Blogs

Breach compilation notifications

Breach compilation notifications On Tuesday 19th, AUSCERT notified a large number of members whose credentials had been found online. This is a regular service AUSCERT provides, but in this case it is a special event based on a large credential compilation. It contains 1.4 billion credentials. Original source.   FAQ How do I open this file? Suppose the file you’ve received is named me@mydomain.com.zip.asc. This is an encrypted zip file. You will need PGP software to decrypt the file, e.g. GPG. GPG4Win GUI: Open the file in Kleopatra and enter the decryption passphrase. If Kleopatra tells you “error retrieving audit log: decryption failed”, instead open a command prompt and follow the below instructions. GPG command-line: gpg me@mydomain.zip.asc and enter the decryption passphrase. This will create me@mydomain.com.zip. (note no “asc”) Then unzip the file. It contains one or more text files with the credentials we’ve found.   Where do I get the decryption passphrase? Access AUSCERT: Symmetric key decryption details and log in with your member account.   We can’t log in to the member portal. If you know your AUSCERT privileged contact/s in your organisation, please contact them for access. Otherwise, please contact auscert@auscert.org.au to begin regaining access. If you have two-factor authentication set up, recall that this is through a One-Time Password app and not an SMS.   Why does Windows say they’re COM or audio files? Individual files are named by the domain they correspond to. Some files end with ‘.com’, which Windows interprets as a command file, or ‘.au’, which Windows interprets as an audio file. We’ll send files with the ‘.txt’ extension in future. Please open all files in a text editor, such as WordPad or Notepad++.   Where did you get this data? AUSCERT found these credentials in a large collection online, which aggregates other data breaches. It is likely that your users’ credentials were stolen in other breaches such as LinkedIn (for instance, Have I Been Pwned lists famous breaches). Original source.   Have we been breached? It’s hard to say. The majority of the data will have come from attacks on other companies’ databases in the past. Some may be from phishing attacks directly against your users. With a data set this large, individual small attacks can be compiled into what looks like one more substantial attack. It is unlikely, but possible, that your organisation’s database is the source of these credentials. If any of these credentials were reused on internal company systems, and are still active, then there is the potential for them to be abused.   What do we do now? AUSCERT recommends ensuring these credentials are no longer valid within your organisation. Consider contacting users to advise they should change their password anywhere it’s still in use.

Learn more

Week in review

AUSCERT Week in Review for 15th December 2017

AUSCERT Week in Review for 15th December 2017 Greetings, We’ve had a “big” week in a few ways: A huge credential dump aggregating previous dumps has hit the limelight. The defendants in the Mirai case, 2016’s largest botnet, have pleaded guilty. Also, a 19-year-old RSA vulnerability has returned as the ROBOT attack, affecting many notable networking vendors.    The AUSCERT Conference’s Call for Proposals is open. Important Dates for submission——————————13 Nov 2017 – (Monday) – Call for Presentations submissions open19 Jan 2018 – (Friday) – Call for Presentations submission deadline19 Feb 2018 – (Monday) – Notifications from Program Committee Conference Date—————29 May 2018 – 01 Jun 2018 | AUSCERT2018 Conference   As for more news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: How a Dorm Room Minecraft Scam Brought Down the Internethttps://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internetDate: December 13 2017Author: Garrett M. Graff Excerpt: Until then, a large DDoS attack was often considered to be 10 to 20 gigibits per second; vDOS had been overwhelming targets with attacks in the range of 50 Gbps. A follow-on Mirai attack against OVH hit around 901 Gbps. BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Deviceshttps://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/Date: December 11 2017Author: Catalin Cimpanu Excerpt: In an email sent today to Bleeping Computer, The Janit0r announced his sudden retirement and explained why he reached this decision. I believe that the project has been a technical success, but I am now starting to worry that it is also having a deleterious effect on the public’s perception of the overall IoT threat. Researchers keep issuing high profile warnings about genuinely dangerous new botnets, and a few weeks or even days later they are all but gone. Sooner or later people are going to start questioning the credibility of the research and the seriousness of the situation. Extended Validation is Brokenhttps://stripe.ian.shDate: December 12 2017Author: Ian Carroll Excerpt: One question may be how practical this attack is for a real attacker who desires to phish someone. First, from incorporation to issuance of the EV certificate, I spent less than an hour of my time and about $177. $100 of this was to incorporate the company, and $77 was for the certificate. It took about 48 hours from incorporation to the issuance of the certificate. Game-changing attack on critical infrastructure site causes outagehttps://arstechnica.com/information-technology/2017/12/game-changing-attack-on-critical-infrastructure-site-causes-outage/Date: December 15 2017Author: Dan Goodin Excerpt: The accidental outage was likely the result of the Triconex SIS, or “safety instrumented system.” The SIS shut down operations when it experienced an error that occurred as the hackers were performing reconnaissance on the facility. Although the hackers were likely seeking the ability to cause physical damage inside the facility, the November shutdown was likely not deliberate. Variation of 19-Year-Old Cryptographic Attack Affects Facebook, PayPal, Othershttps://www.bleepingcomputer.com/news/security/variation-of-19-year-old-cryptographic-attack-affects-facebook-paypal-others/Date: 12 December 2017Author: Catalin Cimpanu Excerpt: The ROBOT research team say that despite this being a variation for a 19-year-old attack, 27 of the Alexa Top 100 websites are vulnerable to the ROBOT attack. Vulnerable sites include Facebook and PayPal. The ROBOT attack scientific paper includes a case study how the research team decrypted Facebook traffic. 1.4 Billion Clear Text Credentials Discovered in a Single Databasehttps://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14Date: December 9 2017Author: Julio Casal Excerpt: The 41GB dump was found on 5th December 2017 in an underground community forum. The database was recently updated with the last set of data inserted on 11/29/2017. The total amount of credentials (usernames/clear text password pairs) is 1,400,553,869.   And lastly, here are this week’s most noteworthy security bulletins: 1. ASB-2017.0217 – Remote code execution patched in Palo Alto firewallshttps://portal.auscert.org.au/bulletins/56182 Through the exploitation of a combination of unrelated vulnerabilities, and via the management interface of the device, an attacker could remotely execute code on PAN-OS in the context of the highest privileged user. 2. ESB-2017.3160 – Thunderbird security updatehttps://portal.auscert.org.au/bulletins/55970 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. 3. ESB-2017.3200 – Jenkins patches race conditions during setuphttps://portal.auscert.org.au/bulletins/56154 On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases (we estimate less than 20% of new instances) result in failure to initialize the setup wizard on the first startup. Affected instances need to be configured to restrict access. 4. ESB-2017.3182.2 – TLS vulnerability discovered in Cisco products (ROBOT)https://portal.auscert.org.au/bulletins/56082 An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions. [Note that Cisco does not intend to fix this in all affected products, e.g.the ACE 4710 and ACE30.]   Wishing you all the best from AUSCERT and see you next week,David

Learn more

Week in review

AUSCERT Week in Review for 8th December 2017

AUSCERT Week in Review for 8th December 2017 AUSCERT Week in Review08 December 2017 Greetings, Remember that the holiday season is the time we relax so don’t get caught by someone trying to take advantage of this. And the Call for Proposals for AUSCERT 2018 is now open.https://gems.eventsair.com/auscert2018-conference/presentation Important Dates for submission——————————13 Nov 2017 – (Monday) – Call for Presentations submissions open19 Jan 2018 – (Friday) – Call for Presentations submission deadline19 Feb 2018 – (Monday) – Notifications from Program Committee Conference Date—————29 May 2018 – 01 Jun 2018 | AUSCERT2018 Conference As for more news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: ——————————————————————————- Title: Banking Apps Found Vulnerable to MITM Attacks issueURL: https://threatpost.com/banking-apps-found-vulnerable-to-mitm-attacks/129105/Date: December 07, 2017Author: Tom Spring Excerpt: “Using a free tool called Spinner, researchers identified certificate pinning vulnerabilities in mobile banking apps that left customers vulnerable to man-in-the-middle attacks” ——————————————————————————- Title: Uber hacker is a 20 yr-old Florida manURL: https://www.itnews.com.au/news/uber-hacker-is-a-20-yr-old-florida-man-479365 Date: Decemeber 07, 2017Author: Joseph Menn and Dustin Volz Excerpt: “Paid to keep quiet in bug bounty. A 20-year-old Florida man was responsible for a massive data breach at Uber last year and was paid by Uber to destroy the data through a bug bounty program, three people familiar with the events have told Reuters.” ——————————————————————————- Title: Bitcoin Miner NiceHash Hacked, Possibly Losing $62 Million in BitcoinURL: https://www.darkreading.com/cloud/bitcoin-miner-nicehash-hacked-possibly-losing-$62-million-in-bitcoin/d/d-id/1330585 Date: Decemeber 07, 2017Author: Dark Reading Excerpt: “Slovenia-based bitcoin mining company NiceHash has temporarily halted its operations while it investigates a security breach and determines how many bitcoins were stolen, the company announced Wednesday.” ——————————————————————————- Title: The Cumulative Effect of Major Breaches: The Collective Risk ofYahoo & EquifaxURL:http://www.securityweek.com/cumulative-effect-major-breaches-collective-risk-yahoo-equifax Date: Decemeber 07, 2017Author: Markus Jakobsson Excerpt: “While there are no signs today of criminals consolidating and reselling data from different breaches, it is an obvious concern as the value-add of the packaging would be substantial.” ——————————————————————————- And lastly, here are this week’s most noteworthy security bulletins: 1. ASB-2017.0210 – [Win][UNIX/Linux] Firefox: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/55934  A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content.This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. 2. ASB-2017.0209 – [Win][UNIX/Linux] Tenable Nessus: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/55930  Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found tocontain vulnerabilities, and updated versions have been made available by the providers. 3. ESB-2017.3144 – [Win][UNIX/Linux][FreeBSD] OpenSSL: Access privileged data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/55898  OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an “error state” mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. 4. ESB-2017.3117 – [SUSE] shibboleth-sp: Reduced security – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/55786 CVE-2017-16852: Fix critical security checks in the Dynamic MetadataProvider plugin in Shibboleth Service (bsc#1068689). Wishing all the best from AUSCERT and see you next week, Peter

Learn more

Week in review

AUSCERT Week in Review for 1st December 2017

AUSCERT Week in Review for 1st December 2017 AUSCERT Week in Review 01 December 2017   Greetings,   Headline news this week was the flaw in Apple High Sierra that allows login with the user root and a blank password. And the Call for Proposals for AUSCERT 2018 is now open. As for more news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:   ——————————————————————————-   Title:   Apple releases update to fix critical macOS High Sierra security issue URL: https://www.theverge.com/2017/11/29/16715246/apple-releases-high-sierra-root-security-patch Date:    November 29, 2017 Author:  Chris Welch  Excerpt: “Apple has just rolled out a security update for macOS High Sierra that fixes the major flaw that was publicly disclosed yesterday. A support page for the patch, Security Update 2017–001, confirms that it addresses the vulnerability that allowed admin access to a Mac computer without providing any password. The update breaks file sharing for some users, but Apple has released a fix for that as well.”   ——————————————————————————-   Title:   Cryptocurrency Mining Scripts Now Run Even After You Close Your Browser URL: https://thehackernews.com/2017/11/cryptocurrency-mining-javascript.html Date:    November 29, 2017 Author:  Swati Khandelwal   Excerpt: “Some websites have found using a simple yet effective technique to keep their cryptocurrency mining javascript secretly running in the background even when you close your web browser. Due to the recent surge in cryptocurrency prices, hackers and even legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize by levying the CPU power of their visitor’s PC to mine Bitcoin or other cryptocurrencies.”   ——————————————————————————-   Title:   Cisco Patches Critical Playback Bugs In Webex Players URL: https://threatpost.com/cisco-patches-critical-playback-bugs-in-webex-players/129057/ Date:    November 30, 2017 Author:  Tom Spring Excerpt: “Cisco Systems issued a Critical alert on Wednesday warning of multiple vulnerabilities in its popular WebEx player. Six bugs were listed in the security advisory, each of them relating to holes in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files.   “A remote attacker could exploit these vulnerabilities by providing a user with a malicious ARF or WRF file via email or URL and convincing the user to launch the file,” according to Cisco.”   ——————————————————————————-   Title:   Classified Pentagon data leaked on the public cloud URL: http://www.bbc.com/news/technology-42166004?intlink_from_url=http://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-story Date:    November 29, 2017 Author:  Technology Excerpt: “Classified Pentagon data was mistakenly left exposed on an unsecured public cloud server, cyber-security researchers have discovered. The 100GB of data is from a failed joint intelligence-sharing programme run by the US Army and National Security Agency in 2013. The information was left on an unlisted but public Amazon Web Services storage server. It is likely to have been accessible to anyone on the internet for years.”   ——————————————————————————-   And lastly, here are this week’s most noteworthy security bulletins:   ASB-2017.0206 – [Win][UNIX/Linux] WordPress: Execute arbitrary code/commands – Existing account 30 November 2017 https://portal.auscert.org.au/bulletins/55550 WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack.     ASB-2017.0205 – ALERT [OSX] Apple High Sierra : Root compromise – Console/physical 29 November 2017 http://www.auscert.org.au/55378  Today, a security researcher twitted about a dangerous behaviour he found in the Apple High Sierra operating system: It is possible to get administrator rights (the “root” account on UNIX) by connecting without a password.    ASB-2017.0204 – [Win][UNIX/Linux] Thunderbird: Multiple vulnerabilities 27 November 2017 http://www.auscert.org.au/55322  Security vulnerabilities fixed in Thunderbird 52.5 A use-after-free vulnerability can occur when flushing and resizing layout because the PressShell object has been freed while still in use. This results in a potentially exploitable crash during these operations.     ESB-2017.3057 – [Cisco] Cisco WebEx Meeting Center: Unauthorised access – Remote with user interaction 30 November 2017 http://www.auscert.org.au/55538  A vulnerability in Cisco WebEx Meeting Center could allow an authenticated, remote attacker to initiate connections to arbitrary hosts.    Wishing all the best from AUSCERT and see you next week,   Cheers, Peter

Learn more

Week in review

AUSCERT Week in Review for 24th November 2017

AUSCERT Week in Review for 24th November 2017 AUSCERT Week in Review24 November 2017 Greetings, Headline news this week is that security researchers discover multiple serious vulnerabilities in Intel firmware.If your cubicle needs more decoration, OWASP have published an updated Top Ten cheatsheet.And the Call for Proposals for AUSCERT 2018 is now open. As for more news, here’s a summary (including excerpts) of some of themore interesting stories we’ve seen this week: ——————————————————————————- Title: Intel Chip Flaws Leave Millions of Devices ExposedURL: https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot/Date: November 20, 2017Author: David Paul Morris Excerpt:“SECURITY RESEARCHERS HAVE raised the alarm for years about the Intel remote administration feature known as the Management Engine. The platform has a lot of useful features for IT managers, but it requires deep system access that offers a tempting target for attackers; compromising the Management Engine could lead to full control of a given computer. Now, after several research groups have uncovered ME bugs, Intel has confirmed that those worst-case fears may be possible.…[Intel] has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they’re exposed.” ——————————————————————————- Title: Four Years Later, We Have a New OWASP Top 10URL: https://www.bleepingcomputer.com/news/security/four-years-later-we-have-a-new-owasp-top-10/Date: November 21, 2017Author: Catalin Cimpanu Excerpt:“The OWASP has seen several iterations over the years. Versions of the OWASP Top 10 have been released in 2004, 2007, 2010, 2013, and 2017, respectively. As in previous years, injection remained the top application security risk, but there has been some shuffling in the ranking, with the appearance of three newcomers — XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging&Monitoring.” ——————————————————————————- Title: Uber Paid Hackers to Delete Stolen Data on 57 Million PeopleURL: https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-dataDate: November 22, 2017Author: Eric Newcomer Excerpt:“Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.” ——————————————————————————- Title: IBM, Nonprofits Team Up in New Free DNS ServiceURL: https://www.darkreading.com/analytics/ibm-nonprofits-team-up-in-new-free-dns-service/d/d-id/1330454Date: November 17, 2017Author: Kelly Jackson Higgins Excerpt:“Setting up the Quad9 service entails reconfiguring the DNS setting on networked devices to 9.9.9.9. When a user types an URL into his or her browser, or clicks on a website, the service checks it against IBM X-Force’s threat intelligence database, as well as nearly 20 other threat intelligence feeds including Abuse.ch, the Anti-Phishing Working Group, F-Secure, Proofpoint, and RiskIQ.” ——————————————————————————- And lastly, here are this week’s most noteworthy security bulletins: 1. ASB-2017.0203 – Apple iOS and MacOS: Root compromise – Existing account 21 November 2017http://www.auscert.org.au/55210 A vulnerability was addressed in iOS 11.1.2 and MacOS 10.13.1 which may have enabled arbitrary code execution with system privileges. 2. ESB-2017.2994 – libspring-ldap-java: Unauthorised access – Remote/unauthenticated http://www.auscert.org.au/55278 The library would, under certain circumstances, allow authentication with a correct username but an arbitrary password. 3. ESB-2017.2967 – libxml-libxml-perl: Execute arbitrary code/commands – Remote/unauthenticated 20 November 2017http://www.auscert.org.au/55158 Arbitrary code execution from a crafted file. 4. ESB-2017.2965 – procmail: Execute arbitrary code/commands – Remote/unauthenticated 20 November 2017http://www.auscert.org.au/55150 Malformed mail messages could crash the formail tool, or potentially execute arbitrary code. Wishing all the best from AUSCERT and see you next week, Cheers,David  

Learn more

Blogs

APCERT 2017 AGM and Conference: A Window into the CERT community

APCERT 2017 AGM and Conference: A Window into the CERT community Introduction This year’s APCERT Annual General Meeting and conference has just concluded, being hosted by CERT-In in New Delhi, India. Each year AUSCERT sends a representative to the APCERT conference to collaborate and cooperate with the rest of the APCERT community. This year, I was lucky enough to be selected to attend. APCERT is a community of CERT and CSIRT organisations located in the Asia-Pacific area. Originally formed in 2003, its membership has now grown to 30 organisations representing 21 economies, as well as a number of supporting partner organisations. APCERT’s goals include information sharing and cooperation between its members and the public. Arriving in New Delhi This was my first visit to India, and although I had some knowledge of Indian culture and life, I was amazed to experience it first-hand. I arrived one day before the conference began, and spent the day shopping and taking in the local sights. The bustling streets, chaotic traffic, and the sheer scale of the country are a sight to see, and offer a sharp contrast to the quiet suburban life I am used to back in Brisbane. Delhi itself is a massive city, with a population that rivals that of all of Australia. The conference itself was hosted at the Ashok hotel, in Chanakyapuri, New Delhi. This five-star hotel is located in the heart of a diplomatic and government district, close to many foreign embassies, and as a result is very accommodating to foreign guests. The APCERT Community When the conference registration opened on Sunday morning, I began meeting delegates from other APCERT members. I noticed immediately that everyone was friendly, relaxed, and very welcoming. The APCERT community is small and close-knit, and for some long-time members, the conferences are just as much of a catch-up session as they are a business trip. Apparently some of AUSCERT’s staff are quite famous in the APCERT community, as I received quite a few queries regarding some of my colleagues! All of the APCERT members are working towards the same goal – to protect their economies or industry sectors from new and existing cyber threats. As we are largely government-funded or non-profit organisations, there is no pressure to create profits or sell products, and the focus is entirely on providing the best possible service to our jurisdictions. Some of the teams that participate in APCERT are quite small and do not have the resources to analyse all new threats, so collaboration amongst teams is extremely beneficial. In addition to the welcoming atmosphere among APCERT members, the hospitality and kindness shown by CERT-In was second-to-none. This year was the first time they had hosted the APCERT conference, but the experience was extremely smooth and well-thought out. During the afternoon of the first day, we were taken on a guided tour of local sights by the CERT-In staff, before being presented with a welcome dinner. Having helped run the AUSCERT conference in the past, I know how difficult and stressful it can be to run such an event, and I commend CERT-In on their performance. Conference Proceedings and Talks The conference began with updates from the various working groups within APCERT. This is a great way to share progress with other members, and some of the work presented by teams this year was extremely impressive. One such example is the TSUBAME project, which collects network traffic data from passive “sensors” situated in many networks across the Asia-Pacific region, and compiles that data into statistics that can be used to observe trends in network scans across the internet. Other talks focused on issues such as automated malware analysis, in particular the need for non-commercial options that can be used with potentially sensitive information. A talk given by Wen-Ling Lo from TWCERT/CC brought up an excellent point: many people use services such as VirusTotal or VirScan to check suspicious email attachments, but if the attachment is legitimate and contains confidential information, uploading it to a commercial company’s services could result in an information leak. TWCERT/CC are currently developing a tool that can be used by businesses and governments in Taiwan to examine files without fear that samples will be sent to external or commercial companies. AUSCERT is very impressed with their efforts and will be tracking their progress closely. Not all talks were technical, though, and an unexpectedly impactful presentation by Nurul Husna of MyCERT, the national CERT for Malaysia, described the governance and management workflows required to operate a CERT efficiently. As a technical person, it was refreshing to see a presentation on governance that made sense and showed real value. There is a real need for efficient management of resources at CERTs, due to the quick turnaround time required in order to serve our jurisdictions effectively. Additionally, some external speakers were invited to give talks at the conference. Some highlights included a talk by Akamai representative Amol Mathur on attacks that target API services directly, bypassing many of the protections that are built into front-end applications, and an overview on using machine learning to analyse malware samples by Rajesh Nikam of Quick Heal. As malware campaigns grow in both size and number, we need to move away from manual analysis in order to process as many samples as possible, making use of technologies such as machine learning to automate the process. On the final day of the conference, attendance was opened to external members of the IT industry, and the National Minister for IT & Electronics gave an address to the audience. During the conference I began to see just how large and important the IT industry in India is. With a population of over 1 billion people, internet-based solutions are essential to interacting with the government and businesses, and ensuring these interactions are protected and non-fraudulent is a problem at the forefront of the industry. The conference also served as a focus point for the local government to draw attention to emerging threats, especially as they begin to move towards more digital payment solutions. The full schedule for the APCERT Annual General Meeting and Conference may be found here: https://apcert2017.in/schedule.html The APCERT AGM Another important part of the conference is the Annual General Meeting, or AGM. At the AGM, proposals for changes and amendments to APCERT frameworks and guidelines are put forward and voted upon by members. Proposals for new working groups are also heard, and lastly, the membership of the steering committee and leadership positions are voted upon. This year, CERT-In was accepted as a new member of the steering committee, and after recognising the hard work of JPCERT/CC, MyCERT, and CERT Australia in their positions as Secretariat, Deputy Chair, and Chair respectively, the members of APCERT voted to re-appoint them to their previous positions. AUSCERT would like to thank the steering committee and leadership positions for their hard work in the past year, and congratulate them on their continued appointments. We also welcome CERT-In to the steering committee and look forward to their input in the future! Closing Remarks Attending the APCERT conference and AGM was an eye-opening experience. In the fast-moving world of Information Security, we are facing attacks in greater numbers and greater complexity. It can be difficult to sift through the vast amounts of information distributed throughout the internet, trying to find advice that is truthful, accurate, and relevant to your organisation. CERT and CSIRT organisations offer an increasingly important role in these times, distributing threat intelligence efficiently and with the goal of national/sectorial security in mind. As well, the challenges faced by each CERT are often similar, and there is great value in being able to speak freely with other organisations that share your goals. I would like to thank all of the members, partners, and guests at the conference, for welcoming me to the APCERT community. I’ve made many new friends over the last week, and hearing other analysts describe their experiences, challenges and achievements has re-invigorated my love for information security. I hope AUSCERT can continue to provide value to other APCERT members and look forward to some new collaborations in the future.I would also like to offer a special thank-you to the staff of CERT-In, for being such hospitable hosts. My first stay in India was a great experience, and I hope to return in the future.   Anthony Vaccaroanthony@auscert.org.au

Learn more

Week in review

AUSCERT Week in Review for 17th November 2017

AUSCERT Week in Review for 17th November 2017 AUSCERT Week in Review17 November 2017 Greetings, As Friday 17 November closes, Cisco have announced and addressed a bug with certain upgrade paths in their appliances which left a root user wide open. The world’s most mainstream security target, Apple’s latest iPhone, has been fooled by researchers with an affordable mask. JavaScript cryptocurrency miners have also hit the news, with implementations available for all sorts of currencies, becoming a new XSS favourite. As for more news, here’s a summary of some of the more interesting stories we’ve seen this week: Title:  Microsoft November Patch Tuesday Fixes 53 Security IssuesURL: https://www.bleepingcomputer.com/news/microsoft/microsoft-november-patch-tuesday-fixes-53-security-issues/Date:   14 November 2017Author: Catalin Cimpanu Excerpt:“No zero-days this monthDetails about four vulnerabilities were published online before today’spatches, but fortunately, none were exploited in real-world attacks.” ——– Title:    APCERT 2017 AGM and Conference: A Window into the CERT communityURL:    https://wordpress-admin.auscert.org.au/blog/2017-11-17-apcert-2017-agm-and-conference-window-c/Date:   17 November 2017Author: Anthony Vaccaro (of AUSCERT!) Excerpt:“Additionally, some external speakers were invited to give talks at the conference. Some highlights included a talk by Akamai representative Amol Mathur on attacks that target API services directly, bypassing many of the protections that are built into front-end applications, and an overview on using machine learning to analyse malware samples by Rajesh Nikam of Quick Heal. As malware campaigns grow in both size and number, we need to move away from manual analysis in order to process as many samples as possible, making use of technologies such as machine learning to automate the process.” ——– Title:    2,500+ Websites Are Now “Cryptojacking” To Use Your CPU Power And Mine CryptocurrencyURL:    https://fossbytes.com/2500-websites-are-now-cryptojacking-to-use-your-cpu-power-and-mine-cryptocurrency/Date:   10 November 2017Author: Adarsh Verma Excerpt:“Most of these websites are using a JavaScript-based miner from the website Coinhive. By simply pasting a code snippet on the website, any webmaster can start mining. They just need to share a small cut with Coinhive.”——– Title:    Researchers Fool iPhone X’s Face ID with $150 3D Printed FaceURL:    https://www.cso.com.au/article/629951/researchers-fool-iphone-x-face-id-150-3d-printed-face/Date:   14 November 2017Author: Liam Tung Excerpt:“The company hasn’t revealed exactly how it tricked Face ID but says it was possible because they understood how Apple’s Face ID artificial intelligence worked. Face ID requires the user look directly at the camera by directing the direction of the user’s gaze, and then uses neural networks for matching and anti-spoofing.” ——– And lastly, here are this week’s noteworthy security bulletins (in noparticular order): 1. ESB-2017.2953 – [Win][UNIX/Linux] OpenSAML2 metadata filter bypasshttps://portal.auscert.org.au/bulletins/55102 CVE-2017-16853: A filtering engine omits to run checks, leading to metadata exposure in a major SAML library. Expect to hear more on this. 2. ESB-2017.2931 – [Cisco] Known Root Credentials Enabled After Some Upgradeshttps://portal.auscert.org.au/bulletins/55010 The vulnerability occurs when a refresh upgrade or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password. Subsequent upgrades disable this flag. 3. ESB-2017.2913 – [Debian] mediawiki: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54938 Cross-site scripting, revealing account existence and a set of HTML mangling attacks. 4.  ASB-2017.0194 – [Win] Microsoft Edge: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54822 In seeking to speed up its Edge browser, Microsoft is producing and flattening RCEs. Wishing you the best from AUSCERT and hope to see you next week,David

Learn more

Week in review

AUSCERT Week in Review for 10th November 2017

AUSCERT Week in Review for 10th November 2017 AUSCERT Week in Review10 November 2017 Greetings, As Friday 10th of November closes, DDE, a twenty four (24) year old feature in the Office suite, has taken the limelight in the method of executing code on victim’s computers.  Although this method requires heavy user interaction, it was finally addressed for mitigation, published by the vendor and pushed out to members in an AUSCERT bulletin. So, applying the mitigation and applying an other round of user education notices may do well to protect your organisation.  Another set of people that may need to be educated on the dangers of opening up fresh and untrusted code on the internet could be script kiddies, this being the lead to our top new story this week. As for more news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  Script Kiddie Nightmare: IoT Attack Code Embedded with BackdoorURL:    https://blog.newskysecurity.com/script-kiddie-nightmare-iot-attack-code-embedded-with-backdoor-39ebcb92a4bbDate:   November 8, 2017 Author: NewSky Security     Excerpt:“The IoT threat landscape is proving to be the fastest to evolve, with attacks shifting from basic password guessing, to using a variety of exploits as seen recently in the IoTroop/Reaper botnet. Enter the script kiddie?—?amateurish hackers that copy/paste code for quick results. “ ——- Title:  Windows Movie Maker Scam spreads massively due to high Google rankingURL:    https://www.welivesecurity.com/2017/11/09/eset-detected-windows-movie-maker-scam-2017/Date:   November 9, 2017 Author: Peter Stancik     Excerpt:“Scammers have been surprisingly successful at distributing a modified version of Windows Movie Maker that aims to collect money from unaware users. The spread of the scam (which itself is far from new) has been boosted by search engine optimization of the crooks’ website, as well as continuing demand for Windows Movie Maker, Microsoft’s free video editing software, discontinued since January 2017.” ——- Title:  Google Adds New Features in Chrome to Fight MalvertisingURL:    https://www.bleepingcomputer.com/news/security/google-adds-new-features-in-chrome-to-fight-malvertising/Date:   November 9, 2017 Author: Catalin Cimpanu     Excerpt:“Google announced plans today for three new Chrome security features that will block websites from sneakily redirecting users to new URLs without the user or website owner’s consent. While all three additions are welcomed, one of these features has the potential to stop a few malvertising campaigns dead in their tracks, and could potentially disrupt the malware scene in the next few months.” ——- Title:  Chinese Keyboard Developer Spies on User Through Built-in KeyloggerURL:    https://www.hackread.com/chinese-keyboard-developer-spies-on-user-through-built-in-keylogger/Date:   November 8, 2017Author: Waqas      Excerpt:“A Chinese mechanical keyboard manufacturer MantisTek has been caught in the middle of a controversy in which it’s being blamed for spying on users through built-in keylogger in its GK2 model and sending the data to a server apparently hosted on Alibaba Cloud server.” ——- Title:  Locky Ransomware Used to Target Hospitals EvolvesURL:    http://www.zdnet.com/article/locky-ransomware-used-to-target-hospitals-evolves/Date:   November 7, 2017Author: Charlie Osborne     Excerpt:“According to new research released by Cylance, a relatively new Locky variant, dubbed Diablo6, includes a few tweaks which are making detection of the ransomware more difficult for traditional antivirus solutions as well as end users.In a blog post, the team said Diablo6 performs an attack in two stages. The first is a typical attack vector for ransomware — a spear phishing email which contains a .zip archive, but something new for the Locky variant.While masquerading as a legitimate email and attachment, the file actually contains a VBS file which, when decompressed and opened, attempts to connect to Locky’s command-and-control (C&C) server for instructions.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1.    ASB-2017.0192 – [Win] Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fieldshttps://portal.auscert.org.au/bulletins/54686 An attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. 2.    ESB-2017.2807 – [SUSE] kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54466 CVE-2015-9004: kernel/events/core.c in the Linux kernel mishandled counter grouping, which allowed local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions 3.    ESB-2017.2867 – [Appliance] IBM Security SiteProtector System: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54726 CVE-2017-10116: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to take control of the system. 4.    ESB-2017.2865 – [Win] Schnedier Electric InduSoft Web Studio and Schneider Electric InTouch Machine Edition : Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/54718 CVE-2017-14024: The stack-based buffer overflow vulnerability has been identified, which may allow remote code execution with high privileges. 5.    ESB-2017.2855 – [BlackBerry] BlackBerry: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54670 CVE-2017-0862: Elevation of Privilege in Kernel                              — Wishing you the best from AUSCERT and hope to see you next week,Geoffroy

Learn more

Week in review

AUSCERT Week in Review for 3rd November 2017

AUSCERT Week in Review for 3rd November 2017 AUSCERT Week in Review03 November 2017 Greetings, As Friday 3rd of November closes, a tally of the root compromises is more than I have seen this past year.  Let’s hope that the reason why we are indeed seeing an up tick in this type of vulnerability is only because security teams and their capabilities are indeed expanding. Well, at least this is the silver lining to be seen as this cloud of root compromise bulletins rolls over.  As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  If your websites use WordPress, put down that coffee and upgrade to 4.8.3. Thank us laterURL:    http://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/Date:   31st October 2017Author: Iain Thomson Excerpt:“The fix addresses a flaw that can be potentially exploited by hackers to hijack and take over WordPress-powered websites, by injecting malicious SQL database commands. The core installation of WordPress is not directly affected, we’re told, rather the bug is in a security function provided by the core to plugins and themes. In other words, a bug in the core leaves plugins and themes potentially at risk of being hacked, leading to whole sites being commandeered by miscreants.” ——- Title:  Just one day after its release, iOS 11.1 hacked by security researchersURL:    http://www.zdnet.com/article/ios-11-hacked-by-security-researchers-day-after-release/Date:   2nd November 2017Author: Zack Whittaker Excerpt:“A day after iOS 11.1 was released, security researchers have already broken the software. News of the exploits came from Trend Micro’s Mobile Pwn2Own contest in Tokyo, where security researchers found two vulnerabilities in Safari, the mobile operating system’s browser. “ ——- Title:  AI will not solve your security analytics issuesURL:    https://www.csoonline.com/article/3236025/artificial-intelligence/ai-will-not-solve-your-security-analytics-issues.htmlDate:   2nd November 2017Author: Alexander Poizner Excerpt:“Managing SOC is not pretty. Constant stress due to avalanche of tickets and vast amounts of data to analyze using often underpowered and sometimes outdated tools, combined with high turnover and low morale staff. It is understandable that in such environment everybody is looking for a miracle. Any new technology that has a capability to automate an analysis and detect anomalies gets attention of operations security. With an amount of hype surrounding AI, the temptation is great to jump into early adoption.” ——- Title:  Security Think Tank: Three areas of web security challengesURL:    http://www.computerweekly.com/opinion/Security-Think-Tank-Three-areas-of-web-security-challengesDate:   1st November 2017Author: Peter Wenham Excerpt:“Very few companies these days are without a website and those websites provide a portal from the internet that the bad people can exploit to attack a company’s infrastructure including the website itself. The security challenges posed by a web presence fall into the three broad categories of legal, technical and operational. On the legal side you need to have a privacy policy identifying what personal data is collected, how that data will be used and who that data might be shared with and why. The policy should be made compliant with the General Data Protection Regulation (GDPR) for which the compliance deadline is 25 May 2018, but this will require you to track GDPR guidance as it becomes available.” ——- Title:  Facebook pledges to double its 10,000-person safety and security staff by end of 2018URL:    https://www.cnbc.com/2017/10/31/facebook-senate-testimony-doubling-security-group-to-20000-in-2018.htmlDate:   31st October 2017Author: Anita Balakrishnan     Excerpt:“Facebook, under intensifying pressure from legislators and consumers to clean up its site, is pledging to double the number of people it has working on issues related to safety and security. Colin Stretch, a vice president and general counsel at Facebook, testified before senators on Tuesday alongside executives from Twitter and Google. He told them that Facebook’s staff focused on sensitive security and community issues will grow to 20,000 by the end of next year.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1.    ESB-2017.2778 – [OSX] Apple macOS: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/54342 An application may be able to execute arbitrary code with system privileges. 2.    ESB-2017.2766 – [Mobile] Apple Watch: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54294 An application may be able to execute arbitrary code with kernel privileges. 3.    ESB-2017.2763 – [Ubuntu] kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54282 A local attacker could exploit this vulnerability to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. 4.    ESB-2017.2782 – [Cisco] Cisco Firepower 4100 Series Next-Generation Firewall (NGFW): Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/54358 An authenticated, remote attacker to inject arbitrary commands that could be executed with root privileges. 5.    ESB-2017.2790 – [Appliance] F5 Products: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54390 An authenticated attacker may be able to cause an escalation of privileges through a crafted application that uses the fork or close system call. — Wishing you the best from AUSCERT and hope to see you next week,Geoffroy

Learn more

Week in review

AUSCERT Week in Review for 27th October 2017

AUSCERT Week in Review for 27th October 2017 AUSCERT Week in Review27 October 2017 Greetings, With another named vulnerability and a new chapter in the unfolding Kaspersky saga,it seems that we are back to business as usual in the world of Information Security.Even NSA employees are susceptible to malware lurking within illegally-acquired copies of software.As security moves forward, will you protect your organisation by providing them with Microsoft Office licenses? Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week: Title: Is Bad Rabbit the new NotPetya?URL: https://www.itnews.com.au/news/is-bad-rabbit-the-new-notpetya-476121Date: 25th October, 2017Author: Juha SaarinenExcerpt: “A new strain of ransomware is working its way around the globedisguised as a fake Adobe Flash player update delivered as a drive-bydownload.” — Title: Worker who snuck NSA malware home had his PC backdoored, Kaspersky saysURL: https://arstechnica.com/information-technology/2017/10/worker-who-snuck-nsa-secrets-home-had-a-backdoor-on-his-pc-kaspersky-says/Date: 25th October, 2017Author: Dan GoodinExcerpt: “The NSA worker’s computer ran a home version of Kaspersky AV thathad enabled a voluntary service known as Kaspersky Security Network. Whenturned on, KSN automatically uploads new and previously unknown malware tocompany Kaspersky Lab servers. The setting eventually caused the previouslyundetected NSA malware to be uploaded to Kaspersky Lab servers, where itwas then reviewed by a company analyst.” — Title: Attack of the week: DUHKURL: https://blog.cryptographyengineering.com/2017/10/23/attack-of-the-week-duhk/Date: 23rd October, 2017Author: Matthew GreenExcerpt: “This work comes from Nadia Heninger, Shaanan Cohney and myself,and follows up on some work we’ve been doing to look into the securityof pseudorandom number generation in deployed cryptographic devices.” — Title: APNIC Whois Database Password Hashes Were Available for DownloadURL: https://www.bleepingcomputer.com/news/security/apnic-whois-database-password-hashes-were-available-for-download/Date: 24th October, 2017Author: Catalin CimpanuExcerpt: “The Asia-Pacific Network Information Centre (APNIC), theorganization that manages domain name information for the Asia-Pacificregion, fixed on Monday an error that exposed password hashes needed toaccess and edit domain ownership details. The incident came to light onOctober 12 this when eBay employee Chris Barcellos spotted password hashesinside downloadable Whois information. The researcher reached out to APNICwith the issue, and the company fixed the problem by the second day.” — Title: IoT_reaper: A Rappid Spreading New IoT BotnetURL: http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/Date: 20th October, 2017Author: yegenshenExcerpt: “On 2017-09-13 at 01:02:13, we caught a new malicious sampletargeting IoT devices. Starting from that time, this new IoT botnet familycontinued to update and began to harvest vulnerable iot devices in a rapidpace. The bot borrowed some code from the famous mirai botnet, but it doesnot do any password crack all. Instead, it purely focuses on exploitingIoT device vulnerabilities. So, we name it IoT_reaper.” — And lastly, here are this week’s noteworthy security bulletins (in noparticular order): ESB-2017.2679 – [Win][UNIX/Linux][Ubuntu] curl: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/53934 Brian Carpenter discovered that curl incorrectly handled IMAP FETCHresponse lines. A remote attacker could use this issue to cause curl tocrash, resulting in a denial of service, or possibly execute arbitrarycode. — ESB-2017.2710 – [Appliance] Rockwell Automation Stratix 5100: Access privileged data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/54058 A Man-in-the-middle attack on Rockwell Automation wireless bridges couldlead to takeover of industrial hardware. — ESB-2017.2670 – [Appliance] F5 products: Execute arbitrary code/commands – Remote with user interactionESB-2017.2671 – [Appliance] F5 BIG-IP products: Root compromise – Existing accountESB-2017.2672 – [Appliance] F5 products: Access privileged data – Existing accountESB-2017.2673 – [Appliance] F5 BIG-IP Products: Denial of service – Remote/unauthenticatedESB-2017.2674 – [Appliance] F5 BIG-IP PEM: Access privileged data – Remote with user interactionESB-2017.2675 – [Appliance] F5 BIG-IP products: Unauthorised access – Existing accountESB-2017.2687 – [Appliance] F5 products: Denial of service – Remote/unauthenticatedESB-2017.2703 – [Appliance] F5 products: Multiple vulnerabilitiesESB-2017.2707 – [Appliance] F5 products: Denial of service – Remote/unauthenticatedESB-2017.2715 – [Appliance] F5 BIG-IP products: Denial of service – Remote/unauthenticatedESB-2017.2716 – [Appliance][Virtual] F5 BIG-IP products: Denial of service – Remote/unauthenticatedESB-2017.2717 – [Appliance] F5 products: Denial of service – Remote/unauthenticatedESB-2017.2718 – [Appliance][Virtual] F5 BIG-IP AAM and PEM: Denial of service – Remote/unauthenticatedESB-2017.2719 – [Appliance][Virtual] F5 BIG-IP products: Execute arbitrary code/commands – Remote/unauthenticatedESB-2017.2722 – [Appliance][Virtual] F5 BIG-IP products: Denial of service – Remote/unauthenticated   https://portal.auscert.org.au/bulletins/53898https://portal.auscert.org.au/bulletins/53902https://portal.auscert.org.au/bulletins/53906https://portal.auscert.org.au/bulletins/53910https://portal.auscert.org.au/bulletins/53914https://portal.auscert.org.au/bulletins/53918https://portal.auscert.org.au/bulletins/53966https://portal.auscert.org.au/bulletins/54030https://portal.auscert.org.au/bulletins/54046https://portal.auscert.org.au/bulletins/54078https://portal.auscert.org.au/bulletins/54082https://portal.auscert.org.au/bulletins/54086https://portal.auscert.org.au/bulletins/54090https://portal.auscert.org.au/bulletins/54094https://portal.auscert.org.au/bulletins/54106 Several important F5 updates have been published this week. — Have a good weekend everyone. Firewalls up! Anthony

Learn more

Week in review

AUSCERT Week in Review for 20th October 2017

AUSCERT Week in Review for 20th October 2017 AUSCERT Week in Review20 October 2017Greetings,What a week for Information Security! With the new vulnerabilities revealedin WPA2 and the Infineon RSA algorithm, can we be certain that anythingis truly secure any more? All eyes are on vendors and their responses tothese potentially catastrophic security flaws. As we go forward, puttingmore of our trust and confidential data into computers, being able torespond to new vulnerabilities in a timely fashion is critical.Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week:Title: Millions of high-security crypto keys crippled by newly discovered flawURL: https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/Date: 16th October, 2017Author: Dan GoodinExcerpt: “A crippling flaw in a widely used code library has fatallyundermined the security of millions of encryption keys used in some ofthe highest-stakes settings, including national identity cards, software-and application-signing, and trusted platform modules protecting governmentand corporate computers.”—Title: Necurs Botnet malspam pushes Locky using DDE attackURL: https://isc.sans.edu/forums/diary/Necurs+Botnet+malspam+pushes+Locky+using+DDE+attack/22946/Date: 19th October, 2017Author: Brad DuncanExcerpt: “I’ve seen Twitter traffic today about malspam from the NecursBotnet pushing Locky ransomware using Word documents as their attachments.These Word documents use the DDE attack technique, something I alreadywrote about in a previous diary covering Hancitor malspam on 2017-10-16.”—Title: Adobe rushes out fix for exploited Flash bugURL: https://www.itnews.com.au/news/adobe-rushes-out-fix-for-exploited-flash-bug-475535Date: 17th October, 2017Author: Staff WriterExcerpt: “The patch came after Kaspersky Lab said a group it was tracking,BlackOasis, used the previously unknown weakness on October 10 to plantFinSpy or FinFisher malware on computers before connecting them back toservers in Switzerland, Bulgaria and the Netherlands.”—Title: ACORN received almost 48k cyber-related reports in 2016-17URL: http://www.zdnet.com/article/acorn-received-almost-48k-cyber-related-reports-in-2016-17/Date: 20th October, 2017Author: Asha McLeanExcerpt: “As revealed in the Connect Discover Understand Respond 2016-17Annual Report from the Australian Criminal Intelligence Commission (ACIC),scams and online fraud were the highest reported incidents to ACORN,accounting for 51 percent of the 47,873 total.”—Title: Australian government details Govpass digital IDURL: http://www.zdnet.com/article/australian-government-details-govpass-digital-id/Date: 17th October, 2017Author: Asha McLeanExcerpt: “The federal government has detailed what its digital identificationsolution will look like, outlining how citizens can apply for an optionalGovpass in a video posted on YouTube.”And lastly, here are this week’s noteworthy security bulletins (in noparticular order):ESB-2017.2607 – ALERT [Appliance] Infineon RSA: Access privileged data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/53570A flaw in the Infineon RSA algorithm could result in keys that arefactorisable in months instead of centuries.—ESB-2017.2602 – ALERT [Win][Linux][OSX] Adobe Flash Player: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/53546A newly-disclosed vulnerability in Adobe Flash affects all versions ofthe software, and has already been seen in the wild.—ESB-2017.2599 – ALERT [Win][UNIX/Linux][Appliance][Mobile] Wi-Fi Protected Access II (WPA2) devices: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/53534A flaw discovered in the WPA protocol itself could affect billions ofpeople, as the encryption protocol is used ubiquitously around the globefor WiFi networks.   Wishing you the best from AUSCERT and hope to see you next week.Stay patched, stay safe.Anthony  

Learn more

Week in review

AUSCERT Week in Review for 13th October 2017

AUSCERT Week in Review for 13th October 2017 AUSCERT Week in Review13 October 2017 Greetings, As Friday 13th of October closes, all eyes are in Kaspersky and how itwill manage? The above reflection came out of one of the news articles that have cappedoff a solid week in bulletins, and we have included a few more articlesof interest that have grabbed our attention. Here’s a summary (includingexcerpts) of some of the more interesting stories we’ve seen this week: Title: Kaspersky Lab and the AV Security HoleURL:https://www.darkreading.com/attacks-breaches/kaspersky-lab-and-the-av-security-hole/d/d-id/1330116Date: 10 October 2017Author: Jai Vijayan Excerpt: “It’s unclear what happened in the reported theft of NSA data byRussian spies, but an attacker would need little help to steal if he orshe had privileged access to an AV vendor’s network, security experts say.” ——- Title: Microsoft Patches Office Bug Actively Being ExploitedURL:https://threatpost.com/microsoft-patches-office-bug-actively-being-exploited/128367/Date: 10 October 2017Author: Tom Spring Excerpt: “Security experts are urging network administrators to patch aMicrosoft Office vulnerability that has been exploited in the wild.” ——- Title: Dumb bug of the week: Outlook staples your encrypted emails to,er, plaintext copies when sending messagesURL: https://www.theregister.co.uk/2017/10/11/outlook_smime_bug/Date: 11 October 2017Author: Iain Thomson Excerpt: “Attention anyone using Microsoft Outlook to encryptemails. Researchers at security outfit SEC Consult have found a bug inRedmond’s software that causes encrypted messages to be sent out withtheir unencrypted versions attached.” ——- Title: Equifax Website Caught Serving Malicious Ads to VisitorsURL:https://www.forbes.com/sites/leemathews/2017/10/12/equifax-website-caught-serving-malicious-ads-to-visitors/Date: 12 October 2017Author: Lee Mathews Excerpt: “It’s been just over a month since Equifax went public withnews of a massive server breach that affected roughly half of the adultpopulation of the United States and thousands more consumers in Canada andthe U.K. Now, a security researcher has spotted an ad campaign spreadingmalware from the company’s website.” ——- Title: Accentuate the negative: Accenture exposes data related to itsenterprise cloud platformURL:https://www.scmagazine.com/accentuate-the-negative-accenture-exposes-data-related-to-its-enterprise-cloud-platform/article/699636/ Date: 11 October 2017Author: Bradley Barth Excerpt: “Yet another company has mistakenly exposed its sensitiveinternal information after storing data on misconfigured cloud-basedservers from Amazon Web Services. The culprit in this case – the $32.9billion consulting and professional services company Accenture – wasfound to be insecurely storing data that, ironically, has to do with itsown cloud-based enterprise solution, the Accenture Cloud Platform.” ——- Title: Office 365 Adoption Picks Up Pace Amid Security ConcernsURL:https://www.infosecurity-magazine.com/news/office-265-adoption-picks-up-pace/Date: 12 October 2017Author: Tara Seals Excerpt: “Adoption rates for Microsoft’s cloud-based, hosted productivitysuite, Office 365, have increased significantly in the past 12 months;however, security concerns remain a barrier to adoption.”   And lastly, here are this week’s noteworthy security bulletins (in noparticular order): 1. ASB-2017.0161 – ALERT [Win] Microsoft Windows: Multiplevulnerabilitieshttps://portal.auscert.org.au/bulletins/53282 Plenty to patch this Microsoft patch Tuesday. 2. ASB-2017.0159 – ALERT [Win] Microsoft Office: Multiplevulnerabilitieshttps://portal.auscert.org.au/bulletins/53274 MS Office and there is a exploit out now. 3. ESB-2017.2561 – [Debian] wordpress: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/53382 WordPress has vulnerabilities, that is a lot of websites. 4. ESB-2017.2562 – [RedHat] thunderbird: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/53386 Thunderbirds are go! 5. ESB-2017.2591 – [SUSE] git: Execute arbitrary code/commands –Existing accounthttps://portal.auscert.org.au/bulletins/53498 Should I git onto patching this? Wishing you the best from AUSCERT and hope to see you next week.Stay patched, stay safe.Peter  

Learn more