"Websecurity - Jahresrückblick 2014" - Link- und Literaturverzeichnis
Dipl.-Inform. Carsten Eilers
"Websecurity - Jahresrückblick 2014" - Link- und Literaturverzeichnis
Kapitel 1: Kapitel 1: Angriffe auf OpenSSL und SSL/TLS
- [1] Is The Internet On Fire?
- [2] Carsten Eilers: "Quo vadis, SSL?"; Entwickler Magazin 4.2012
- [3] OpenSSL Security Advisory [07 Apr 2014]
- [4] CVE-2014-0160
- [5] Heartbleed Bug
- [6] Bruce Schneier; Schneier on Security: "Heartbleed"
- [7] RFC 6520 - Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension
- [8] Tomas Rzepka, @1njected auf Twitter: "We can extract the private key successfully on FreeBSD ..."
- [9] Robert Graham; Errata Security: "What the heartbleed bug looks like on the wire"
- [10] Dan Goodin; Ars Technica: "Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style"
- [11] Carsten Eilers: "Neues zum Heartbleed Bug in OpenSSL"
- [12] Sean Gallagher; Arc Technica: "Heartbleed vulnerability may have been exploited months before patch [Updated]"
- [13] Peter Eckersley; Electronic Frontier Foundation: "Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?"
- [14] Carsten Eilers: "Nutzt die NSA den Heartbleed Bug seit 2 Jahren?"
- [15] Christopher Glyer, Chris DiGiamo; M-unition: "Attackers Exploit the Heartbleed OpenSSL Vulnerability to Circumvent Multi-factor Authentication on VPNs"
- [16] Mumsnet: "The Heartbleed security breed - and what to do"
- [17] Leo Kelion; BBC: "Heartbleed hacks hit Mumsnet and Canada's tax agency"
- [18] Canada Revenue Agency: "Notice - Heartbleed bug vulnerability"
- [19] Royal Canadian Mounted Police: "RCMP Statement regarding Heartbleed"
- [20] Royal Canadian Mounted Police: "Heartbleed Bug Hacker Charged by RCMP"
- [21] Bundesamt für Sicherheit in der Informationstechnik: ""Heartbleed Bug": BSI sieht weiteren Handlungsbedarf"
- [22] Uli Ries, Ronald Eikenberg; Heise Security: "Zugriff auf SMS-Nachrichten und Tor-Traffic dank Heartbleed"
- [23] United States Securities and Exchange Commission: "FORM 8-K: Community Health Systems, Inc"
- [24] TrustedSec: "CHS Hacked via Heartbleed Vulnerability"
- [25] Carsten Eilers: "Heartbleed: Problematische Zertifikats-Rückrufe"
- [26] Carsten Eilers: "Das große Problem mit den Patches und Updates"
- [27] Bodo Möller; Google Online Security Blog: "This POODLE bites: exploiting the SSL 3.0 fallback"
- [28] Bodo Möller, Thai Duong, Krzysztof Kotowicz: "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF)
- [29] CVE-2014-3566
- [30] RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
- [31] Carsten Eilers: "BEAST - Ein neuer Angriff auf SSL und TLS 1.0"
- [32] Carsten Eilers: "About Security #117: Mobile Security — WLAN-Hotspots"
- [33] Bode Möller, Adam Langley; IETF Draft: "TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks"
- [34] OpenSSL Security Advisory [15 Oct 2014]
- [35] Microsoft Security Advisory 3009008: "Vulnerability in SSL 3.0 Could Allow Information Disclosure"
- [36] Apple: "About Security Update 2014-005"
- [37] Apple: "About the security content of OS X Yosemite v10.10"
- [38] Qualys SSL Labs: SSL Server Test
- [39] ISC: SSLv3 Poodle Attack Check
- [40] Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering, Jacob Schuldt: "On the Security of RC4 in TLS and WPA"
- [41] Matthew Green; A Few Thoughts on Cryptographic Engineering: "Attack of the week: RC4 is kind of broken in TLS"
- [42] Jacob Appelbau, @ioerror auf Twitter: "@matthew_d_green @JoeBeOne @ln4711 RC4 is broken in real time by the #NSA - stop using it."
- [43] William Peteroy; Security Research & Defense Blog: "Security Advisory 2868725: Recommendation to disable RC4"
- [44] Microsoft Security Advisory 2868725: Update for Disabling RC4
- [45] Triple Handshakes Considered Harmful - Breaking and Fixing Authentication over TLS
- [46] Carsten Eilers: "Neuer Angriff auf TLS beim Einsatz von Client-Zertifikaten"
- [47] Carsten Eilers: "Der Triple Handshake Angriff auf TLS im Web"
- [48] Apple: "About the security content of iOS 6.1.6"
- [49] Apple: "About the security content of iOS 7.0.6"
- [50] Apple: "About the security content of Apple TV 6.0.2"
- [51] CVE-2014-1266
- [52] Apple: "About the security content of OS X Mavericks v10.9.2 and Security Update 2014-001"
- [53] Apple: sslKeyExchange.c
- [54] pencilo; Hacker News: "Take a look at http://opensource.apple.com/source/Security/Security-55471/l..."
- [55] Adam Langley; ImperialViolet: "Apple's SSL/TLS bug (22 Feb 2014)"
- [56] Steven M. Bellovin; SMBlog: "Goto Fail"
- [57] Steven M. Bellovin; SMBlog: "Speculation About Goto Fail"
- [58] CVE-2014-1568
- [59] Daniel Veditz; Mozilla Security Blog: "RSA Signature Forgery in NSS"
- [60] Mike Fey; McAfee Blog: "What you need to know about ”BERserk” and Mozilla"
- [61] Mozilla Foundation Security Advisory 2014-73: RSA Signature Forgery in NSS
- [62] Mozilla Bug 1064636 - (CVE-2014-1568) RSA PKCS#1 signature verification forgery is possible due to too-permissive SignatureAlgorithm parameter parsing
- [63] Intel Security - Advanced Threat Research: "BERserk"
- [64] Intel Security - Advanced Threat Research: BERserk Vulnerability - Part 1: RSA signature forgery attack due to incorrect parsing of ASN.1 encoded DigestInfo in PKCS#1 v1.5 (PDF)
- [65] Intel Security - Advanced Threat Research: BERserk Vulnerability - Part 2: Certificate Forgery in Mozilla NSS (PDF)
- [66] Carsten Eilers: "About Security #102: Hashfunktionen - Einführung"
- [67] Carsten Eilers: "About Security #103: Hashfunktionen - MD4 und Verwandte"
- [68] Carsten Eilers: "About Security #104: Hashfunktionen - Sicherheit"
- [69] Carsten Eilers: "Wer braucht SHA-3?"
- [70] Carsten Eilers: "2013 - Die Zukunft hat schon begonnen!"
- [71] NIST Special Publication 800-131A: "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths" (PDF)
- [72] Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen: "Bekanntmachung zur elektronischen Signatur nach dem Signaturgesetz und der Signaturverordnung (Übersicht über geeignete Algorithmen)"
- [73] Bundesamt für Sicherheit in der Informationstechnik (BSI): Technische Richtlinie BSI TR-02102-1: Kryptographische Verfahren: Empfehlungen und Schlüssellängen
- [74] Microsoft Security Advisory 2880823: "Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program"
- [75] William Peteroy; Security Research & Defense Blog: "Security Advisory 2880823: Recommendation to discontinue use of SHA-1"
- [76] Adam Langley; ImperialViolet: "SHA-256 certificates are coming (14 May 2014)"
- [77] Ryan Sleevi; blink-dev Mailing List: "Intent to Deprecate: SHA-1 certificates"
- [78] Mozilla Security Engineering Team; Mozilla Security Blog: "Phasing Out Certificates with SHA-1 based Signature Algorithms"
- [79] Paul Mutton; Netcraft: "SHA-2: Very cryptographic. So secure. Such growth. Wow."
- [80] Carsten Eilers: "Heute aufgezeichnet – morgen entschlüsselt?"; PHP Magazin 5.2014
Kapitel 2: Shellshock, BadUSB und Co.
- [1] Is The Internet On Fire?
- [2] Heartbleed Bug
- [3] CVE-2014-6271
- [4] Florian Weimer; oss-sec Mailing List: "Re: CVE-2014-6271: remote code execution through bash"
- [5] Hanno Böck; oss-sec Mailing List: "Re: CVE-2014-6271: remote code execution through bash"
- [6] CVE-2014-7169
- [7] Huzaifa Sidhpurwala; oss-sec Mailing List: "Fwd: Non-upstream patches for bash"
- [8] CVE-2014-7186
- [9] CVE-2014-7187
- [10] Michal Zalewski; lcamtuf's blog: "Bash bug: apply Florian's patch now (CVE-2014-6277 and CVE-2014-6278)"
- [11] CVE-2014-6277
- [12] CVE-2014-6278
- [13] Michal Zalewski; Full Disclosure Mailing List: "[FD] the other bash RCEs (CVE-2014-6277 and CVE-2014-6278)"
- [14] Michal Zalewski; lcamtuf's blog: "Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and '78)"
- [15] Carsten Eilers: "ShellShock - Die Schwachstellen und Angriffsvektoren"
- [16] Rob Fuller (mubix); GitHub: shellshocker-pocs
- [17] Carsten Eilers: "ShellShock - Die Angriffe"
- [18] Yinette, @yinettesys auf Twitter: "gist.github.com/anonymous/929d622f3b36b00c0be1 … Shit is real now. First in-wild attack to hit my sensors CVE-2014-6271..."
- [19] GitHub Gist: "Ok, shits real. Its in the wild... src:162.253.66.76"
- [20] KernelMode.info Thread: "Linux/Bash0day alias Shellshock alias Bashdoor"
- [21] Michael Bulat (mbulat); GitHub: "jur"
- [22] VirusTotal-Scan von "jur"
- [23] Daniel Cid; Sucuri Blog: "Bash – ShellShocker – Attacks Increase in the Wild – Day 1"
- [24] Juha Saarinen; ITnews.com.au: "First Shellshock botnet attacks Akamai, US DoD networks"
- [25] Trend Micro: "Shellshock Updates: BASHLITE C&Cs Seen, Shellshock Exploit Attempts in Brazil"
- [26] James T. Bennett, David Bianco, Michael Lin; FireEye Blog: "Shellshock in the Wild"
- [27] James T. Bennett, J. Gomez; FireEye Blog: "The Shellshock Aftershock for NAS Administrators"
- [28] Kevin Liston; InfoSec Handlers Diary Blog: "Shellshock via SMTP"
- [29] David Kennedy; Binary Defense Systems: "Active Shellshock SMTP Botnet Campaign"
- [30] Johannes Ullrich; InfoSec Handlers Diary Blog: "Worm Backdoors and Secures QNAP Network Storage Devices"
- [31] QNAP: "QNAP Releases New QTS for Turbo NAS with Official GNU Bash Patch Update"
- [32] Brian Smith; Mailinglist der TLS Working Group der IETF: "[TLS] POODLE applicability to TLS 1.0+ (was Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)"
- [33] Brian Smith; Mailinglist der TLS Working Group der IETF: "Re: [TLS] POODLE applicability to TLS 1.0+ (was Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)"
- [34] Adam Langley; ImperialViolet: "The POODLE bites again (08 Dec 2014)"
- [35] F5 Security Advisory: "SOL15882: TLS1.x padding vulnerability CVE-2014-8730"
- [36] A10 Rapid Response: "SECURITY ADVISORY #CVE-2014-8730 published on December 8th, 2014" (PDF)
- [37] IBM Security Bulletin: "TLS padding vulnerability affects IBM HTTP Server (CVE-2014-8730)"
- [38] IBM Security Bulletin: "TLS padding vulnerability affects Tivoli Access Manager for e-business and IBM Security Access Manager for Web (CVE-2014-8730)"
- [39] Cisco Security Notice: "SSL-TLS Implementations Cipher Block Chaining Padding Information Disclosure Vulnerability"
- [40] CVE-2014-8730
- [41] Ivan Ristic; Qualys Security Labs Blog: "Poodle Bites TLS"
- [42] Qualys SSL Labs: SSL Server Test
- [43] Drupal: SA-CORE-2014-005 - Drupal core - SQL injection
- [44] CVE-2014-3704
- [45] Sektion Eins: Advisory 01/2014: Drupal - pre Auth SQL Injection Vulnerability
- [46] Stefan Horst; Sektion Eins Blog: "Drupal 7.31 pre Auth SQL Injection Vulnerability"
- [47] Pastebin: [Python] Drupal 7.x SQL Injection SA-CORE-2014-005
- [48] Reddit - netsec: SA-CORE-2014-005 - Drupal core - SQL injection
- [49] Tamer Zoubi: "Drupageddon - SA-CORE-2014-005 - Drupal 7 SQL injection exploit demo"
- [50] Steven Adair; Volexity Blog: "Drupal Vulnerability: Mass Scans & Targeted Exploitation"
- [51] Rapid7: "CVE-2014-3704 Drupal HTTP Parameter Key/Value SQL Injection"
- [52] Drupal: Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003
- [53] Stefan Horst; Sektion Eins Blog: "Drupal 7.32 two weeks later - PoC"
- [54] Daniel Cid; Sucuri Blog: "Slider Revolution Plugin Critical Vulnerability Being Exploited"
- [55] Tony Perez; Sucuri Blog: "SoakSoak Malware Compromises 100,000+ WordPress Websites"
- [56] Carsten Eilers: "BadBIOS - Ein neuer Superschädling?"
- [57] Security Research Labs: "”BadUSB — On accessories that turn evil” at Black Hat, Las Vegas, Aug 6-7 2014"
- [58] Karsten Nohl, Jakob Lell; Black Hat USA 2014: "BadUSB - On Accessories that Turn Evil"
- [59] Security Research Labs: "Turning USB peripherals into BadUSB"
- [60] PacSec 2014: Speakers and Slides
- [61] Karsten Nohl, Sascha Krißler, Jakob Lell; PacSec 2014: "BadUSB — On accessories that turn evil" (PDF)
- [62] SRLabs Open Source Projects: Wiki BadUSB Exposure
- [63] Adam Caudill: "Making BadUSB Work for You – DerbyCon"
- [64] Adam Caudill (adamcaudill); GitHub: Psychson
- [65] Carsten Eilers: "Unsicherer Serial Bus"; Entwickler Magazin 3.2013 (auch online als "Sicherheitsrisiko USB: Angriffe über den Serial Bus")
- [66] Adam Caudill: "On the Ethics of BadUSB"
- [67] Jrockilla; Reddit: "The boss has malware, again... (self.talesfromtechsupport)"
- [68] Carsten Eilers: "Angriffe über Geräte, die angeblich nur etwas Strom über USB möchten"
- [69] Ralph Whitbeck; jQuery: "Was jquery.com Compromised?"
- [70] Ralph Whitbeck; jQuery: "Update on jQuery.com Compromises"
- [71] AToro; Websense Security Labs Blog: "Official Website of Popular Science Compromised"
- [72] Lisa Vaas; Sophos Naked Security: "HealthCare.gov breached, injected with malware"
- [73] Lisa Vaas; Sophos Naked Security: "Dropbox passwords leaked, third-party services blamed"
- [74] Lee Munson; Sophos Naked Security: "97,000 Bugzilla email addresses and passwords exposed in another Mozilla leak"
- [75] Lee Munson; Sophos Naked Security: "Mozilla database leaks 76,000 email addresses, 4,000 passwords"
- [76] Jessica Silver-Greenberg, Matthew Goldstein, Nicole Perlroth; The New York Times: "JPMorgan Chase Hacking Affects 76 Million Households"
- [77] Carsten Eilers: "Millionenfacher Identitätsdiebstahl führt zu blinden Aktionismus"
- [78] Carsten Eilers: "Die 0-Day-Exploits 2014 im Überblick"
- [79] Carsten Eilers: "Microsoft patcht außer der Reihe kritische 0-Day-Schwachstelle in Kerberos"
- [80] Sylvain Monné (bidord); GitHub: "pykek (Python Kerberos Exploitation Kit)"
- [81] Carsten Eilers: "Die 0-Day-Exploits 2013 im Überblick"
- [82] Carsten Eilers: "Nutzt die NSA den Heartbleed Bug seit 2 Jahren?"
- [83] David A. Wheeler: "Shellshock" / "3. Timeline"
Zurück