Blogs

AUSCERT at 2019 FIRST Conference

AUSCERT at 2019 FIRST Conference I had the absolute pleasure of attending the 2019 FIRST Conference for the first time (no pun intended!) recently. FIRST is the Forum of Incident Response and Security Teams and it brings together a wide variety of security and incident response teams including especially product security teams from the government, commercial, and academic sectors. This year’s conference theme was “Defending the Castle” and there were approximately 1100 delegates, a very full program over 5 days and plenty of opportunities to meet other cyber security teams and share ideas across the board. One of the aspects I enjoyed thoroughly was my introduction to other CERTs from the Asia Pacific region and gaining a greater understanding of the role AUSCERT plays in this community.   (Photo credit: APCERT) I also wanted to take this opportunity to highlight a couple of my favourite speaker sessions here: “Waking up the Guards – Renewed Vigilance Needed to Regain Trust in Fundamental Building Blocks” by Merike Kaeo of Double Shot Security was my favourite keynote. Merike spoke about the days when trust was inherent and how we now see exploitation of fundamentals such as routing, DNS and certificates. She invoked the question of ‘How can we regain trust and control of where our data goes and by whom it is seen?’ and it really got me into thinking about the current cyber security landscape and how we can all do better in this space. The other speaker session I enjoyed was the talk presented by the Cisco Umbrella research team on the topic of “Detecting Covert Communication Channels via DNS”. I thought this was an absolutely fascinating subject and one that is worth further research within AUSCERT.  As the conference wrapped up at the end of last week, I walked away feeling very inspired about the fact that there is such a strong community spirit that fosters great collaboration within our industry. I am certain that AUSCERT and UQ can AND need to play an even more active role in the future! David Stockdale Director

Learn more

Blogs

AUSCERT2019: thatโ€™s a wrap!

AUSCERT2019: thatโ€™s a wrap! The annual AUSCERT Cyber Security Conference has wrapped up for another year. This industry-leading event was held across 4 days. More than 700 delegates heard from 50 speakers and attended an array of interactive workshops. They networked with industry professionals, learnt the latest and best practices in the cyber and information security industry, and some even got their hands on awesome prizes. Here’s a summary of conference highlights for those who couldn’t attend.   Sensational Keynotes AUSCERT2019 featured three legendary keynote speakers; Mikko Hypponen, Troy Hunt and Jessy Irwin. Each covered a different area within cyber security and shared their knowledge and expertise generously. Mikko is a globally-renowned tech security guru working as the CRO of F-Secure. He has written research for the New York Times, Wired and Scientific America also, frequently appearing on international TV. At the conference he spoke on ‘Computer Security: Yesterday, Today and Tomorrow’. A key takeaway from Mikko was on IoT devices. When observing data security, it is likely that in the future these devices will no longer tell you they are connecting to the internet, but will pass your data straight to the manufacturer. To view Mikko’s presentation, you can visit the AUSCERT YouTube channel here. Troy is an independent security trainer, speaker and Microsoft Regional Director. He’s most commonly recognised as the founder of the data breach monitoring and notification service ‘Have I Been Pwned’ (HIBP). Troy spoke on ‘The Data Breach Pipeline: How Our Data is Stolen, Distributed and Abused’. A key takeaway from his presentation was on password managers and how they can solve a lot of password-breach related issues. Changing your password regularly is no longer enough, you need more complex solutions. To find out more about Troy’s keynote, you can view his presentation here. Jessy is a security expert and Head of Security at Tendermint. Her role means she excels within translating complex cybersecurity problems into relatable terms and she also develops, maintains and delivers on comprehensive security strategy. Jessy spoke on ‘How Security Teams Can Evolve to Win Friends and Influence People’. Jessy’s intention was to challenge some standard ways of thinking within the cyber and information security industry and she certainly succeeded in doing so. To download a copy of Jessy’s presentation, please click here. Jessy’s presentation can be viewed here.   Networking Events The ‘Beers of the World’ session is the ceremonial welcome to all delegates attending AUSCERT2019. Attendees are encouraged to mingle with vendors, sponsors and other industry professionals while tasting an array of beers from around the globe. This is a great opportunity to connect with other industry professionals in a relaxing environment. On Thursday evening conference delegates were entertained at the venue’s poolside bar by the phenomenal crew from Jetpack Events who showcased their acrobatic prowess and delighted the audience with an amazing fireworks display. This year, the Gala Dinner theme ‘Legend of the Gala’ paid a subtle homage to our main conference theme and is derived from the ever popular Legend of Zelda video game franchise. We even saw a number of Zelda enthusiasts in full costume, kudos to them! Dinner guests were entertained by the talented speed painter Brad Blaze who wowed the audience with his Zelda inspired artworks.     Sponsors Booths Alongside the array of speakers were more than 50 sponsors and supporters of AUSCERT.. Each had their own designated booth space where they spoke to delegates and showcased their services. Some sponsors also engaged with delegates through interactive games and demos at their booth. There were hackathons, drone prizes and darts to name a few. A special shout-out to colleagues from Context Information Security who ran a PWNtoDrone CTF challenge which delegates enjoyed immensely. In between sessions, delegates were also able to engage in the annual lock-picking and lego building sessions. These interactive activities  provide a nice break for delegates to unleash their building and lock-picking skills; not to mention keeping the lego when you build it. Overall, AUSCERT2019 was huge success. We trust that all attendees enjoyed their time and ultimately learned new skills and strategies to keep their data and network safe in the new digital and mass-data era!

Learn more

Blogs

Malware threat indicators in AWS using MISP

Malware threat indicators in AWS using MISP Every zero-day vulnerability is an attack vector that has existed before the day it was announced. When this happens we must vigilantly patch all of our vulnerable services while also ensuring that nothing has been compromised. We share threat indicators to limit the potential impact of attackers; however, when a new malware indicator has been identified in the wild, updating your firewall isn’t always enough. AWS GuardDuty is a great solution for parsing VPC flow logs and Route53 query logs with public threat feeds. Attacks targeted against specific industries are often underrepresented in public feeds. There are also delays from when the attack is first seen until when the data is pulled into a threat feed. Amazon Athena is a valuable tool we can use when it comes to searching for threat data in AWS accounts. Athena allows you to query large amounts of data from S3 using a SQL syntax. AWS has helpful guides for how to set up VPC flow logs to be queryable from Athena here. Searching over large amounts of flow log data quickly is very useful; however, we will want automatic integration with MISP to identify malicious traffic. We can pull out malicious IP addresses from the MISP API. Below is a screenshot of the MISP query builder. This example shows a search for all of the malicious IP addresses (ip-dst) over the last seven days with the intrusion detection system (IDS) flag set. The IDS flag lets security analysts highlight which attributes of an event are strong indicators of compromise. For example, if a malware package sends a DNS request to the google nameserver 8.8.8.8 it may help identify the malware family, though this by itself does not represent a host is compromised. Pulling the list of malicious IP addresses can be performed in a scheduled Lambda task running the MISP python API. This example shows how attributes can be pulled and dumped out as a CSV file. #!/usr/bin/env pythonfrom pymisp import PyMISPimport jsonmisp = PyMISP('https://misp.localhost/', '<api-key>', True, 'json')ret = ""result = misp.search('attributes', type_attribute = 'ip-dst', to_ids = True)for attribute in result['response']['Attribute']: ret += attribute['id'] + "," ret += attribute['event_id'] + "," ret += attribute['value'] + "n"print (ret)   This file can then be used to set up a new Athena database table. The example here shows the syntax to create a basic table for malicious IP addresses while retaining the MISP event ID. CREATE EXTERNAL TABLE IF NOT EXISTS misp_dest_indicators ( attributeid int, eventid int, destinationaddress string)PARTITIONED BY (dt string)ROW FORMAT DELIMITEDFIELDS TERMINATED BY ' 'LOCATION 's3://your_log_bucket/vpcflowlogs/';  Now we have all of the data to parse over our VPC flow logs with our MISP threat indicators. Joining these Athena tables, we can see if any of our MISP indicators show up in our VPC flow logs. SELECT v.account,  v.interfaceid,  v.sourceaddress,  v.destinationaddress,  v.action,  m.attributeid,  m.eventidFROM vpc_flow_logs v,  Misp_dest_indicators mWHERE v.destinationaddress = m.destinationaddress; If we want this in a more automated process we can execute this Athena query directly from Lambda. We could then trigger an alert with SNS if we find any matches on our hosts. For example: import boto3 session = boto3.Session()client = session.client('athena', region_name='ap-southeast-2') response = client.start_query_execution(    QueryString='select * from vpc_flow_logs limit 100;',    QueryExecutionContext={        'Database': 'vpc_logs'    },    ResultConfiguration={        'OutputLocation': 's3://<bucket>'    }) This solution allows us to search over large amounts of data when a new threat emerges. We also want to make sure these security events don’t happen in the future. AWS has a threat detection service called GuardDuty which will passively search for threats in VPC flow logs and Route 53 query logs. GuardDuty can use custom threat lists from S3 which allows us to provide another dump of MISP threat indicators in a text file. This will then alert any future events where hosts will try to route to any of these hosts to your security team. This will then alert your security team to any future events where hosts try to route to any malicious addresses.

Learn more

Blogs

An experience of APNIC Foundation's 3rd Regional CERT/CSIRT workshop for the Pacific.

An experience of APNIC Foundation's 3rd Regional CERT/CSIRT workshop for the Pacific.   I feel incomplete when I hear only one voice, and this blog is, in its form just that, one voice about an event I had the honor of being part of.   My preferred option, to make a story whole, is to take the different voices and listen other people tell the story of what happened.  This way I get a better picture of the impact and significance of an event or perhaps glimpse a pattern of directed effort. The event was the APNIC Foundation’s 3rd Regional CERT/CSIRT workshop for the Pacific and the the glimpse of the effort was APNIC Foundation’s drive to impart skills, know-how, and cohesive trusted contacts, to as many Pacific nations as possible given APNIC Foundation’s engagement over the past few years.  These activities supports APNIC, in building human and community capacity for Internet development in the Asia-Pacific region. This workshop was organized by the APNIC Foundation with support from APNIC and Samoa’s Ministry of Communications and Information Technology, and funding from the Cyber Cooperation Program (Australia’s Department of Foreign Affairs and Trade – DFAT). Participants of APNIC Foundation’s 3rd CERT/CSIRT workshop for the Pacific My recollection of the APNIC Foundation’s 3rd Regional CERT/CSIRT workshop was from the perspective of a guest assistant speaker, bringing only a splinter of expertise from AUSCERT along with its perspective of cyber security as a non-profit member-based CERT. I have been fortunate to join APNIC’s Adli Wahid, a veteran of delivering these types of courses, in facilitating the workshop.    Participant at one of the sessions of the 3-day workshop And so in delivering some of the material over the three days, I did get the chance to hear the perspective of cyber security from different Pacific nations, but not just at the national constituency level, but also at the level of Financial Institutions Universities Ministries Law Enforcement and Utilities. Every person that attended brought their own skill sets and perspectives on cyber security given to them by their opportunity and work environment.  Every Pacific nation that sent a delegate to the workshop brought their skills and perspectives, to be honed from a barrage of tools and techniques that could be fit in the time three days can offer.  Let’s be clear, these delegate were not empty vessels that were filled up with skills in three days but already had a solid foundation of process and techniques. The three days just brought in new tools and shared perspective.   This was evident, with a little coaxing, from the effective interaction on the final day’s table top exercise.  The participants were split up into five distinct teams with economy wide responsibilities.  One of the first questions that I was asked was, “…is this a competitive drill?…”,  where one team needs to outdo another.  Perhaps it should have been, but the purpose of this table top exercise, as is the case in solving internet borne issues,  is apply a collaborative effort to efficiently and effectively address cyber security.  At the end of the exercise, all triggers to take down malicious infrastructure were called out by various player-teams and a sense of empowerment from each team came out from the fact that each contributed a meaningful task in cleaning up the exercise’s scenario.   Each team with their set of expertise and their vision into the scenario, realised that in solving of cyber security issues, each had a very important piece of work to do in addressing the problem as a whole, and were by the end of the day, working together as one.  What filtered out as the best lesson out of the three days of the workshop, is that it is paramount to make an effort that internet connectivity be molded and protected, as a tool to bring out the best opportunity for economic growth at every level of society that the internet touches.   It’s been great to have seen APNIC Foundation’s take that effort of uniting skills and collaboration across the Pacific for the third time, and it is hoped that they will be given the tools to continue this effort far into the future.  For, although I was honored to be a guest speaker for the 3rd Regional CERT/CSIRT workshop, I feel I too learned a lot from the delegates and that I’m bringing back to AUSCERT able and trusted contacts that, should we see cyber security issues in the Pacific, we can all collaborate with them on making a safe, clean and reliable internet.   Geoffroy ThononSenior Information Security AnalystAUSCERT

Learn more

Blogs

Don't be an April Fool – back up your files!

Don't be an April Fool – back up your files! This Sunday the 31st of March marks World Backup Day [1]. Why backup? Backups are crucial for ensuring the integrity of your files in any unexpected event.  If you aren’t already convinced on the utility of backups, or if they aren’t at the top of the priority list, here’s a handy list to change your mind (or to convince the boss it’s important!) – Disaster recovery: from flood and fire to dead hard drives and the accidental rm -rf– Forensics and auditing: to find out when something changed or when a machine is compromised– Ransomware recovery: so we don’t have to negotiate with scammers– Device theft or loss: hardware is replaceable, the data should be too– Minimising down time: in the event of data loss, you want the business back up and running as soon as possible Snapshots can help with some of these things, but snapshots aren’t backups, so having both is important. Storing your Backups Securing your backups is important to ensure the integrity and confidentiality of your data.  Keep your backups on servers you trust, and have at least one copy offsite, in the case of a natural disaster.  Duplicity or Duply [2] are powerful tools which can gpg-encrypt your backups to send to an Amazon S3 bucket or elsewhere.  Popular cloud services include Backblaze [3], or Time Machine for Mac [4].   Testing your Backups If you already have backups, which fingers crossed we all do, take this event as an opportunity to test them.  Try to include data recovery testing with your regular maintenance or patch cycle – just because they worked once, doesn’t mean they always will. The worst time to test your backups is when your data is gone, the best time is right now! Charelle   [1] http://www.worldbackupday.com/en/[2] https://duply.net/[3] https://www.backblaze.com/[4] https://support.apple.com/en-us/HT201250

Learn more

Blogs

Password Reuse and Data Breaches

Password Reuse and Data Breaches Everyone knows the story of registering for a website we only ever intend to use once, where we lazily re-used a password. Fast forward 15 years later, you find out that website’s password database was storing everything in plain text, someone bad got a hold of it and you never knew. It’s a surprisingly common story and there is a stigma of shame around talking about personal password hygiene. One thing we can all do is tell the people we are close to that it’s never too late to start improving, recommended password managers and good multi-factor solutions to get the ball rolling for them.  Password reuse is hard to get out in the open as it is a very private issue. Luckily, there is now a solution. Troy Hunt has teamed up with Cloudflare to provide a free API that allows passwords to be checked against known passwords that have been seen in reported breaches. Steer people in the direction of Troy Hunt’s Have I Been Pwned website and it may give them the wake up call they need, when a big scary red box flashes up on the screen letting them know that their data may not be safe.   What can we do then on an organisational level? The personal touch of reaching out to people directly doesn’t scale well and can often come across as intimidating when coming from “the security team”. The experience of setting a password is a very private one and the strong password guidelines need to make their way into this personal experience. We have been asking users to set things like reasonable password lengths and complexities through web frameworks for a long time now. The instant responsiveness of this has been training everyone that password length and complexity matter, but what about reuse? Troy teamed up with Cloudflare to deliver a free API endpoint to check if a password has shown up in reported data breaches last year. What this means for organisations is that on your password reset page or even login page you can query this API endpoint every time you type in a password so see if it has shown up in a breach before.   Doesn’t that mean Troy now has my new password? Nope! The API has been designed so that only the prefix of the hash of your password is sent to the API endpoint and you get back all hashes that match that prefix, you then check to see if your hash matches any of the returned results. Hashes are designed for obfuscation so sending through the first five characters of your hash doesn’t reveal your password. Passwords that will have the same first five characters will have no relevance to one another. For example the first five characters in the hash for “alexguo029” is “21bd1”, while the first five characters in the hash for “lauragpe” is also “21bd1”. Therefore if an attacker was able to capture the data sent to the API they will not be able to gather any sensitive information. Read more about the technical details in Troy’s blog.   Can I easily implement it on my infrastructure? Yes! We can query this API in client-side code without ripping apart any of our current systems. Client-side code works for this as it’s more of a user education exercise than another security layer. Check out some implementations on GitHub like passprotect-js to see just how easy it is. There is a great demo video and example code showing how the prefix of the password hash is generated and sent to the API and instantly gives the user feedback showing the tangible evidence that the password is not safe to use.  This is an easy win and with the recent password collection dumps it is more valuable then it has ever been. Run it in a development environment today as a proof of concept. To lead by example this is a demo I ran up on the AUSCERT website just this morning using passprotect-js.     What do I do about the latest breach? We can’t eliminate password reuse for our user-base. Password rotation policies feel like a natural solution to this however NIST warns of aggressive password rotation lowers the overall password strength due to user fatigue. Check out if your organisation shows up in a breach. Hopefully the passwords are not reused but you should still encourage resets where possible especially for users which could be high value targets.   Use MFA! Human brains will never be great at password based authentication, that is why we need to supplement it with another factor. This takes the urgency out of password breaches with respect to password reuse in your organisation because of the second line of defence. We use one time password based MFA on the AUSCERT website and hope to extend it to our other services in the future.

Learn more

Blogs

What do I need to know about the MSP hack?

What do I need to know about the MSP hack? What’s going on? On Thursday, the United States Justice Department made an indictment against two members of APT10, acting in association with the Chinese government [0]. APT10, an advanced persistent threat, has been targeting managed service providers (MSPs) around the world since 2014. Organisations from over fourteen countries were affected, including Australia. This indictment has spurred a flurry of new stories this morning, including a publication from the ACSC [1] and an interview with National Cyber Security Adviser, Alastair MacGibbon [2], who also attributes APT10 to the Chinese Government. The nation-state attack on MSPs was covered extensively in 2017, as well as earlier this year [3] [4], and is known as “Cloud Hopper” [5]. This attack attempts to compromise the MSP with remote access trojans (RATs) delivered by phishing. By compromising MSPs, attackers are able to then target the MSP’s clients. What is APT10? APT10 is also known as Stone Panda, MenuPass, and Red Apollo. An APT is skilled and persistent with more resources than other types of attackers, so they are usually sponsored by nation-states, or coordinated groups. When the APT10 MSP attacks were reported in 2017, there was only circumstantial evidence which pointed at Chinese timezone patterns. This indictment from the US Justice Department charges APT10 members Zhu Hua and Zhang Shilong, who acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau since 2006. What should I tell my boss? This is not a new threat, and we have known about it since early 2017. The reason it is in the news is that the United States Justice Department has indicted two Chinese nationals. You can also point out which of the controls in this document you have implemented to mitigate the risks associated with engaging with an MSP: “How to manage your network security when engaging a Managed Service Provider” [6] What you should do At the time of writing, here are the Indicators of Compromise from our MISP event:https://wordpress-admin.auscert.org.au/publications/2018-12-21-apt10-msp-breach-iocs We recommend running these against your systems and logs. While a list of affected MSPs isn’t publicly known, the ACSC has contacted any MSPs they know to have been affected. If you have any concerns, we recommend you contact your MSP, as they will be able to provide more information about their situation. You can also take this opportunity to update your risk registers and incident plans for any information and services you have hosted with a third party provider. Perhaps you could make it a start or end of year routine?   With that said, have a relaxing holiday season – we hope you don’t have to play too much family tech support!   [0] https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion[1] https://cyber.gov.au/msp-global-hack/[2] https://www.abc.net.au/radionational/programs/breakfast/australian-businesses-hit-by-audacious-global-hacking-campaign/10645274[3] https://www.arnnet.com.au/article/617425/aussie-msps-targeted-global-cyber-espionage-campaign/[4] https://www.securityweek.com/dhs-warns-attacks-managed-service-providers[5] https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf[6] https://cyber.gov.au/business/publications/msp-risk-for-clients/

Learn more

Blogs

Windows DNS Server Privilege Escalation vulnerability (CVE-2018-8626) leading to Remote Code execution alleged to have Proof of Concept exploit

Windows DNS Server Privilege Escalation vulnerability (CVE-2018-8626) leading to Remote Code execution alleged to have Proof of Concept exploit INTRODUCTION AUSCERT recently published an ASB addressing Microsoft’s security updates for the month of December.  Among the vulnerabilities addressed was a Critical vulnerability in the DNS Server implementation in the following Windows platforms: “Windows 10 Version 1607 for 32-bit SystemsWindows 10 Version 1607 for x64-based SystemsWindows 10 Version 1709 for 32-bit SystemsWindows 10 Version 1709 for 64-based SystemsWindows 10 Version 1709 for ARM64-based SystemsWindows 10 Version 1803 for 32-bit SystemsWindows 10 Version 1803 for ARM64-based SystemsWindows 10 Version 1803 for x64-based SystemsWindows 10 Version 1809 for 32-bit SystemsWindows 10 Version 1809 for ARM64-based SystemsWindows 10 Version 1809 for x64-based SystemsWindows Server 2012 R2Windows Server 2012 R2 (Server Core installation)Windows Server 2016Windows Server 2016 (Server Core installation)Windows Server 2019Windows Server 2019 (Server Core installation)Windows Server, version 1709 (Server Core Installation)Windows Server, version 1803 (Server Core Installation)” [1] Security updates fixing the vulnerability have been provided by Microsoft.   VULNERABILITY DESCRIPTION In their vulnerability description, Microsoft states: “A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.” [1] Failed exploitation attempts will lead to denial of service conditions.   NVD CVSS3 Vector:  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C NVD CVSS3 Base Score: 9.8 (Critical)   PROOF OF CONCEPT EXPLOIT Although the NVD CVSS3 vector above indicates a proof of concept exploit exists for this vulnerability, AUSCERT has not been able to access it or find any threat indicators related to it. We will continue to update this blog as more information becomes available.   References 1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626

Learn more

Blogs

What Scotty Didn't Know – your guide to domain takeovers

What Scotty Didn't Know – your guide to domain takeovers Last night, a domain belonging to our PM lapsed, resulting in a cheeky citizen snapping it up [1]. If your business lost control of its domain, what would you do? Losing your domain can greatly impact business operations – email will stop working, customers won’t be able to access your website, soon calls and tweets start coming in. In a worst case scenario, someone with malicious intent can claim the domain, start receiving sensitive business emails, receive password reset emails for online services, and start sending emails as you. Not only does this look unprofessional, but can significantly impact service to your clients, your access to other services (via email password resets), and impact business revenue. Fortunately, prevention is as simple as not letting the renewal get lost in a sea of tasks: – See if your registrar allows automatic renewal, and make sure your payment details are kept up to date– Set an alert far enough in advance to get the expense approved and paid– Don’t ignore emails from your registrar, but also don’t click links in the email. It is always safer to go directly to their website– Related to the previous point, watch out for scam emails claiming to be from a registrar. They often use urgent wording to try get you to click ICANN is the Internet Corporation for Assigned Names and Numbers. They control generic top level domains (gTLD) such as .com, .net, .space. The number of gTLDs is expanding, but there are currently over 1900 that have been delegated. ICANN policy allows a 30 day redemption grace period where the registered name holder can renew a lapsed gTLD. The .au TLD is a country code top level domain (ccTLD). In Australia, the .au top level domain, which includes .com.au, .gov.au, .net.au, .edu.au, is controlled by auDA – .au Domain Administration Ltd [2]. auDA’s domain name renewal policy for lapsed domains is also 30 calendar days after expiry. Conveniently, for potential scammers, there is a public list of expired domain names, updated daily. [3] If someone has taken your .au domain and is trying to sell it back to you, this is called cybersquatting, and not allowed according to auDA’s policies:“A registrant may not register a domain name for the sole purpose of resale or transfer to another entity.” [4]In this scenario, you would be able to file a complaint with auDA.   Registering similar domains So you have awesomebusiness.com.au … but what if someone buys awesomebusiness.com? Or awesomebusiness.tk? Domains are fairly cheap, so it often doesn’t hurt to buy the more common ones, like .com or .net If you follow this route, try not to let them lapse as well! If someone does register a domain that infringes on your trademark, it may be possible to have it de-registered. We recommend speaking with your legal department for advice. AUSCERT is only able to issue takedowns for malicious domains that are used to distribute malware or phishing campaigns. Subdomain takeoversIt would be remiss to have a post about domains but not mention subdomain takeovers. This often occurs when CNAME records aren’t kept up to date. For example, say you have campaign.awesomebusiness.com.au which points to hosting.cloud.com. After the campaign ends you take down the site, but forget remove the CNAME record. This would allow someone else to establish a service on hosting.cloud.com, and set up a phishing site for your users at campaign.awesomebusiness.com.au. To prevent this, include updating DNS in your decommissioning process, and periodically check your DNS zone file. While domain threats are not often at the forefront of our minds, a little bit of housekeeping can go a long way to prevent an embarrassing incident in the future. Charelle. [1] https://web.archive.org/web/20181018222134/http://www.scottmorrison.com.au/[2] https://www.auda.org.au/[3] https://afilias.com.au/about-au/domain-drop-lists[4] https://www.auda.org.au/policies/index-of-published-policies/2012/2012-04/

Learn more

Blogs

Targeted blackmail campaign gains momentum

Targeted blackmail campaign gains momentum Since the dawn of email, spam has constantly pushed our ability to handle arbitrary, unsolicited input. Whether through gauntlets of long-forgotten regexes, or the most sophisticated of convolutional neural nets, detecting and blocking spam has been a Sisyphean battle which has consumed countless IT resources. Not so at AUSCERT. We have the dubious luxury of actively soliciting spam wherever it is to be found. Because of this we’re able to watch as campaigns wax and wane, see how they evolve over time, and get a feel for the objectives of the spammers. Some campaigns are evergreen – fake pharmaceuticals (usually of the male enhancement variety), various advance-fee scams (think Nigerian Prince), phishing for credentials – it’s rare a day goes by without examples of these coming across our inbox. Some campaigns are very flavour-of-the-month, for a few months everyone had their own ICO or crypto investment strategy to hawk to any mail socket willing to listen(). Other campaigns are more sporadic. It’s not unusual for us to see a short burst of activity on one particular topic or script which goes silent, only to re-emerge later. Sometimes this is to facilitate a transition to new infrastructure, or to replenish their supply of compromised accounts. Other times this can be to spend time reworking the script, or refining their technique – this blog deals with one such instance where the renewed campaign was so successful that we’ve seen a large uptick in its output. This particular campaign is a faux sextortion blackmail. The premise of the blackmail is that the spammer has recorded the recipient visiting a pornographic website, through some vulnerability on the website or the recipient’s own computer. Unless the victim pays a sum of cryptocurrency to the spammer, they threaten to release this non-existent video to the victim’s family, friends, or colleagues. The campaign itself is far from new, we have seen minor variations on the same script pop up repeatedly. Recently a new variation emerged, almost exactly the same, but with one small difference: it would present the recipient’s password to them. Given that these passwords were usually out of date, and data breaches and dumps are a great source of email address for spam campaigns, it stands to reason that the spammers were simply pulling passwords for a given email from old breaches and inserting them into the email template. In fact, in our case it would seem if they cannot find a matching password then it fills that portion of the template in with an empty string. We’re certainly not the first to have written about this campaign,[1] but we were spurred to write this post due to the increase in its prevalence that we’re witnessing. Unfortunately this only means one thing: it’s working. We’re also now seeing campaigns where the recipient’s name and phone number are being used in place of the password. It’s not hard to see how as an unsuspecting recipient you could easily be fooled into believing the claims made. Indeed, efforts to catalogue and track the transactions of the various wallet addresses used by the spammers prove that it’s having the desired effect.[2] Some things you can do to protect yourself against such scams: Treat all unsolicited email with a healthy dose of skepticism. If you receive any threatening email, take a sentence or two and search for them. This can help you detect if you’ve received a well-known script or variant. Report the email to your IT department if possible. Practice good password hygiene. If you know you’ve used a strong, unique password for each service then you reduce your exposure when one is breached. Consider a password manager. For reference, here is an example from this campaign that we have received: It appears that, (), is your password. May very well not know me and you are probably wondering why you're getting this e-mail, right? actually, I put in place a malware over the adult videos (adult porn) website and guess what happens, you visited this web site to have fun (you really know what What i'm saying is). When you were watching videos, your internet browser started off working like a RDP (Remote Desktop) which provided me accessibility to your screen and web camera. from then on, my software program obtained your complete contacts from your Messenger, Microsoft outlook, Facebook, as well as emails. What did I really do? I created a double-screen video clip. First part shows the recording you were seeing (you have a good taste haha . . .), and 2nd part shows the recording of your webcam. what exactly should you do? Well, in my opinion, $1200 is a fair price for your little secret. You will make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google). Bitcoin Address: **ADDRESS** (It is case sensitive, so copy and paste it) Very important: You've got some days to make the payment. (I have a unique pixel in this e-mail, and at this moment I know that you've read through this email message). If I do not get the BitCoins, I will certainly send your videos to all of your contacts including relatives, co-workers, and so forth. Having said that, if I receive the payment, I'll destroy the recording immidiately. If you'd like evidence, reply with "Yes!" and I will definitely mail out your videos to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by answering this message. [1] https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/[2] https://twitter.com/SecGuru_OTX/status/1022430328647024640

Learn more

Blogs

Location, location, location

Location, location, location This week we received an email from a person who was concerned about a picture they had uploaded to their profile within an organisation.  They noticed that the GPS coordinates of where the photo was taken was retained in the metadata of the uploaded image.  Curious, they started looking at other people’s profile images to discover coordinates stored in those as well, potentially revealing where these colleagues live. What is EXIF data? Apart from the image itself, an image file can store other information such as date, time, camera information and settings, geolocation, and copyright information. For a photographer, this information is very useful, and saves having to write it down for each photo.  What it also means though, is that when we take a photo with a camera phone, and upload this image to social media, that site now has access to where you are, and at what time you were there.  Not only that, but if the website doesn’t strip the metadata before republishing, others could also see this information and track your location and movements. What can I do? For users: Many social media websites already strip location and other EXIF data, including (at the time of writing) Facebook, Instagram, LinkedIn and Twitter. That said, many other large sites do not strip this metadata, and it can be difficult to know about smaller services or corporate systems, so as a user, it is safer to disable the saving of location information from your device. On Android, this will vary depending on your phone and version. In your camera application, look for ‘Settings‘, then ‘GPS location‘ or ‘Store Location‘, and turn this option off. You can also disable location services completely by going to ‘Settings‘, then under the ‘Personal‘ heading, select ‘Location‘ and turn it off. On an iPhone, in ‘Settings‘ go to ‘Privacy‘, then ‘Location Services‘ and turn this option off for the camera. These steps only disable location information. Time and date stamps, as well as device information will still be retained. For existing photos on your computer, you can use Imagemagick (https://www.imagemagick.org, cross platform) to batch strip EXIF data from your images: $ mogrify -strip * In Windows, you can right click an image, select ‘Properties‘, then the ‘Details‘ tab to see and remove the image’s metadata. Alternatively, there are many other image editing tools to choose from.   For administrators: Please look into stripping metadata when a user uploads an image to your web application, or re-process images so that data isn’t available to other users. Happy (and safe) snapping!Charelle.

Learn more