End-of-Shift report
Timeframe: Monday 13-07-2015 18:00 - Tuesday 14-07-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
Been hacked? Now to decide if you chase the WHO or the HOW
Imagine a security researcher has plucked your customer invoice database from a command-and-control server. You're nervous and angry. Your boss will soon be something worse and will probably want you to explain who pulled off the heist, and how. But only one of these questions, the how, is worth your precious resources; security experts say the who is an emotional distraction.
http://www.theregister.co.uk/2015/07/14/attribution_feature/
Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems
Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets' systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running. They have written a procedure specifically for Insyde BIOS (a very popular BIOS vendor for laptops). However, the code can very likely work on AMI BIOS as well. A Hacking Team slideshow...
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/
Lowering Defenses to Increase Security
Starting at WhiteHat was a career change for me. I wasn't sure exactly what to expect, but I knew there was a lot of unfamiliar terminology: "MD5 signature", "base64", "cross-site request forgery", "'Referer' header", to name a few. When I started testing real websites, I was surprised that a lot of what I was doing...
https://blog.whitehatsec.com/lowering-defenses-to-increase-security/
Adobe Updates Flash Player, Shockwave and PDF Reader, (Tue, Jul 14th)
In a warm-up to Patch Tuesday, it looks like we have new versions of Adobe Flash Player, Shockwave Player and PDF Reader. Given that some of the exploits against the vulnerabilities patched are public, you may want to expedite patching and review your Flash Player and browser configuration. The latest (patched) versions are (thanks Dave!):
- Flash Player 18.0.0.209
- Flash Player EST 13.0.0.305
- Reader 10.1.15
- Reader 11.0.12
- Shockwave Player 12.1.9.159
Bulletins:
https://isc.sans.edu/diary.html?storyid=19917&rss
Adobe: Look, honestly, we really do take Flash security seriously
Mozilla: Right, THAT'S IT. You, Flash, behind the shed with me. *snick snack*
FLASH MUST DIE, says Facebook security chief
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/adobe_response_to_security_holes/
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/firefox_blocks_flash/
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/facebook_flash_kill/
Security Bulletins Posted
Security Bulletins for Adobe Acrobat and Reader (APSB15-15), Adobe Shockwave Player (APSB15-17) and Adobe Flash Player (APSB15-18) have been published. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced...
https://blogs.adobe.com/psirt/?p=1247
SSA-632547 (Last Update 2015-07-14): Authentication Bypass Vulnerability in SICAM MIC
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-632547.pdf
VU#919604: Kaseya Virtual System Administrator contains multiple vulnerabilities
Vulnerability Note VU#919604: Kaseya Virtual System Administrator contains multiple vulnerabilities
Original Release date: 13 Jul 2015 | Last revised: 13 Jul 2015
Overview: Kaseya Virtual System Administrator (VSA), versions R9 and possibly earlier, contains arbitrary file download and open redirect vulnerabilities.
Description: CWE-22: Improper Limitation of Pathname to a Restricted Directory (Path Traversal) - CVE-2015-2862
Kaseya VSA is an IT management platform with a help desk ticketing
http://www.kb.cert.org/vuls/id/919604
Cisco Vulnerability Alerts
Cisco Identity Services Engine Cross-Frame Scripting Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39871
Cisco TelePresence Integrator C Series Multiple Request Parameter Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39880
Cisco Identity Services Engine Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39873
Cisco Unified Communications Manager Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39877
Cisco FireSIGHT Management Center Cross-Site Scripting Vulnerabilities
http://tools.cisco.com/security/center/viewAlert.x?alertId=39879
Cisco Unified Communications Manager ccmivr Page Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39905
IBM Security Bulletins
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us
Moodle Bugs Permit Cross-Site Scripting and Open Redirect Attacks and Let Remote Authenticated Users Modify Data
http://www.securitytracker.com/id/1032877
F5 Security Advisory: Multiple PHP CDF vulnerabilities CVE-2014-0237 and CVE-2014-0238
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16954.html?ref=rss
DFN-CERT-2015-1009: Django: Multiple vulnerabilities allow, among other things, denial-of-service attacks
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1009/