Daily summary - Friday 12-08-2016

End-of-Shift report

Timeframe: Thursday 11-08-2016 18:00 − Friday 12-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a

An ATM hack and a PIN-pad hack show chip cards aren't impervious to fraud

The good news? Hacks are limited for now. The bad news? Hackers will get better.

http://arstechnica.com/security/2016/08/an-atm-hack-and-a-pin-pad-hack-show-chip-cards-arent-impervious-to-fraud/


Four free tools for handling Amazon Web Services security incident response

Responding to security incidents that involve deployments within Amazon Web Services is a lot different from responding to incidents that happen on corporate-owned gear, and two researchers have come up with free tools to make that process easier. Obtaining forensic evidence is different, primarily because security pros can't obtain physical access to the machines on which their AWS instances are running...

http://www.cio.com/article/3106302/security/four-free-tools-for-handling-amazon-web-services-security-incident-response.html#tk.rss_security


Looking for the insider: Forensic Artifacts on iOS Messaging App, (Thu, Aug 11th)

Most of the time we care about and focus on external threats, looking for actors that may attack us via phishing emails, vulnerable web services, misconfigured network devices, etc. However, sometimes the threat may come from the inside. In fact, it is not so uncommon to have disloyal/disgruntled employees exfiltrating information from the company (e.g. intellectual property to competitors, confidential information to the press, etc.). In such situations, a full forensics analysis of the...

https://isc.sans.edu/diary.html?storyid=21363&rss


Decrypting Chimera ransomware

We take a technical look at validating the leaked Chimera ransomware keys, as well as whether we can decrypt files with these keys.

https://blog.malwarebytes.com/cybercrime/2016/08/decrypting-chimera-ransomware/


Ransomware Decryption Tools

IMPORTANT! Before downloading and starting the solution, read the how-to guide. Make sure you remove the malware from your system first, otherwise it will repeatedly lock your system or encrypt files.

https://www.nomoreransom.org/decryption-tools.html


Analyzing and Cleaning Hijacked Google SEO Spam Results

Blackhat SEO spam comes in many forms, and one of the most nefarious is hijacked search results. This happens when search engines crawl and display unwanted content in the title and description of infected web pages. The negative impact to the infected website cannot be overstated. This harms the website's reputation with visitors and will...

https://blog.sucuri.net/2016/08/cleaning-hijacked-google-seo-spam-results.html


Microsoft's compromised Secure Boot implementation

There's been a bunch of coverage of this attack on Microsoft's Secure Boot implementation, a lot of which has been somewhat confused or misleading. Here's my understanding of the situation. Windows RT devices were shipped without the ability to disable Secure Boot. Secure Boot is the root of trust for Microsoft's User Mode Code Integrity (UMCI) feature, which is what restricts Windows RT devices to running applications signed by Microsoft. This restriction is somewhat inconvenient for developers, so...

http://mjg59.dreamwidth.org/44223.html


Security fixes available for Ruby on Rails

The updates prevent cross-site scripting attacks via html_safe in the major versions 3, 4 and 5, as well as the possibility of manipulating queries in Rails 4.2.x.

http://heise.de/-3293426


This is strictly a violation of the TCP specification

I was asked to debug another weird issue on our network. Apparently every now and then a connection going through CloudFlare would time out with 522 HTTP error. 522 error on CloudFlare indicates a connection issue between our edge server and the...

https://blog.cloudflare.com/this-is-strictly-a-violation-of-the-tcp-specification/


Finding and Enumerating Processes within Memory: Memory and Volatility

In this article series, we will learn about how processes reside in memory and various ways to find and enumerate them. I will be using Volatility plugins to find processes in memory. Once we know how to find processes within memory, in Part 2 we will see how to enumerate through them. Note: The scope...

http://resources.infosecinstitute.com/finding-and-enumerating-processes-within-memory-part-1/


VU#301735: ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials

Vulnerability Note VU#301735: ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials
Original Release date: 12 Aug 2016 | Last revised: 12 Aug 2016

Overview: The ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials and run telnet by default.

Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-5081. According to the reporter, the Zmodo ZP-NE14-S DVR and ZP-IBH-13W cameras contain undocumented credentials for accessing the device via telnet.

http://www.kb.cert.org/vuls/id/301735


HPSBHF03440 rev.1 - HPE iLO 3 using JQuery, Remote Cross-Site Scripting (XSS)

A potential security vulnerability in JQuery was addressed by HPE Integrated Lights-Out 3. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS).

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05232730


HPSBGN03630 rev.2 - HP Operations Manager for Unix, Solaris, and Linux using Apache Commons Collections (ACC), Remote Code Execution

A vulnerability in Apache Commons Collections (ACC) for handling Java object deserialization was addressed in the AdminUI of HP Operations Manager for Unix, Solaris and Linux. The vulnerability could be exploited remotely to allow remote code execution.

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05206507


IDM 4.5 SOAP Driver Version 4.0.0.4

Abstract: Patch update for the Novell Identity Manager SOAP driver. The patch will take the driver version to 4.0.0.4. You must have IDM 4.0.2 or later to use this driver.
Document ID: 5251690
Security Alert: Yes
Distribution Type: Field Test File
Entitlement Required: No
Files: IDM45_SOAP_4004.zip (161.66 kB)
Products: Identity Manager 4.5
Superseded Patches: IDM 4.5 SOAP Driver Version 4.0.0.3

https://download.novell.com/Download?buildid=95cHErCKIOQ~


F5 Security Advisory: libssh2 vulnerability CVE-2016-0787

https://support.f5.com:443/kb/en-us/solutions/public/k/21/sol21531693.html?ref=rss


F5 Security Advisory: TMM vulnerability CVE-2016-5023

https://support.f5.com:443/kb/en-us/solutions/public/k/19/sol19784568.html?ref=rss


VU#332115: D-Link routers contain buffer overflow vulnerability

Vulnerability Note VU#332115: D-Link routers contain buffer overflow vulnerability
Original Release date: 11 Aug 2016 | Last revised: 11 Aug 2016

Overview: D-Link DIR routers contain a stack-based buffer overflow vulnerability, which may allow a remote attacker to execute arbitrary code.

Description: CWE-121: Stack-based Buffer Overflow - CVE-2016-5681. A stack-based buffer overflow occurs in the function within the cgibin binary which validates the session cookie. This function is used by a service...

http://www.kb.cert.org/vuls/id/332115


Rockwell Automation MicroLogix 1400 SNMP Credentials Vulnerability

This advisory contains mitigation details for a privileged Simple Network Management Protocol (SNMP) vulnerability in Rockwell Automation's MicroLogix 1400 programmable logic controllers.

https://ics-cert.us-cert.gov/advisories/ICSA-16-224-01


DSA-3646 postgresql-9.4 - security update

Several vulnerabilities have been found in PostgreSQL-9.4, a SQL database system.

https://www.debian.org/security/2016/dsa-3646


FortiVoice 5.0 Filter Bypass & Persistent Web Vulnerabilities

A vulnerability in the FortiVoice 5.0 web application could allow malicious script to be injected into the affected module; this potentially enables XSS attacks.

http://fortiguard.com/advisory/fortivoice-5-0-filter-bypass-persistent-web-vulnerabilities


Cisco Aironet 1800, 2800, and 3800 Series Access Point Platforms ARP Request Handling Denial of Service Vulnerability

A vulnerability exists in Cisco Access Point (AP) platforms when processing Address Resolution Protocol (ARP) packets that could allow an unauthenticated, adjacent attacker to inject crafted entries into the ARP table and eventually cause a reload of the affected device. The vulnerability is due to improper processing of illegal ARP packets. An attacker could exploit this vulnerability by sending crafted ARP packets to be processed by an affected device. An exploit could allow the attacker to...

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160608-aironet


IBM Security Bulletins

IBM Security Bulletin: IBM Security Access Manager for Web is affected by vulnerabilities in OpenSSL

http://www.ibm.com/support/docview.wss?uid=swg21987903

IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, CVE-2016-2176).

http://www-01.ibm.com/support/docview.wss?uid=swg21988350

IBM Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server and bundling products shipped with IBM Cloud Orchestrator (CVE-2016-3426, CVE-2016-3427)

http://www-01.ibm.com/support/docview.wss?uid=swg2C1000178

IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by vulnerabilities in OpenSSH (CVE-2016-3115, CVE-2016-1908)

http://www.ibm.com/support/docview.wss?uid=swg21987636

IBM Security Bulletin: IBM Security Access Manager for Web is affected by vulnerabilities in OpenSSH (CVE-2016-3115, CVE-2016-1908)

http://www.ibm.com/support/docview.wss?uid=swg21987638

IBM Security Bulletin: IBM Netezza SQL Extensions is vulnerable to an OpenSource PCRE Vulnerability (CVE-2016-1283, CVE-2016-3191)

http://www-01.ibm.com/support/docview.wss?uid=swg21985982


Next End-of-Shift report: 2016-08-16