Week in review

AUSCERT Week in Review for 8th February 2019

Greetings,

This week Apple patched the high-profile FaceTime vulnerability that made the news last week, and a researcher went public with a macOS keychain vulnerability that gives a user access to its plaintext credentials without restriction. One in, one out for newsworthy Apple vulnerabilities.

To dramatically cap off this week, the Australian Parliament was subject to a cyber attack, the extent of which is still being investigated.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

China link possible in cyber attack on Australian Parliament computer system, ABC understands
Date: 08 February 2019
Author: Stephanie Borys
Excerpt: “Australia’s security agencies are investigating a cyber breach of the Federal Parliament’s computer network that the ABC understands is likely the result of a foreign government attack. The agencies are looking into whether China is behind the incident. In a statement, Federal Parliament’s presiding officers said authorities were yet to detect any evidence data had been stolen in the breach.”

——

Apple puts bullet through ‘Do Not Track’, FaceTime snooping bug and iOS vulnerabilities
Date: 07 February 2019
Author: Thomas Claburn
Excerpt: “Today, Apple also emitted security fixes for iOS 12.1.4. This fixes the FaceTime eavesdropping bug (CVE-2019-6223) found by 14-year-old Grant Thompson of Catalina Foothills High School and Daven Morris of Arlington, Texas. We understand the teen and his family will get some compensation from Apple, which will also pay toward his education. The OS update also fixes two elevation-of-privilege holes (CVE-2019-7286 in Foundation, CVE-2019-7286 in IOKit), and a vague problem with Live Photos in FaceTime (CVE-2019-7288). Meanwhile, FaceTime has been fixed in macOS, too.”

——

Researcher reveals huge Mac password flaw to protest Apple bug bounty
Date: 06 February 2019
Author: Jeremy Horwitz
Excerpt: “Apple’s operating systems have recently had more than their fair share of serious security issues, and the latest problem will be enough to rattle millions of Mac users. Previously credible researcher Linuz Henze has revealed an exploit that in one button press can reveal the passwords in a Mac’s keychain. Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze’s KeySteal exploit grabs everything with a single press of a “Show me your secrets” button.”

——

Here are this week’s noteworthy security bulletins:

1) ESB-2019.0388 – [Apple iOS] iOS: Multiple vulnerabilities
Apple has released its patch for the FaceTime group chat, alongside two elevation of privilege vulnerabilities.

2) ASB-2019.0046 – [Android] Android: Multiple vulnerabilities
Android’s February update is out, with all the usual suspects getting fixes (RCE, EoP, DoS).

3) ESB-2019.0305 – [Win][UNIX/Linux][Debian] libreoffice: Execute arbitrary code/commands – Remote with user interaction
LibreOffice documents would happily execute any Python script (and arguments!) in a document-supplied directory.

Stay safe, stay patched and have a good weekend!

Tim


AUSCERT Week in Review for 1st February 2019

Greetings,

This week featured some very high-profile vulnerabilities, tech companies abusing each other’s trust, and a great upheaval in name resolution, leaving unorthodox DNS servers out in the cold.

A pass-the-hash vulnerability in Exchange was made public, which allows any user with a mailbox to elevate themselves to the Exchange user, which, unsurprisingly, often runs with Domain Admin privileges. Microsoft have not released a patch, but mitigations are available.

Apple was forced to suspend group chat functionality in FaceTime, after a teenager discovered its espionage potential. Calling a contact via FaceTime, and then adding yourself as an additional contact to the group, would hot-mic the unsuspecting victim before they had answered the call. Rather than let this capability fall into the hands of pranksters and nation states, Apple wisely disabled the function until a patch is ready.

Apple was also forced to suspend Facebook and Google’s enterprise certificates, causing chaos internally as non-public applications (and development versions of their public app suites) would now refuse to run on iOS. This was a result of the companies using the intra-company certificate to bypass Apple’s privacy requirements on the App Store, having created data-harvesting apps that lured users in with the promise of gift cards. Apple has since worked to reinstate certificates for the companies, presumably satisfied that it had made its point.

(On or around) February 1st is DNS Flag Day, and authoritative DNS servers that stray from the RFCs and fail to implement the EDNS extension will find themselves receiving the cold shoulder from upstream servers. If you run such a non-compliant server after Flag Day, then your services had better have memorable IP addresses.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Cyber Alert: DNS Flag Day
Date: January 30 2019
Author: Center for Internet Security
Excerpt: “On Friday, February 1, 2019, major Domain Name Systems (DNS) software and service providers will remove DNS workarounds that allow users to bypass the Extension Mechanisms Protocol for DNS (EDNS). EDNS is a set of extension mechanisms to expand the size of the DNS message as it goes through its query, which allows more information to be included in the communication between each host in the DNS resolution process. On Friday, several DNS resolver operators, including PowerDNS, Internet Systems Consortium, and Google, will release updates that implement stricter EDNS handling. This update will speed up the DNS process by forcing everyone to implement the EDNS protocol. Furthermore, the update will simplify the deployment of new features in the future. Consequently, if the update is not implemented on DNS servers, there will be no DNS response to any recursive servers’ request.”

——

Severe vulnerability in Apple FaceTime found by Fortnite player
Date: January 30 2019
Author: Charlie Osborne
Excerpt: “Before the so-called Apple “Facepalm” bug hit the headlines, the mother of a 14-year-old boy from Arizona had been trying to warn the tech giant about the vulnerability for over a week. A FaceTime call made on 19 January by Michele Thompson’s son, as reported by sister site CNET, began the chain of events. The teenager added a friend to the group conversation and despite the fact that the friend had not yet picked up the phone, he was able to listen in to conversations taking place in the iPhone’s environment.”

——

Furious Apple revokes Facebook’s enty app cert after Zuck’s crew abused it to slurp private data
Date: January 30 2019
Author: Kieren McCarthy
Excerpt: “The enterprise cert allows Facebook to sign iOS applications so they can be installed for internal use only, without having to go through the official App Store. It’s useful for intranet applications and in-house software development work. Facebook, though, used the certificate to sign a market research iPhone application that folks could install on their devices. The app was previously kicked out of the official App Store for breaking Apple’s rules on privacy: Facebook had to use the cert to skirt Cupertino’s ban.”

——

Microsoft Exchange vulnerable to ‘PrivExchange’ zero-day
Date: January 29 2019
Author: Catalin Cimpanu
Excerpt: “Microsoft Exchange 2013 and newer are vulnerable to a zero-day named “PrivExchange” that allows a remote attacker with just the credentials of a single lowly Exchange mailbox user to gain Domain Controller admin privileges with the help of a simple Python tool. … According to the researcher, the zero-day isn’t one single flaw, but a combination of three (default) settings and mechanisms that an attacker can abuse to escalate his access from a hacked email account to the admin of the company’s internal domain controller (a server that handles security authentication requests within a Windows domain).”

——

Here are this week’s noteworthy security bulletins:

1) ESB-2019.0285 – ALERT [Win] Microsoft Exchange Server: Increased privileges – Existing account
Exchange pass-the-hash vulnerability, often leading to Domain Admin.

2) ASB-2019.0042 – [Win][UNIX/Linux] Mozilla Firefox: Multiple vulnerabilities
Your usual suite of vulnerabilities for a browser update – RCE, DoS, increased privileges etc.

3) ASB-2019.0044 – [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities
Not to be outdone, Chrome has also fixed your usual culprits in its latest release.

Stay safe, stay patched and have a good weekend!

Tim
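The DNS Flag Day item above turns on one concrete wire-format detail: a resolver that “implements EDNS” puts an OPT pseudo-record in the additional section of its query and expects a compliant authoritative server to echo one back. The script below is an added illustration written for this review, not code from AUSCERT or from the Center for Internet Security alert. It builds a minimal EDNS(0) query, parses a response to see whether an OPT record came back, and sorts the result into the outcomes an operator checking their own authoritative servers cares about (OPT echoed, answered without OPT, FORMERR without OPT, or no reply at all). The two responses it inspects are constructed inside the script rather than captured from a real server; the name example.com, the transaction id and the payload sizes are arbitrary choices.

```python
"""Build an EDNS(0) DNS query and check whether a response honours EDNS.

Added example for the DNS Flag Day item; the responses checked below are
constructed in-script, not captured from a real server.
"""
import struct

OPT_TYPE = 41  # RR type of the EDNS(0) OPT pseudo-record (RFC 6891)


def encode_name(name):
    """Encode a dotted name in DNS label format."""
    labels = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a two-byte pointer ends the name
            return off + 2
        off += 1 + length


def build_edns_query(name, qtype=1, txid=0x1234, udp_payload=1232):
    """A-record query for `name` with one OPT record advertising `udp_payload`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: empty (root) name, TYPE=41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE / version / flags (all zero here), no RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt


def parse_response(msg):
    """Summarise a DNS response: rcode, answer count, and EDNS details if an OPT RR is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    info = {"txid": txid, "rcode": flags & 0xF, "answers": an,
            "edns": False, "udp_payload": None, "edns_version": None}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["edns"] = True
            info["udp_payload"] = rclass
            info["edns_version"] = (ttl >> 16) & 0xFF
    return info


def classify(info):
    """Name the outcome a server operator cares about."""
    if info is None:
        return "no_reply"        # the server dropped the EDNS query outright
    if info["edns"]:
        return "edns_ok"         # OPT echoed: EDNS handled
    if info["rcode"] == 1:
        return "formerr_no_opt"  # FORMERR without OPT: EDNS not understood
    return "no_opt"              # answered, but silently ignored EDNS


def build_sample_response(query, include_opt, rcode=0, answer_ip="192.0.2.1"):
    """Constructed response to `query` (demonstration only, not a real server's output)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = 0x8180 | (rcode & 0xF)  # QR, RD, RA
    ancount = 1 if rcode == 0 else 0
    arcount = 1 if include_opt else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, arcount) + question
    if ancount:
        # A record whose owner name is a compression pointer back to the question (0xC00C)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(o) for o in answer_ip.split("."))
    if include_opt:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return msg


if __name__ == "__main__":
    q = build_edns_query("example.com")
    for label, resp in [("compliant", build_sample_response(q, include_opt=True)),
                        ("legacy FORMERR", build_sample_response(q, include_opt=False, rcode=1)),
                        ("dropped", None)]:
        info = parse_response(resp) if resp is not None else None
        print(label, "->", classify(info))
```

To test a real authoritative server you would send the bytes from build_edns_query() over UDP port 53 with a plain socket and feed the reply to parse_response(); a FORMERR or an answer with no OPT record points at a server or middlebox that does not handle EDNS, which is the behaviour the Flag Day resolver updates stop working around.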


AUSCERT Week in Review for 25th January 2019

Greetings,

This week has been raining shells for all the lucky pentesters around the world. We’ve had Cisco, Debian and Apple release several patches to address a range of remote code execution vulnerabilities across their products.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: If you installed PEAR PHP in the last 6 months, you may be infected
Date Published: 1/24/2019
URL: https://arstechnica.com/information-technology/2019/01/pear-php-site-breach-lets-hackers-slip-malware-into-official-download/
Author: Dan Goodin
Excerpt: “Officials with the widely used PHP Extension and Application Repository have temporarily shut down most of their website and are urging users to inspect their systems after discovering hackers replaced the main package manager with a malicious one.” “If you have downloaded this go-pear.phar [package manager] in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes,” officials wrote on the site’s blog. “If different, you may have the infected file.”

——

Title: DHS issues security alert about recent DNS hijacking attacks
Date Published: January 22, 2019
URL: https://www.zdnet.com/article/dhs-issues-security-alert-about-recent-dns-hijacking-attacks/
Author: Catalin Cimpanu
Excerpt: “The US Department of Homeland Security (DHS) has published today an “emergency directive” that contains guidance in regards to a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran. The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed. The DHS documents also urge government IT personnel to monitor Certificate Transparency (CT) logs for newly-issued TLS certificates that have been issued for government domains, but which have not been requested by government workers (a sign that a malicious actor has hijacked a government domain’s DNS records, and is now requesting TLS certificates in its).”

——

Title: A vulnerability in Debian’s apt allows for easy lateral movement in data centers
Date Published: January 23, 2019
URL: https://www.guardicore.com/2019/01/a-vulnerability-in-debians-apt-allows-for-easy-lateral-movement-in-data-centers
Author: Daniel Goldberg
Excerpt: “A new vulnerability in Debian’s Advanced Package Tool (apt) is the latest big tool in the data center attacker’s arsenal. The vulnerability (CVE-2019-3462) is in Debian’s high-level package management system, which is used by system administrators to install, upgrade and remove software packages. The vulnerability can be exploited when administrators install or upgrade software packages on vulnerable servers. The apt package management software is part of every Debian based Linux distribution, covering Debian, Ubuntu and a whole group of smaller distributions such as Kali, TailsOS and many others. Distrowatch lists over 100 active distributions (large and small) based on Debian. All of these are likely to be vulnerable.”

——

Title: Internet experiment goes wrong, takes down a bunch of Linux routers
Date Published: January 24, 2019
URL: https://www.zdnet.com/article/internet-experiment-goes-wrong-takes-down-a-bunch-of-linux-routers/
Author: Catalin Cimpanu
Excerpt: “Earlier this month, an academic experiment studying the impact of newly released security features for the Border Gateway Protocol (BGP) went horribly wrong and crashed a bunch of Linux-based internet routers. The experiment, organized by academics from all over the world, was first announced last year in mid-December and was described as “an experiment to evaluate alternatives for speeding up adoption of BGP route origin validation.” BGP Route Origin Validation, or ROV, is a newly released standard part of a three-pronged security pack for the BGP standard, together with BGP Resource Public Key Infrastructure (RPKI) and BGP Path Validation (also known as BGPsec).”

——

Title: Targeted Attacks Abusing Google Cloud Platform Open Redirection
Date Published: Jan 24 2019
URL: https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection
Author: Ashwin Vamshi
Excerpt: “Netskope Threat Research Labs detected several targeted themed attacks across 42 customer instances mostly in the banking and finance sector. The threat actors involved in these attacks used the App Engine Google Cloud computing platform (GCP) to deliver malware via PDF decoys. After further research, we confirmed evidence of these attacks targeting governments and financial firms worldwide. Several decoys were likely related to an infamous threat actor group named ‘Cobalt Strike’. The attacks were carried out by abusing the GCP URL redirection in PDF decoys and redirecting to the malicious URL hosting the malicious payload. This targeted attack is more convincing than the traditional attacks because the URL hosting the malware points the host URL to Google App Engine, thus making the victim believe the file is delivered from a trusted source like Google.”

——

Here are this week’s noteworthy security bulletins:

1) ESB-2019.0182 – ALERT [UNIX/Linux][Debian] apt: Root compromise – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/74386
A man-in-the-middle vulnerability: an attacker able to intercept traffic between APT and the mirror can inject malicious content into the connection.

2) ESB-2019.0228 – [Win] iTunes: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/74574
A maliciously crafted SQL query may lead to arbitrary code execution, and an out-of-bounds read may lead to privilege escalation.

3) ESB-2019.0210 – [Cisco] Texas Instruments Bluetooth Low Energy: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/74498
Broadcasting malformed BLE frames can cause a memory corruption condition, which may result in remote code execution or denial of service.

——

Stay safe, stay patched and have a great weekend,

Rameez Agnew
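The DHS directive quoted in the DNS hijacking item above tells administrators to watch Certificate Transparency logs for certificates issued for their domains that nobody in the organisation asked for. The script below is an added example written for this review, not AUSCERT’s or DHS’s tooling: given a batch of CT log entries (a constructed JSON sample standing in for what a CT monitor would return after normalising log entries) and the fingerprints of the certificates the organisation actually requested, it flags every logged certificate whose subject names fall inside the monitored zones but whose fingerprint is not on the approved list, including wildcard names that cover the zone. The zone agency.example.gov, the issuer names, timestamps and fingerprints are all made-up values.

```python
"""Flag Certificate Transparency (CT) log entries for a monitored DNS zone that
were not requested by the organisation.

Added example for the DHS DNS-hijacking directive; the CT entries, zone,
issuers and fingerprints below are constructed, not pulled from a real log.
"""
import json

# Constructed sample of what a CT monitor would hand back after normalising
# log entries: one record per certificate with its SANs, issuer, log timestamp
# and the SHA-256 fingerprint of the DER-encoded certificate (all made up).
SAMPLE_CT_ENTRIES_JSON = """
[
  {"sha256": "1111111111111111111111111111111111111111111111111111111111111111",
   "issuer": "CN=Example Public CA", "logged_at": "2019-01-20T09:12:00Z",
   "sans": ["www.agency.example.gov", "agency.example.gov"]},
  {"sha256": "2222222222222222222222222222222222222222222222222222222222222222",
   "issuer": "CN=Some Other CA", "logged_at": "2019-01-21T03:45:10Z",
   "sans": ["*.agency.example.gov", "mail.agency.example.gov", "unrelated.example.net"]},
  {"sha256": "3333333333333333333333333333333333333333333333333333333333333333",
   "issuer": "CN=Example Public CA", "logged_at": "2019-01-21T11:00:00Z",
   "sans": ["shop.example.com"]}
]
"""

# Fingerprints of certificates the organisation itself requested (constructed).
AUTHORIZED_FINGERPRINTS = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}

# Zones whose names we care about (constructed).
MONITORED_ZONES = ["agency.example.gov"]


def san_in_zone(san, zone):
    """True if a subject alternative name falls inside the zone.

    A wildcard such as *.agency.example.gov covers the zone's subdomains,
    so it counts as a hit for that zone.  Comparison is case-insensitive
    and ignores a trailing dot.
    """
    san = san.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]
    return san == zone or san.endswith("." + zone)


def find_unexpected_certs(entries, zones, authorized_fingerprints):
    """Return CT entries naming a monitored zone whose fingerprint is not approved."""
    unexpected = []
    for entry in entries:
        if entry["sha256"].lower() in authorized_fingerprints:
            continue  # we asked for this one
        hits = [s for s in entry["sans"] if any(san_in_zone(s, z) for z in zones)]
        if hits:
            unexpected.append({
                "sha256": entry["sha256"],
                "issuer": entry["issuer"],
                "logged_at": entry["logged_at"],
                "matching_sans": hits,
            })
    return unexpected


def run_sample():
    """Run the check over the constructed sample and return the findings."""
    entries = json.loads(SAMPLE_CT_ENTRIES_JSON)
    return find_unexpected_certs(entries, MONITORED_ZONES, AUTHORIZED_FINGERPRINTS)


if __name__ == "__main__":
    for finding in run_sample():
        print("UNEXPECTED certificate %s... from %s logged %s covering %s" % (
            finding["sha256"][:16], finding["issuer"], finding["logged_at"],
            ", ".join(finding["matching_sans"])))
```

In practice the entries list would come from a CT monitoring service or from the log’s own API, and the approved set would be kept alongside the organisation’s certificate inventory; the point of keying on the fingerprint rather than the issuer is that an attacker who controls the DNS records can obtain a certificate from a CA the organisation also uses.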


AUSCERT Week in Review for 18th January 2019

Greetings,

As another week comes to a close, we see a nice collection of data breaches, including one leak containing 773 million email IDs and 21.2 million unique, plain-text passwords, with a total size of 87GB. There were also numerous Oracle security vulnerabilities reported and fixes released.

As always, here’s a summary of some of the more interesting stories we’ve seen this week.

Title: 773 million email IDs, 21 million passwords for anyone to see in massive data dump
Date Published: 17 Jan 2019
Author: Tomáš Foltýn
Excerpt: Nearly 773 million unique email addresses and more than 21.2 million unique, plain-text passwords were there for the taking recently in a massive data dump that’s been dubbed Collection #1. The news comes from security researcher Troy Hunt, who runs the Have I Been Pwned (HIBP) site that enables people to check and also receive alerts if any of their online accounts may have been the victim of a known breach. The stash of data was posted on file-sharing service MEGA and later also on an “unnamed popular hacking forum”, said Hunt. It comprises more than 12,000 files that weigh in at 87 gigabytes in total.

——

Title: Employees sacked, CEO fined in SingHealth security breach
Date Published: January 14, 2019
Author: Eileen Yu
Excerpt: Two employees have been sacked and five senior management executives, including the CEO, were fined for their role in Singapore’s most serious security breach, which compromised personal data of 1.5 million SingHealth patients. Further enhancements will also be made to beef up the organisation’s cyber defence, so that it is in line with recommendations dished out by the committee following its review of the events leading up to the breach, according to Integrated Health Information Systems (IHIS). The IT agency responsible for the local healthcare sector that includes SingHealth, IHIS, said a lead in its Citrix team and a security incident response manager were found to be negligent and in non-compliance of orders. This had security implications and contributed to the “unprecedented” scale of the SingHealth security breach, the agency said in a statement Monday.

——

Title: Massive Oklahoma Government Data Leak Exposes 7 Years of FBI Investigations
Date Published:
Author: Thomas Brewster
Excerpt: Another day, another huge leak of government information. Last December, a whopping 3 terabytes of unprotected data from the Oklahoma Securities Commission was uncovered by Greg Pollock, a researcher with cybersecurity firm UpGuard. It amounted to millions of files, many on sensitive FBI investigations, all of which were left wide open on a server with no password, accessible to anyone with an internet connection, Forbes can reveal. “It represents a compromise of the entire integrity of the Oklahoma department of securities’ network,” said Chris Vickery, head of research at UpGuard, which is revealing its technical findings on Wednesday. “It affects an entire state level agency. … It’s massively noteworthy.”

——

Title: Hackers breach and steal data from South Korea’s Defense Ministry
Date Published: Jan 16, 2019
Excerpt: Hackers have breached the computer systems of a South Korean government agency that oversees weapons and munitions acquisitions for the country’s military forces. The hack took place in October 2018. Local press reported this week [1, 2, 3] that hackers breached 30 computers and stole internal documents from at least ten. The breached organization is South Korea’s Defense Acquisition Program Administration (DAPA), an agency part of the Ministry of National Defense. It is believed that the stolen documents contain information about arms procurement for the country’s next-generation fighter aircraft, according to a news outlet reporting on the cyber-attack.

——

Title: Vulnerability Allowed Fortnite Account Takeover Without Credentials
Date Published: January 16, 2019
Author: Kevin Townsend
Excerpt: Hacking game accounts is a popular — and enriching — pastime. The rise of in-game marketplaces that can be used for buying and selling game commodities has attracted hackers who break into gamers’ accounts, steal their game commodities (and anything else they can find from personal data to parents’ bank card details) and sell them on for cash. The traditional route has always been to phish the gamers’ credentials — and obviously the bigger and more popular the game, the bigger the pool for phishing. Checkpoint recently discovered a vulnerability (now fixed) in the biggest game of all that allowed criminals to gain access to users’ accounts without requiring credentials.

——

Here are this week’s noteworthy security bulletins:

1) ESB-2019.0163 – [RedHat] Red Hat Enterprise Linux 6.7 EUS Final Retirement Notice
Red Hat issue their final retirement notice for Red Hat Enterprise Linux 6.7 EUS (Extended Update Support).

2) ASB-2019.0034 – [Win] Microsoft Team Foundation Server: Multiple vulnerabilities
An information disclosure vulnerability and a cross-site scripting vulnerability have been found in Microsoft Team Foundation Server.

3) ASB-2019.0035 – [Win] Microsoft Skype for Business Server 2015 CU 8: Cross-site scripting – Remote with user interaction
A cross-site scripting vulnerability has been discovered in Skype for Business 2015 server.

4) ESB-2019.0160 – [Ubuntu] irssi: Execute arbitrary code/commands – Remote with user interaction
A denial of service and code execution vulnerability was discovered in Irssi due to the way Irssi incorrectly handles certain inputs.

Stay safe, stay patched and have a great weekend,

Rameez


AUSCERT Week in Review for 11th January 2019

Greetings,

Judging by the traffic on the roads, most people have started working again! Welcome to 2019! We hope that this week has not been too difficult for you all. Fortunately, apart from some interesting vulnerabilities in Microsoft’s Patch Tuesday, most vulnerabilities were quite “un-interesting”.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Hacker Uses Australian Early Warning Network to Send Spam Alerts
Date Published: 7/1/2019
Author: Lawrence Abrams
Excerpt: “Over the weekend, a hacker gained unauthorized access to the Queensland EWN, or Early Warning Network, and used it to send a spam alert via SMS, landline, and email to the company’s subscribers. EWN is a service offered by Australian company Aeeris that allows Australian councils, or local governments, to send emergency alerts regarding extreme weather, fires, evacuation information, or incident responses. The unauthorized alerts stated that “EWN has been hacked. Your personal data is not safe.” They then went on to tell recipients to email support@ewn.com.au to unsubscribe from the service.”

——

Title: Aussie electoral systems get 24×7 monitoring for 2019 election
Date Published: 8/1/2019
Author: Justin Hendry
Excerpt: “Australia’s electoral systems will be actively monitored around the clock by a new security operations centre during the upcoming federal election. The Australian Electoral Commission has put out the call for vendors capable of providing “short-term, event based security monitoring” of its internal systems in a bid to protect against unauthorised interference.”

——

Title: A YubiKey for iOS Will Soon Free Your iPhone From Passwords
Date Published: 8/1/2019
Author: Brian Barrett
Excerpt: “Over the last several years, Yubico has become close to ubiquitous in the field of hardware authentication. Its YubiKey token can act as a second layer of security for your online accounts and can even let you skip out on using passwords altogether. The only problem? It’s been largely unusable on the iPhone. That’s going to change soon.”

——

Title: Samsung Phone Users Perturbed to Find They Can’t Delete Facebook
Date Published: 8/1/2019
Author: Sarah Frier
Excerpt: “Nick Winke, a photographer in the Pacific northwest, was perusing internet forums when he came across a complaint that alarmed him: On certain Samsung Electronics Co. smartphones, users aren’t allowed to delete the Facebook app.”

——

Title: New tool automates phishing attacks that bypass 2FA
Date Published: 9/1/2019
Author: Catalin Cimpanu
Excerpt: “A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). Named Modlishka –the English pronunciation of the Polish word for mantis– this new tool was created by Polish researcher Piotr Duszyński.”

——

Title: SingHealth COI report made public: System vulnerabilities, staff lapses, skilled hackers led to cyberattack
Date Published: 10/1/2019
Author: Fann Sim
Excerpt: “A potent mix of pre-existing system vulnerabilities, staff lapses and extremely skilled hackers led to the cyberattack on SingHealth’s patient database last year, said a report from the Committee of Inquiry (COI) into the breach.” […] ““To sum up, considerable initiative was shown by officers on the front line … It is a shame that such initiative was then smothered by a blanket of middle management mistakes,” the report said.”

——

Here are this week’s noteworthy security bulletins:

1) ESB-2019.0072 – [Win][Apple iOS][Android][Mac] Adobe Digital Editions: Access confidential data – Remote with user interaction
An information disclosure vulnerability has been identified and resolved in Adobe Digital Editions.

2) ESB-2019.0073 – [Win][Linux] Adobe Connect: Access privileged data – Remote with user interaction
A session token exposure vulnerability has been identified and resolved in Adobe Connect.

3) ASB-2019.0003.3 – UPDATE [Win] Microsoft Windows: Multiple vulnerabilities
27 vulnerabilities have been identified in the Microsoft Windows OS. One of the more interesting ones is a memory corruption vulnerability in the Windows DHCP client, where a specially crafted DHCP response could run arbitrary code on the client machine.

Stay safe, stay patched and have a good weekend!

Ananda


AUSCERT Week in Review for 4th January 2019

Greetings,

Welcome back to work, and the start of a new year in infosec! We hope you had a relaxing break away from the office, and enough time to enjoy the “life” in your work/life balance. It’s been a quiet week in the news, but don’t let your guard down.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Microsoft opens more security features to O365 E3 users
Date: 3 January
URL: https://www.itnews.com.au/news/microsoft-opens-more-security-features-to-o365-e3-users-517461
Author: Staff Writer
Excerpt: “Microsoft is set to make available extra security and compliance services to users of its lowest enterprise tier for Office 365. The company said in a blog post that it would make available the two new offerings on February 1 this year. The first package of services, called ‘Identity & Threat Protection’, “brings together security value across Office 365, Windows 10, and EMS ‘enterprise mobility and security’ in a single offering” for US$12 a user a month. A second package of services, called ‘Information Protection & Compliance’, “combines Office 365 Advance Compliance and Azure Information Protection”, Microsoft said.”

——

Title: Adobe Acrobat and Reader Security Updates Released for Critical Bugs
Date: 3 January
URL: https://www.bleepingcomputer.com/news/security/adobe-acrobat-and-reader-security-updates-released-for-critical-bugs/
Author: Lawrence Abrams
Excerpt: “Today, Adobe released security bulletin APSB19-02 that describes two security updates for critical vulnerabilities in Adobe Acrobat and Reader. In these updates only two vulnerabilities were fixed, but they are classified as Critical because they allow privilege escalation and arbitrary code execution.”

——

Title: Data breach sees Victorian Government employees’ details stolen
Date: 1 January
URL: https://www.abc.net.au/news/2019-01-01/victorian-government-employee-directory-data-breach/10676932
Author: ABC News
Excerpt: “The work details of 30,000 Victorian public servants have been stolen in a data breach, after part of the Victorian Government directory was downloaded by an unknown party. The list is available to government employees and contains work emails, job titles and work phone numbers. Employees affected by the breach were told in an email their mobile phone numbers may have also been accessed if they had been entered into the directory. The Premier’s Department said it had referred the breach to police, the Australian Cyber Security Centre and the Office of the Victorian Information Commissioner for investigation.”

——

Here are this week’s noteworthy security bulletins:

1) ESB-2019.0056 – [Win][Mac] Adobe products: Multiple vulnerabilities
Opening a malicious PDF document could lead to code execution and privilege escalation.

2) ESB-2019.0005 – [UNIX/Linux][Debian] sqlite3: Execute arbitrary code/commands – Existing account
An attacker with the ability to run custom SQL queries could achieve arbitrary code execution in sqlite3.

3) ESB-2019.0041 – [Debian] tzdata: Reduced security – Unknown/unspecified
A new year brings with it new timezone rules, and the possibility of date-time errors.

——

Stay safe, stay patched, and make this year the best ever for your organisation’s security!

Anthony


AUSCERT Week in Review for 21st December 2018

Greetings,

That’s a wrap for this year! Reminder that some of AUSCERT’s services will be in hibernation mode from today until they resume on the 2nd of January. For any urgent needs the 24/7 hotlines will continue as always.

In a dramatic end to the year, the US DoJ announced indictments against two Chinese nationals accused of being members of APT10. This was in relation to intellectual property theft, particularly as part of the Cloud Hopper campaign targeting MSPs (managed service providers).

In additional state-sponsored attack news, Twitter has reported that it was the victim of an attack targeting its support platform. It allowed a user’s phone number and country of origin to be uncovered, fuelling speculation that it was designed to unmask dissident accounts.

Microsoft has also issued an out-of-band patch for Internet Explorer, so be sure to get your patching in before the holidays!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

US charges Chinese citizens for espionage in major hacking campaign targeting navy, NASA, others
Date: 21 December
Author: ABC News
Excerpt: “US officials have charged two Chinese citizens they allege carried out an extensive hacking campaign to steal data from military service members, government agencies and private companies in the United States and nearly a dozen other countries. The US Justice Department said Zhu Hua and Zhang Jianguo, acting on behalf of Beijing’s main intelligence agency, were involved in computer hacking attacks on the US Navy, NASA and the Energy Department as well as companies in numerous sectors.”

——

Twitter discloses suspected state-sponsored attack
Date: 18 December
Author: Catalin Cimpanu
Excerpt: “Social networking site Twitter announced today another data leak that occurred on its platform, which the company said it is investigating as a suspected state-sponsored attack. In a support page published earlier today, Twitter said that it detected the attack on November 15 when it “observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia.””

——

On the first day of Christmas, Microsoft gave to me… an emergency out-of-band security patch for IE
Date: 19 December
Author: Chris Williams
Excerpt: “Microsoft today emitted an emergency security patch for a flaw in Internet Explorer that hackers are exploiting in the wild to hijack computers. The vulnerability, CVE-2018-8653, is a remote-code execution hole in the browser’s scripting engine. Visiting a malicious website abusing this bug with a vulnerable version of IE is enough to be potentially infected by spyware, ransomware or some other software nasty. Thus, check Microsoft Update and install any available patches as soon as you can.”

——

Save the Children Hit by $1m BEC Scam
Date: 17 December
Author: Phil Muncaster
Excerpt: “A leading children’s charity was conned into sending $1m to a fraudster’s bank account this year, in another example of the dangers of Business Email Compromise (BEC). Save the Children Federation, the US outpost of the world-famous British non-profit, revealed the incident in a recent filing with the IRS, according to the Boston Globe. The attacker managed to access an employee’s email account and from there sent fake invoices and other documents designed to trick the organization into sending the money.”

——

Here are this week’s noteworthy security bulletins:

1) ASB-2018.0310 – ALERT [Win] Internet Explorer: Execute arbitrary code/commands – Remote with user interaction
A vulnerability in the scripting engine allowed malicious pages to execute code when viewed in IE.

2) ESB-2018.3702.3 – UPDATE ALERT [Cisco] Cisco Prime License Manager: Execute arbitrary code/commands – Remote/unauthenticated
Cisco has released an update that fixes a regression in the previous patch release.

3) ESB-2018.3880 – [Linux][SUSE] amanda: Root compromise – Existing account
Root compromise in AMANDA, a networked backup service.

Stay safe, stay patched and have a good break (if you’re so lucky)! We’ll see you in the new year!

Tim

AUSCERT Week in Review for 14th December 2018

Greetings,

Extortion spammers have stepped up their game, with reports coming in of fake bomb threats. Microsoft have caused some brouhaha with an unauthenticated administrator compromise in their DNS Server product. And ATO scam calls have increased in both prevalence and prominence, making the front page of ABC News today.

The Super Micro story originally broken by Bloomberg has had minimal follow-up, with outright rejections from Apple and IBM. Now, an external security audit of Super Micro has found no evidence.

AUSCERT will be closed over the Christmas break. However, for urgent queries and incident assistance, please call the member hotline, which is 24/7/365. The number is available once you’re logged in on the “Contact” page of auscert.org.au – consider including it in your incident response plan!

Without further ado, the news:

Quick-thinking retail worker saves Tasmanian woman from losing thousands in tax scam
Date: 14 December 2018
Author: ABC News
https://www.abc.net.au/news/2018-12-14/woman-avoids-scam-with-help-from-tasmanian-retail-worker/10614324
A Tasmanian woman who narrowly escaped falling prey to a scammer pretending to be from the Australian Tax Office (ATO) has a quick-thinking retail employee to thank. What saved her from going through with the scammer’s demands was Alistair — a customer service employee who noticed she was buying a lot of gift cards, and pointed Ms Carey to a document from the ACCC warning of this very scam. The store refunded all the cards on the spot and she did not lose any money.

Spammed Bomb Threat Hoax Demands Bitcoin
Date: 13 December 2018
Author: Brian Krebs
https://krebsonsecurity.com/2018/12/spammed-bomb-threat-hoax-demands-bitcoin/
A new email extortion scam is making the rounds, threatening that someone has planted bombs within the recipient’s building that will be detonated unless a hefty bitcoin ransom is paid by the end of the business day. I could see this spam campaign being extremely disruptive in the short run. There is little doubt that some businesses receiving this extortion email will treat it as a credible threat. This is exactly what happened today at one of the banks that forwarded me their copy of this email. Also, KrebsOnSecurity has received reports that numerous school districts across the country have closed schools early today in response to this hoax email threat.

Windows DNS Server Privilege Escalation Vulnerability (CVE-2018-8626)
Date: 14 December 2018
Author: AUSCERT
URL: https://wordpress-admin.auscert.org.au/blog/2018-12-14-windows-dns-server-privilege-escalation-vulnerability-cve-2018-8626-leading-remote-code-execution-has-publicly-available-poc-exploit
Excerpt: Although the NVD CVSS3 vector above indicates a proof of concept exploit exists for this vulnerability, AUSCERT has not been able to access it or find any threat indicators related to it. We will continue to update this blog as more information becomes available.

Super Micro says external security audit found no evidence of backdoor chips
Date: 11 December 2018
Author: ZDNet
https://www.zdnet.com/article/super-micro-says-external-security-audit-found-no-evidence-of-backdoor-chips/
Excerpt: In a letter sent out today to its customers, hardware vendor Super Micro Computer said that a security audit performed by a third-party investigations firm found no evidence that Supermicro server motherboards contained any type of backdoor chip. The company sent out this letter after earlier this year a Bloomberg report claimed that some Supermicro motherboards contained a malicious chip implant inserted on its Chinese assembly lines by Chinese spies. The US news outlet then claimed that some of these servers made it into the networks of government agencies and private companies, such as Apple and Amazon’s AWS.

ASD chief insists new encryption laws won’t see Aussie tech shunned like Huawei
Date: 12 December 2018
Author: iTnews
https://www.itnews.com.au/news/asd-chief-insists-new-encryption-laws-wont-see-aussie-tech-shunned-like-huawei-516830
Excerpt: The Australian Signals Directorate says the idea that Australian technology will be seen as untrustworthy in the wake of encryption-busting laws and therefore blocked from use “is absurd”. Director-general Mike Burgess published what he called seven “myths” of the controversial new laws, which the major parties passed in the last hours of parliament last week. In particular, Burgess targeted the significant doubt that has been swirling in the days since around how Australia’s technology sector will now be treated by foreign buyers.

This week’s noteworthy bulletins:

1. ASB-2018.0303 – [Win] Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/72974
Remote-code-execution vulnerability in Microsoft DNS Server.

2. ASB-2018.0308 – [Win][UNIX/Linux] BIND: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/73110
Unrelated vulnerabilities in BIND.

3. ASB-2018.0304 – [Win][UNIX/Linux][BSD] Mozilla Firefox: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/72978
Firefox 64 has been released, with some significant security updates.

4. ESB-2018.3839 – [Win][UNIX/Linux] phpMyAdmin: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/72986
Security updates for current versions of phpMyAdmin including XSS and authenticated unauthorised file access.

Stay safe, stay patched and have a great weekend,

David

AUSCERT Week in Review for 7th December 2018

Greetings,

The word on everybody’s lips today is #aabill. With the hasty passage yesterday of the Assistance & Access Act 2018, Australia has extended the reach of its law-enforcement groups. They will shortly be able to serve notices to access protected data. The extent of the powers is not yet fully understood, and terms such as “systemic weakness” will likely require judicial interpretation. What impact will this have on your business? We’ll just have to wait and see.

After the jump, some news articles.

Australia gets world-first encryption busting laws
https://www.itnews.com.au/news/australia-gets-world-first-encryption-busting-laws-516601
Author: iTnews
Published: December 6 2018
Australia’s law enforcement agencies have a wide range of new encryption-busting powers after Labor dropped all opposition to a highly contentious bill and let it pass without extra changes it claimed all day were needed. The bill passed into law by 44 votes to 12 in the senate, having already cleared the lower house where just two MPs voted against it.

Assistance and Access Bill 2018: Explanatory Document
https://www.homeaffairs.gov.au/how-to-engage-us-subsite/files/assistance-access-bill-2018/explanatory-document.pdf
Author: Department of Home Affairs
Published: August 2018
This explanatory document accompanies the exposure draft of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill). The Bill provides national security and law enforcement agencies with powers to respond to the challenges posed by the increasing use of encrypted communications and devices. The proposed changes are designed to help agencies access intelligible communications through a range of measures, including improved computer access warrants and enhanced obligations for industry to assist agencies in prescribed circumstances. This includes accessing communications at points where it is not encrypted. The safeguards and limitations in the Bill will ensure that communications providers cannot be compelled to build systemic weaknesses or vulnerabilities into their products that undermine the security of communications. Providers cannot be required to hand over telecommunications content and data.

‘Outlandish’ encryption laws leave Australian tech industry angry and confused
https://www.abc.net.au/news/science/2018-12-07/encryption-bill-australian-technology-industry-fuming-mad/10589962
Author: ABC News
Published: December 7 2018
The situation has left Australian technology companies struggling to understand the potential impact on their global standing and bottom line. John Stanton, chief executive of the Communications Alliance, said the bill’s passing was a “magnificent triumph of politics over policy”. Partner at M8 Ventures Alan Jones argued the bill will have unintended consequences for the security reputation of Australian businesses — “crippling” attempts to export their technology. “It could be just enough to lose a deal to a competitor in Israel and the US,” he said.

Adobe releases out-of-band security update for newly-discovered Flash zero-day
https://www.zdnet.com/article/adobe-releases-out-of-band-security-update-for-newly-discovered-flash-zero-day/
Author: ZDNet
Published: December 5 2018
Adobe released patches today for a new zero-day vulnerability discovered in the company’s popular Flash Player app. The zero-day has been spotted embedded inside malicious Microsoft Office documents. These documents were discovered last month after they’ve been uploaded on VirusTotal, a web-based file scanning service, from a Ukrainian IP address.

A Breach, or Just a Forced Password Reset?
https://krebsonsecurity.com/2018/12/a-breach-or-just-a-forced-password-reset/
Author: Brian Krebs
Published: December 4 2018
Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many Sharefile users interpreted this as a breach at Citrix and/or Sharefile, but the company maintains that’s not the case.

Warning about tax scams
https://www.scamwatch.gov.au/news/warning-about-tax-scams
Author: ACCC Scamwatch
Published: December 4 2018
Tax scams seem to be everywhere at the moment and Scamwatch is warning people not to engage with phone calls or emails they receive threatening arrest or jail over unpaid tax debts. Reports of these scams have jumped significantly during the past month. The scam is timed to coincide with the cut-off date for people needing to have their tax returns submitted to the Australian Tax Office. Most of these scams occur over the phone. People get a call from an aggressive scammer directly or receive a robotic-sounding voice message informing them they need to contact a phone number in relation to an outstanding tax debt, or face imminent arrest and jail time.

Buying a new device
https://www.cert.govt.nz/businesses-and-individuals/guides/stepping-up-your-cyber-security/buying-a-new-device
Author: CERT-NZ
Get our tips to help you stay secure when you’re thinking of buying a new device.

Here are this week’s noteworthy security bulletins:

1. ESB-2018.3747 – ALERT [RedHat] Red Hat OpenShift Container Platform & Kubernetes: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/72578
Nasty privilege escalation/hijacking vulnerability in Kubernetes with a CVSSv3 score of 9.8 out of 10.

2. ESB-2018.3766 – [Apple iOS] iOS: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/72658
Apple’s monthly patches include multiple vulnerabilities in WebKit (used widely) and some significant vulnerabilities in iOS.

3. ASB-2018.0296 – [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/72650
The release of Chrome 71 includes some fixes for significant vulnerabilities, including RCE from a web page.

4. ESB-2018.3702 – ALERT [Cisco] Cisco Prime License Manager: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/72390
Cisco cleaning up SQL injection in another product.

Stay safe, stay patched, and may you not be served with a technical capability notice,

David and the team at AUSCERT

AUSCERT Week in Review for 30th November 2018

30 November 2018

Greetings,

Happy computer security day! Established in 1988, computer security day is celebrated on Nov 30th each year to raise awareness for computer security issues. Here are some ways you can celebrate too:

– Make sure everything is patched and up to date
– Help a friend set up a password manager and change their email password
– Encourage a relative to enable 2FA on their email or online banking
– Test your backups!
– Ensure your home WiFi has a nice long and unique password

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

ATO may get direct telco metadata and bank data access
Date Published: 26 Nov 2018
https://www.itnews.com.au/news/ato-may-get-direct-telco-metadata-and-bank-data-access-516050
Author: Ry Crozier
Excerpt: “The Australian Taxation Office (ATO) could be allowed to directly access telecommunications metadata and other records such as those held by banks under a proposal aired by Treasury late last week.”

—–

LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on Facebook
Date Published: 26 Nov 2018
https://techcrunch.com/2018/11/24/linkedin-ireland-data-protection/
Author: Ingrid Lunden
Excerpt: “The DPC found that LinkedIn in the US had obtained emails for 18 million people who were not already members of the social network, and then used these in a hashed form for targeted advertisements on the Facebook platform, “with the absence of instruction from the data controller” — that is, LinkedIn Ireland — “as is required.””

—–

Check your repos… Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)
Date Published: 26 Nov 2018
https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/
Author: Thomas Claburn
Excerpt: “A widely used Node.js code library listed in NPM’s warehouse of repositories was altered to include crypto-coin-stealing malware. The lib in question, event-stream, is downloaded roughly two million times a week by application programmers. This vandalism is a stark reminder of the dangers of relying on deep and complex webs of dependencies in software: unless precautions are taken throughout the whole chain, any one component can be modified to break an app’s security.”

—–

Half of all Phishing Sites Now Have the Padlock
Date Published: 26 Nov 2018
https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/
Author: Brian Krebs
Excerpt: “Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018. This alarming shift is notable because a majority of Internet users have taken the age-old “look for the lock” advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe.”

—–

Potentially disastrous Rowhammer bitflips can bypass ECC protections
Date Published: 22 Nov 2018
https://arstechnica.com/information-technology/2018/11/potentially-disastrous-rowhammer-bitflips-can-bypass-ecc-protections/
Author: Dan Goodin
Excerpt: “In early 2015, researchers unveiled Rowhammer, a cutting-edge hack that exploits unfixable physical weaknesses in the silicon of certain types of memory chips to transform data they stored. In the 42 months that have passed since then, an enhancement known as error-correcting code (or ECC) available in higher-end chips was believed to be an absolute defense against potentially disastrous bitflips that changed 0s to 1s and vice versa. Research published Wednesday has now shattered that assumption.”

—–

Here are this week’s noteworthy security bulletins:

ESB-2018.3699 – [Win] Sennheiser HeadSetup and HeadSetup Pro: Provide misleading information – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/72378
Two inadvertently disclosed digital certificates could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates.

ESB-2018.3702 – ALERT [Cisco] Cisco Prime License Manager: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/72390
A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries.

ESB-2018.3688 – [Win][UNIX/Linux][Debian] ghostscript: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/72334
Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed.

ESB-2018.3652 – [Win][UNIX/Linux][Debian] gnuplot5: Execute arbitrary code/commands – Existing account
https://portal.auscert.org.au/bulletins/72190
gnuplot5, a command-line driven interactive plotting program, has been examined with fuzzing by Tim Blazytko, Cornelius Aschermann, Sergej Schumilo and Nils Bars. They found various overflow cases which might lead to the execution of arbitrary code.

ESB-2018.3650 – [UNIX/Linux][Debian] roundcube: Cross-site scripting – Remote with user interaction
https://portal.auscert.org.au/bulletins/72182
Roundcube, a skinnable AJAX based webmail solution for IMAP servers, is prone to a cross-site scripting vulnerability in handling invalid style tag content.

Stay safe, stay patched and have a good weekend!

Charelle

AUSCERT Week in Review for 23rd November 2018

Greetings,

This week, back to basics. We’ve selected some articles about the fundamentals of cybersecurity, for wins you can get without going to a vendor and buying more SIEMs to cram into your network.

Patching! Security updates are important, but if you don’t install them, they’re worthless. In fact, if everyone else is patched and you’re not, it just makes you a bigger target.

Users! User behaviour is key, and encouraging secure practices will close a lot of holes.

Finally, it’s the season for Cyber Monday sales. Some password managers are offering discounts – if your loved ones aren’t already using a password manager, it might be worth having a browse…!

Into the articles:

Active XSS Attacks Targeting AMP for WP WordPress Plugin
Date: 20 November 2018
Author: BleepingComputer
https://www.bleepingcomputer.com/news/security/active-xss-attacks-targeting-amp-for-wp-wordpress-plugin/
Vulnerabilities were recently discovered in the popular AMP for WP plugin that allows any registered user to perform administrative actions on a WordPress site. It has now been discovered that an active XSS attack is underway that targets these same vulnerabilities to install backdoors and create rogue admin accounts on a vulnerable WordPress site. Unfortunately, as many users may not know about the security vulnerabilities or have not updated their software, this still remains a good vector for attacks.

Hackers use Drupalgeddon 2 and Dirty COW exploits to take over web servers
Date: 19 November 2018
Author: ZDNet
https://www.zdnet.com/article/hackers-use-drupalgeddon-2-and-dirty-cow-exploits-to-take-over-web-servers/
Through these recent attacks, hackers aim to gain a foothold on servers, elevate their access to a root account, and then install a legitimate SSH client so they can log into the hijacked servers at later dates. Taking into account that this attack relies on exploiting two very well-known vulnerabilities for which patches have been made available a long time ago, website and server owners can easily make sure they’re immune to such attacks by updating Drupal and their Linux servers.

Employees’ cybersecurity habits worsen, survey finds
Date: 15 November 2018
Author: We Live Security
https://www.welivesecurity.com/2018/11/15/employees-cybersecurity-habits-worsen/
The prevalence of cybersecurity incidents and the concomitant growing concerns about any organization’s cybersecurity posture haven’t done much to discourage many employees from engaging in poor security habits, a survey has found. In some respects, employees’ cyber-hygiene is actually getting worse, according to the 2018 Market Pulse Survey by identity governance provider SailPoint, which gathered opinions from 1,600 employees at organizations with at least 1,000 employees in Australia, France, Germany, Italy, Spain, the United Kingdom, and the United States. Three in every four respondents admitted to reusing passwords across accounts. In the survey’s 2014 edition, the same was true for “only” 56% of the employees.

Beyond Passwords: 2FA, U2F and Google Advanced Protection
Date: 15 November 2018
Author: Troy Hunt
https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/
Last week I wrote a couple of different pieces on passwords, firstly about why we’re going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. A few people took some of the points I made in those posts as being contentious, although on reflection I suspect it was more a case of lamenting that we shouldn’t be in a position where we’re still dependent on passwords and people needing to understand good password management practices in order for them to work properly. This week, I wanted to focus on going beyond passwords and talk about 2FA. Per the title, not just any old 2FA but U2F and in particular, Google’s Advanced Protection Program. This post will be partly about 2FA in general, but also specifically about Google’s program because of the masses of people dependent on them for Gmail. Your email address is the skeleton key to your life (not just “online” life) so protecting that is absolutely paramount.

Adobe issues fix for Flash bug allowing remote code execution
Date: 21 November 2018
Author: CyberScoop
https://www.cyberscoop.com/adobe-flash-patch-bug-remote-code-execution/
Adobe has issued a patch for its Flash Player software, fixing a critical bug that would have allowed attackers to remotely execute malicious code. The company labels it as a “type confusion” vulnerability. That means that Flash Player could run a piece of code without verifying what type it is. If an unpatched version of Flash is running, an attacker could trick users into visiting a website hosting malicious code that could then run on the user’s Flash Player, as explained in a security advisory issued by Microso

Here are this week’s noteworthy security bulletins:

ESB-2018.3611 – ALERT [Win][UNIX/Linux] Flash Player: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/72014
Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical vulnerability in Adobe Flash Player 31.0.0.148 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.

ASB-2018.0241.3 – UPDATE Palo Alto PAN-OS: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/69798
Palo Alto Networks has addressed vulnerabilities from OpenSSL.

ESB-2018.3609 – [Win][Linux] moodle: Cross-site request forgery – Remote with user interaction
https://portal.auscert.org.au/bulletins/72006
A cross-site-request-forgery vulnerability in a login form.

ESB-2018.3627 – [Win][UNIX/Linux] GitLab: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/72078
Versions 11.5.0-rc12, 11.4.6, and 11.3.10 for GitLab Community Edition (CE) and Enterprise Edition (EE) have been released.

ASB-2018.0292 – [Win][UNIX/Linux] Google Chrome: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/72086
The Chrome team has released an update which includes a security fix for CVE-2018-17479, a high-severity issue causing a use-after-free in GPU code.

Stay safe, stay patched, and have a good weekend!

David, Charelle and the team at AUSCERT

AUSCERT Week in Review for 16th November 2018

Greetings,

This week the steady flow of speculative execution attacks continues, with researchers releasing 7 additions to the vulnerability family (thankfully some are covered by previous mitigations).

In good news for the international community, Mozilla’s Firefox Monitor, which checks your email addresses against Troy Hunt’s Have I Been Pwned platform, is now multilingual! Firefox Quantum will also begin displaying alerts on pages which have suffered a data breach in the last 12 months. This should go a long way to increasing user visibility of such events, especially for those sites which have to be dragged kicking and screaming to proper user notification.

In further good news, Ubuntu is putting the L in LTS, as 18.04 will be receiving 10 years of support. Recognising that IoT, scientific, and industrial devices traditionally have service lives far greater than the OSes that power them, Ubuntu is doing its best to keep our increasingly networked ecosystem from becoming an unsecurable mess (more so than it already is).

Lastly, we were once again reminded that BGP is not a secure routing protocol, in the form of a Nigerian ISP rerouting Google (and other) traffic through itself via Russia and China, seemingly by accident. The advertised routes were not prepared to handle the volume of traffic, resulting in a DoS to Google services for over an hour.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Spectre, Meltdown researchers unveil 7 more speculative execution attacks
Date: 14 November
https://arstechnica.com/gadgets/2018/11/spectre-meltdown-researchers-unveil-7-more-speculative-execution-attacks/
Author: Peter Bright
Excerpt: “A research team—including many of the original researchers behind Meltdown, Spectre, and the related Foreshadow and BranchScope attacks—has published a new paper disclosing yet more attacks in the Spectre and Meltdown families. The result? Seven new possible attacks. Some are mitigated by known mitigation techniques, but others are not. That means further work is required to safeguard vulnerable systems.”

——

Microsoft closes actively exploited Windows zero-day
Date: 14 November
https://www.itnews.com.au/news/microsoft-closes-actively-exploited-windows-zero-day-515531
Author: Juha Saarinen
Excerpt: “Admins and Windows users have been urged to apply the November 2018 round of security patches urgently, to close off vulnerabilities, one of which is under active exploitation currently. This is the Kaspersky Labs-reported CVE-2018-8589 vulnerability in the win32k.sys kernel, a privilege elevation bug that allows attackers to run arbitrary code in the local system security context, Microsoft warned.”

——

Firefox Monitor Launches in 26 Languages and Adds New Desktop Browser Feature
Date: 14 November
https://blog.mozilla.org/blog/2018/11/14/firefox-monitor-launches-in-26-languages-and-adds-new-desktop-browser-feature/
Author: Nick Nguyen
Excerpt: “Introducing Firefox Monitor Notifications. Along with making Monitor available in multiple languages, today we’re also releasing a new feature exclusively for Firefox users. Specifically, we are adding a notification to our Firefox Quantum browser that alerts desktop users when they visit a site that has had a recently reported data breach. We’re bringing this functionality to Firefox users in recognition of the growing interest in these types of privacy- and security-centric features. This new functionality will gradually roll out to Firefox users over the coming weeks.”

——

Cloudflare launches Android and iOS apps for its 1.1.1.1 service
Date: 11 November
https://www.zdnet.com/article/cloudflare-launches-android-and-ios-apps-for-its-1-1-1-1-service/
Author: Catalin Cimpanu
Excerpt: “Cloudflare launched today official mobile apps for its 1.1.1.1 privacy-first DNS resolver service. Mobile apps for Android and iOS are now available on their respective app stores. The company first launched the 1.1.1.1 service to great fanfare on April 1, earlier this year. The service is a basic DNS server, but one for which Cloudflare has guaranteed user privacy and improved look-up speed.”

——

How a Nigerian ISP Accidentally Knocked Google Offline
Date: 15 November
https://blog.cloudflare.com/how-a-nigerian-isp-knocked-google-offline/
Author: Tom Paseka
Excerpt: “Last Monday evening – 12 November 2018 – Google and a number of other services experienced a 74 minute outage. It’s not the first time this has happened; and while there might be a temptation to assume that bad actors are at work, incidents like this only serve to demonstrate just how much frailty is involved in how packets get from one point on the Internet to another.”

——

Mark Shuttleworth reveals Ubuntu 18.04 will get a 10-year support lifespan
Date: 15 November
https://www.zdnet.com/article/mark-shuttleworth-reveals-ubuntu-18-04-will-get-a-10-year-support-lifespan/
Author: Steven J. Vaughan-Nichols
Excerpt: “‘I’m delighted to announce that Ubuntu 18.04 will be supported for a full 10 years,’ said Shuttleworth, ‘In part because of the very long time horizons in some of industries like financial services and telecommunications but also from IoT where manufacturing lines for example are being deployed that will be in production for at least a decade.’”

——

Here are this week’s noteworthy security bulletins:

ASB-2018.0288 – [Win] Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/71754
Patch Tuesday brings with it the usual slew of vulnerability fixes.

ESB-2018.3542 – [Win][Linux][Ubuntu] gettext: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/71698
Maliciously formatted messages could cause RCE in GNU internationalisation package gettext.

ESB-2018.3535 – [Virtual] VMware ESXi, Workstation and Fusion: Execute arbitrary code/commands – Existing account
https://portal.auscert.org.au/bulletins/71670
VMware has fixed a couple of vulnerabilities, including a guest-to-host RCE.

Stay safe, stay patched and have a good weekend!

Tim