Daily summary - Wednesday 21-09-2016

End-of-Shift report

Timeframe: Tuesday 20-09-2016 18:00 − Wednesday 21-09-2016 18:00 Handler: Stephan Richter Co-Handler: n/a

Spear phishing: German politicians targeted with malware e-mails

Politicians from all parties were the target of spear-phishing attacks in August. Purported NATO information on the coup attempt in Turkey and on the earthquake in Italy was meant to lure recipients into clicking on malware.

http://www.golem.de/news/spear-phishing-deutsche-politiker-mit-malware-mails-angegriffen-1609-123355-rss.html


Windows Events log for IR/Forensics, Part 2 (Tue, Sep 20th)

In a previous diary[i] I talked about Windows Events and I gave some examples about some of the most useful events for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events.

Get-WinEvent

The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by...

https://isc.sans.edu/diary.html?storyid=21501&rss
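As an added illustration of the Get-WinEvent approach the diary describes (this is not code from the ISC diary), the script below pulls failed logon events (Event ID 4625) from the Security log, either from the live system or from an exported .evtx file collected during an investigation, extracts the named EventData fields from each event's XML, and summarises failures per source address. The .evtx path, the 24-hour window and the "suspicious" threshold are assumptions chosen for the example.

```powershell
# Added example (not from the ISC diary): hunt for failed logons (Event ID 4625)
# with Get-WinEvent, on the live host or from an exported Security.evtx.
# The path, window and threshold below are assumptions for illustration.

param(
    [string]$EvtxPath  = '',   # e.g. 'C:\case\Security.evtx' for offline triage; empty = live Security log
    [int]$Hours        = 24,   # look-back window
    [int]$Threshold    = 10    # flag a source address with at least this many failures
)

# -FilterHashtable is evaluated by the Event Log service itself, which is far
# cheaper than reading every event and filtering it with Where-Object afterwards.
$filter = @{ Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }

# Get-WinEvent raises a terminating error when nothing matches; treat that as an empty result.
try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch {
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

# Read EventData fields by name from the event XML instead of relying on
# positional Properties[] indices, which differ between event IDs and OS versions.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time       = $e.TimeCreated
        TargetUser = Get-EventField $e 'TargetUserName'
        LogonType  = Get-EventField $e 'LogonType'     # 3 = network, 10 = RDP, ...
        SourceIP   = Get-EventField $e 'IpAddress'
        Status     = Get-EventField $e 'Status'        # 0xC000006D = bad user name or password
    }
}

# Summarise per source address; many failures against many accounts from one
# address is the usual shape of password spraying or brute forcing.
$rows | Group-Object SourceIP | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        SourceIP   = $_.Name
        Failures   = $_.Count
        Accounts   = ($_.Group.TargetUser | Sort-Object -Unique) -join ','
        Suspicious = ($_.Count -ge $Threshold)
    }
} | Format-Table -AutoSize

# Keep the raw rows for the case file.
$rows | Export-Csv -NoTypeInformation -Path "failed-logons-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
```

Reading the Security log on a live system requires an elevated PowerShell session; pointing the script at an exported .evtx via -EvtxPath works from a normal analyst workstation and does not touch the compromised host again. The same pattern (FilterHashtable for the coarse selection, ToXml() for the fields) carries over to the other event IDs from Part 1 of the diary.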


ISAKMP Scanning and Potential Vulnerabilities

Introduction As many of you are aware, we scan the Internet on a daily basis for many different protocols. We have added several new ones over time mostly depending on our own time available to engineer a scan for that protocol. Occasionally, we add one that is more topical and addresses a recent vulnerability or...

http://blog.shadowserver.org/2016/09/20/isakmp-scanning-and-potential-vulnerabilities/


Mamba Ransomware Encrypts Hard Drives Rather Than Files

A new ransomware strain called Mamba opts to encrypts hard drives rather than individual files and folders stored on the local disk.

http://threatpost.com/mamba-ransomware-encrypts-hard-drives-rather-than-files/120730/


Should you trust your security software?

The complaint that security is broken isn't new and even industry insiders are joining the chorus. Companies spent an estimated $75 billion last year on security products and yet cyber attacks and data breaches are still a common occurrence. Now, we're finding that security tools themselves have vulnerabilities that are putting organizations at risk. Given that vulnerabilities in software are the root cause of most attacks and security tools are inherently intrusive in order to...

https://www.helpnetsecurity.com/2016/09/21/security-software/


macOS Sierra fixes almost 70 security vulnerabilities

With the new version 10.12, Apple has fixed 68 vulnerabilities in macOS (formerly OS X), including critical ones. No security update is currently available for older OS X versions.

http://heise.de/-3328701


Considerations on the Traffic Light Protocol

The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs). The TLP can be used in all forms of communication, whether written or oral. This Glossary Entry presents the TLP and its possible variants, and proposes some considerations on its use and its limitations.

https://www.enisa.europa.eu/topics/national-csirt-network/glossary/considerations-on-the-traffic-light-protocol


Did You Really Lock that Door?

One of my favorite books about information security is Ghost in the Wires, by Kevin Mitnick. Kevin, of course is one of the notorious early hackers whose exploits are brilliant and quite entertaining. If you have not already done so, add that book to your reading list. This post however is not a book review. I was reminded of Kevin's book the other evening when my son went dashing to the door in the middle of the night to make sure that he locked it. Normally, like all teenagers, he just...

https://feeds.feedblitz.com/~/200516044/0/alienvault-blogs~Did-You-Really-Lock-that-Door


InfoArmor Uncovers Malicious Torrent Distribution Network

InfoArmor has identified a special tool used by cybercriminals to distribute malware by packaging it with the most popular torrent files on the Internet. The bad actors have analyzed trends on video, audio, software and other digital content downloads from around the globe and have created seeds on famous torrent trackers using weaponized torrents packaged with malicious code.

https://www.infoarmor.com/infoarmor-uncovers-malicious-torrent-distribution-network/


Opportunistic Encryption: Bringing HTTP/2 to the unencrypted web

Encrypting the web is not an easy task. Various complexities prevent websites from migrating from HTTP to HTTPS, including mixed content, which can prevent sites from functioning with HTTPS. Opportunistic Encryption provides an additional level of security to websites that have not yet moved to HTTPS and the performance benefits...

https://blog.cloudflare.com/opportunistic-encryption-bringing-http-2-to-the-unencrypted-web/


Bugtraq: ESA-2016-093: RSA Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability

http://www.securityfocus.com/archive/1/539432


DSA-3671 wireshark - security update

Multiple vulnerabilities were discovered in the dissectors for H.225, Catapult DCT2000, UMTS FP and IPMI, which could result in denial of service or the execution of arbitrary code.

https://www.debian.org/security/2016/dsa-3671


Filr 2.0 - Hot Patch 3

Abstract: This patch provides a number of general bug fixes and security updates for Novell Filr, Search and MySQL 2.0.0 appliances including an updated Filr 2.0 Desktop client.
Document ID: 5255170
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: preinstall-Search-20HP3.zip (24.95 MB), preinstall-MySQL-20HP3.zip (24.18 MB), preinstall-Filr-20HP3.zip (34.59 MB), Filr-2.0.0.474.HP.zip (155.89 MB), Search-2.0.0.417.HP.zip (10.67 MB), MySQL-2.0.0.197.HP.zip (1.44 kB)
Products: Filr...

https://download.novell.com/Download?buildid=LMP8JAI5Lrc~


Security Advisory - DoS Vulnerability in Multiple Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-02-firewall-en


Security Advisory - DoS Vulnerability in Multiple Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-01-firewall-en


Security Advisory - DOS Vulnerability in Video Driver of Huawei Smart Phone

http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-01-smartphone-en


Apple Security Updates

Safari 10

https://support.apple.com/kb/HT207157

macOS Sierra 10.12

https://support.apple.com/kb/HT207170

tvOS 10

https://support.apple.com/kb/HT207142

iTunes 12.5.1 for Windows

https://support.apple.com/kb/HT207158

macOS Server 5.2

https://support.apple.com/kb/HT207171

iCloud for Windows 6.0

https://support.apple.com/kb/HT207147


Vuln: OpenStack Nova Denial of Service Vulnerability

http://www.securityfocus.com/bid/93068


ShoreTel Connect ONSITE Blind SQL Injection Vulnerability

Topic: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability
Risk: Medium
Text: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability == vulnerability type: Unauthenticated Blin...

https://cxsecurity.com/issue/WLB-2016090154


IBM Security Bulletins

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime Edition

http://www-01.ibm.com/support/docview.wss?uid=swg21990374

IBM Security Bulletin: Vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2119)

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009255

IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways

http://www-01.ibm.com/support/docview.wss?uid=swg21990046

IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix

http://www.ibm.com/support/docview.wss?uid=swg21990236

IBM Security Bulletin: IBM WebSphere MQ Invalid client protocol flows could cause denial of service (CVE-2016-0379)

http://www-01.ibm.com/support/docview.wss?uid=swg21984565

IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerability CVE-2015-5174

http://www-01.ibm.com/support/docview.wss?uid=swg21988742