End-of-Shift report
Timeframe: Wednesday 11-01-2017 18:00 − Thursday 12-01-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
Personalised card complete phishing mail
A personalised cardcomplete phishing mail that addresses recipients directly by name is in circulation. In it, criminals claim that suspicious transactions have occurred, which is why customers are supposedly required to verify their identity on a website. It is an attempt by criminals to obtain other people's credit card data.
https://www.watchlist-internet.at/phishing/personalisierte-card-complete-phishingmail/
The Most Dangerous User Right You (Probably) Have Never Heard Of
One user right I overlooked, until Ben Campbell's post on constrained delegation, was SeEnableDelegationPrivilege. This right governs whether a user account can "Enable computer and user accounts to be trusted for delegation." Part of the reason I overlooked it is stated right in the documentation:...
http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
Security hole in pacemakers
A firmware update is meant to protect patients with pacemakers or implanted defibrillators from hackers taking control of the devices. There are doubts, however, that the devices are secure after the update.
https://heise.de/-3593932
Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension
An anonymous reader writes: The latest Adobe Acrobat Reader security update (15.023.20053), besides delivering security updates, also secretly installs the Adobe Acrobat extension in the user's Chrome browser. There is no mention of this "special package" in Acrobat's changelog, and surprise-surprise, the extension comes with anonymous data collection turned on by default. Bleeping Computer reports: "This extension allows users to save any web page they're on as a PDF file and share...
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/s_zCwl6BNOY/latest-adobe-acrobat-reader-update-silently-installs-chrome-extension
Some tools updates, (Thu, Jan 12th)
A couple of tools were updated and released today. Network Miner was updated. Version 2.1 is now available for download. Network Miner is a packet sniffer/analyzer focused on extracting application layer forensic artifacts. The update adds new protocols and enhances email reassembly options.
http://www.netresec.com//Blogmonth=2017-01post=NetworkMiner-2-1-Released Black Hills Information Security released a PowerShell version of the DNSCAT2 client. DNSCAT2 is a popular command and control tool...
https://isc.sans.edu/diary.html?storyid=21925&rss
System Resource Utilization Monitor, (Thu, Jan 12th)
The attackers have come and gone and you are left behind to clean up the mess. You arrive on site to figure out how the bad guys got in, what they took and how badly it will affect the customer. But, the customer doesn't syslog the firewall logs, so you are limited to the three days of logs that are held in the firewall's memory. The Windows Event logs on most of the systems roll over every 5 minutes, and there is no centralized long term logging. There is no IDS. There is no full packet capture.
https://isc.sans.edu/diary.html?storyid=21927&rss
Background: Open Bug Bounty: security vulnerabilities for a reward
heise Security became acquainted, not entirely voluntarily, with a previously largely unknown platform on which hackers and other researchers can report security vulnerabilities.
https://heise.de/-3593886
Ansible: update is to fix a critical bug in the 2.x versions
Because the vulnerability is rated as high risk, the maintainers have published release candidates of versions 2.1.4 and 2.2.1 that fix the bug.
https://heise.de/-3594254
Rent an IP, Own a Domain
The other day I was on a mission to locate a contact of mine that lived nearby. I had an address, but no phone, or email address. So I got the GPS out, programmed in the address, and away I went. Arriving at the location, I turned into the driveway, and it was an apartment...
https://blog.domaintools.com/2017/01/rent-an-ip-own-a-domain/
WordPress 4.7.1 Security and Maintenance Release
This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Bugtraq: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
http://www.securityfocus.com/archive/1/540011
Vuln: libgit2 badssl.c Security Bypass Vulnerability
http://www.securityfocus.com/bid/95354
Bugtraq: IKEv1 cipher suite configuration mismatch in Siemens SIMATIC CP 343-1 Advanced
http://www.securityfocus.com/archive/1/540003
Vuln: Zimbra CVE-2016-3403 Multiple Cross Site Request Forgery Vulnerabilities
http://www.securityfocus.com/bid/95383
NetIQ Privileged Account Manager 3.0.1 HF3 (3.0.1-3)
Abstract: NetIQ Privileged Account Manager 3.0.1 Hot Fix 3 (3.0.1.3). The purpose of the patch is to provide an upgrade of OpenSSL to eliminate potential security vulnerabilities. This release does not contain new features.
Document ID: 5267862
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: netiq-npam-packages-3.0.1-3.tar.gz (175.63 MB)
Products: Privileged Account Manager 3.0.1
Superseded Patches: NetIQ Privileged Account Manager 3.0.1 HF 1, NetIQ Privileged
https://download.novell.com/Download?buildid=Ciuap7psZuo~
DFN-CERT-2017-0054: ISC BIND: Multiple vulnerabilities allow various denial-of-service attacks
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0054/
Vuln: SAP NetWeaver XML External Entity Information Disclosure Vulnerability
http://www.securityfocus.com/bid/95373
Vuln: SAP ERP Defence Forces and Public Security Remote Authorization Bypass Vulnerability
http://www.securityfocus.com/bid/95367
Juniper Security Advisories
JSA10772 - 2017-01 Security Bulletin: Junos: RPD crash while processing RIP advertisements (CVE-2017-2303)
http://kb.juniper.net/index/content&id=JSA10772&actp=RSS
JSA10774 - 2017-01 Security Bulletin: Network and Security Manager (NSM): Multiple OpenSSH vulnerabilities affect NSM Appliance OS.
http://kb.juniper.net/index/content&id=JSA10774&actp=RSS
JSA10773 - 2017-01 Security Bulletin: QFX3500, QFX3600, QFX5100, QFX5200, EX4300 and EX4600: Etherleak memory disclosure in Ethernet padding data (CVE-2017-2304)
http://kb.juniper.net/index/content&id=JSA10773&actp=RSS
JSA10771 - 2017-01 Security Bulletin: Junos: Denial of Service vulnerability in RPD (CVE-2017-2302)
http://kb.juniper.net/index/content&id=JSA10771&actp=RSS
JSA10770 - 2017-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 16.1R1 release.
http://kb.juniper.net/index/content&id=JSA10770&actp=RSS
JSA10769 - 2017-01 Security Bulletin: Junos: Denial of service vulnerability in jdhcpd due to crafted DHCPv6 packets (CVE-2017-2301)
http://kb.juniper.net/index/content&id=JSA10769&actp=RSS
JSA10768 - 2017-01 Security Bulletin: Junos: SRX Series denial of service vulnerability in flowd due to crafted multicast packets (CVE-2017-2300)
http://kb.juniper.net/index/content&id=JSA10768&actp=RSS
IBM Security Bulletin
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) IBM Java SDK updates October 2016
http://www-01.ibm.com/support/docview.wss?uid=swg21995972
IBM Security Bulletin: Multiple Security Vulnerabilities in OpenSSL affect IBM Netezza Analytics
http://www-01.ibm.com/support/docview.wss?uid=swg21995049
IBM Security Bulletin: IBM Sterling Order Management is affected by a vulnerability (CVE-2016-5953)
http://www-01.ibm.com/support/docview.wss?uid=swg21994521
IBM Security Bulletin: Multiple Security Vulnerabilities have been addressed in LMS 6.0 on Cloud
http://www.ibm.com/support/docview.wss?uid=swg21992072