for a cross-site request forgery vulnerability in XZERES's 442SR turbine generator operating system.
https://ics-cert.us-cert.gov/advisories/ICSA-15-155-01
Bugtraq: CA20150604-01: Security Notice for CA Common Services
http://www.securityfocus.com/archive/1/535684