End-of-Shift report
Timeframe: Wednesday 02-03-2016 18:00 − Thursday 03-03-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
Cisco Unified Communications Domain Manager Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-cucdm
LibreSSL Unaffected By DROWN
The OpenBSD people forked and heavily cleaned up OpenSSL to create LibreSSL due to dissatisfaction with the maintenance of OpenSSL, culminating in the Heartbleed bug. The emphasis has been on cleaning up the code and improving security, which includes removing things such as SSLv2, which has fundamental security flaws. As a result, LibreSSL is not ..
http://it.slashdot.org/story/16/03/02/1620221/libressl-unaffected-by-drown
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl
Cisco Prime Infrastructure Log File Remote Code Execution Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-cpi1
Schneider Electric Building Operation Automation Server Vulnerability
This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software.
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability
This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application.
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02
Windows Built-In PDF Reader Exposes Edge Browser To Hacking
Edge, Microsoft's new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT ..
http://news.slashdot.org/story/16/03/02/2210256/windows-built-in-pdf-reader-exposes-edge-browser-to-hacking
Open-Xchange Guard Access Control Flaw Lets Remote Authenticated Users Obtain Private Keys in Certain Cases
http://www.securitytracker.com/id/1035174
Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011
The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on ..
https://www.drupal.org/node/2679515
Register now for the International NCSC One Conference 2016
Protecting Bits & Atoms is the theme for our international One Conference 2016. It is especially timely given the increasingly connected physical and digital worlds and how information and communication technologies (ICT) have ingrained themselves into the very fabric of our society. The ONE conference will take place on Tuesday April 5 and Wednesday April 6 at the World Forum in The Hague, The Netherlands.
https://www.ncsc.nl/english/current-topics/news/register-now-for-the-international-ncsc-one-conference-2016.html
How fraudsters can abuse Apple Pay
Apple Pay is convenient and is considered secure. But criminals can abuse the system to create digital copies of credit cards.
http://www.golem.de/news/security-wie-betrueger-apple-pay-missbrauchen-koennen-1603-119537.html
Java Deserialization Attacks with Burp
This blog is about Java deserialization and the Java Serial Killer Burp extension. If you want to download the extension and skip past all of this, head to the Github page here. The recent Java deserialization attack that was discovered has provided a large window of opportunity for penetration testers to gain access to the underlying systems that Java applications communicate with.
https://blog.netspi.com/java-deserialization-attacks-burp/
Valve informs Steam users about the Christmas data breach
Almost three months after the massive data breach, Valve is now informing the affected users. In the meantime, they had probably long since forgotten about the problem.
http://heise.de/-3127829