Week in review

AUSCERT Week in Review for 17th November 2017

AUSCERT Week in Review
17 November 2017

Greetings,

As Friday 17 November closes, Cisco have announced and addressed a bug with certain upgrade paths in their appliances which left a root user wide open. The world’s most mainstream security target, Apple’s latest iPhone, has been fooled by researchers with an affordable mask. JavaScript cryptocurrency miners have also hit the news, with implementations available for all sorts of currencies, becoming a new XSS favourite.

As for more news, here’s a summary of some of the more interesting stories we’ve seen this week:

Title:  Microsoft November Patch Tuesday Fixes 53 Security Issues
URL:    https://www.bleepingcomputer.com/news/microsoft/microsoft-november-patch-tuesday-fixes-53-security-issues/
Date:   14 November 2017
Author: Catalin Cimpanu
Excerpt:
“No zero-days this month
Details about four vulnerabilities were published online before today’s patches, but fortunately, none were exploited in real-world attacks.”

——–

Title:  APCERT 2017 AGM and Conference: A Window into the CERT community
URL:    https://wordpress-admin.auscert.org.au/blog/2017-11-17-apcert-2017-agm-and-conference-window-c/
Date:   17 November 2017
Author: Anthony Vaccaro (of AUSCERT!)
Excerpt:
“Additionally, some external speakers were invited to give talks at the conference. Some highlights included a talk by Akamai representative Amol Mathur on attacks that target API services directly, bypassing many of the protections that are built into front-end applications, and an overview on using machine learning to analyse malware samples by Rajesh Nikam of Quick Heal. As malware campaigns grow in both size and number, we need to move away from manual analysis in order to process as many samples as possible, making use of technologies such as machine learning to automate the process.”

——–

Title:  2,500+ Websites Are Now “Cryptojacking” To Use Your CPU Power And Mine Cryptocurrency
URL:    https://fossbytes.com/2500-websites-are-now-cryptojacking-to-use-your-cpu-power-and-mine-cryptocurrency/
Date:   10 November 2017
Author: Adarsh Verma
Excerpt:
“Most of these websites are using a JavaScript-based miner from the website Coinhive. By simply pasting a code snippet on the website, any webmaster can start mining. They just need to share a small cut with Coinhive.”

——–

Title:  Researchers Fool iPhone X’s Face ID with $150 3D Printed Face
URL:    https://www.cso.com.au/article/629951/researchers-fool-iphone-x-face-id-150-3d-printed-face/
Date:   14 November 2017
Author: Liam Tung
Excerpt:
“The company hasn’t revealed exactly how it tricked Face ID but says it was possible because they understood how Apple’s Face ID artificial intelligence worked. Face ID requires the user look directly at the camera by directing the direction of the user’s gaze, and then uses neural networks for matching and anti-spoofing.”

——–

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2017.2953 – [Win][UNIX/Linux] OpenSAML2 metadata filter bypass
https://portal.auscert.org.au/bulletins/55102
CVE-2017-16853: A filtering engine omits to run checks, leading to metadata exposure in a major SAML library. Expect to hear more on this.

2. ESB-2017.2931 – [Cisco] Known Root Credentials Enabled After Some Upgrades
https://portal.auscert.org.au/bulletins/55010
The vulnerability occurs when a refresh upgrade or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password. Subsequent upgrades disable this flag.

3. ESB-2017.2913 – [Debian] mediawiki: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54938
Cross-site scripting, revealing account existence and a set of HTML mangling attacks.

4. ASB-2017.0194 – [Win] Microsoft Edge: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54822
In seeking to speed up its Edge browser, Microsoft is producing and flattening RCEs.

Wishing you the best from AUSCERT and hope to see you next week,
David



AUSCERT Week in Review for 10th November 2017

AUSCERT Week in Review
10 November 2017

Greetings,

As Friday 10th of November closes, DDE, a twenty four (24) year old feature in the Office suite, has taken the limelight in the method of executing code on victims’ computers. Although this method requires heavy user interaction, it was finally addressed for mitigation, published by the vendor and pushed out to members in an AUSCERT bulletin. So, applying the mitigation and applying another round of user education notices may do well to protect your organisation. Another set of people that may need to be educated on the dangers of opening up fresh and untrusted code on the internet could be script kiddies, this being the lead to our top news story this week.

As for more news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title:  Script Kiddie Nightmare: IoT Attack Code Embedded with Backdoor
URL:    https://blog.newskysecurity.com/script-kiddie-nightmare-iot-attack-code-embedded-with-backdoor-39ebcb92a4bb
Date:   November 8, 2017
Author: NewSky Security
Excerpt:
“The IoT threat landscape is proving to be the fastest to evolve, with attacks shifting from basic password guessing, to using a variety of exploits as seen recently in the IoTroop/Reaper botnet. Enter the script kiddie — amateurish hackers that copy/paste code for quick results.”

——-

Title:  Windows Movie Maker Scam spreads massively due to high Google ranking
URL:    https://www.welivesecurity.com/2017/11/09/eset-detected-windows-movie-maker-scam-2017/
Date:   November 9, 2017
Author: Peter Stancik
Excerpt:
“Scammers have been surprisingly successful at distributing a modified version of Windows Movie Maker that aims to collect money from unaware users. The spread of the scam (which itself is far from new) has been boosted by search engine optimization of the crooks’ website, as well as continuing demand for Windows Movie Maker, Microsoft’s free video editing software, discontinued since January 2017.”

——-

Title:  Google Adds New Features in Chrome to Fight Malvertising
URL:    https://www.bleepingcomputer.com/news/security/google-adds-new-features-in-chrome-to-fight-malvertising/
Date:   November 9, 2017
Author: Catalin Cimpanu
Excerpt:
“Google announced plans today for three new Chrome security features that will block websites from sneakily redirecting users to new URLs without the user or website owner’s consent. While all three additions are welcomed, one of these features has the potential to stop a few malvertising campaigns dead in their tracks, and could potentially disrupt the malware scene in the next few months.”

——-

Title:  Chinese Keyboard Developer Spies on User Through Built-in Keylogger
URL:    https://www.hackread.com/chinese-keyboard-developer-spies-on-user-through-built-in-keylogger/
Date:   November 8, 2017
Author: Waqas
Excerpt:
“A Chinese mechanical keyboard manufacturer MantisTek has been caught in the middle of a controversy in which it’s being blamed for spying on users through built-in keylogger in its GK2 model and sending the data to a server apparently hosted on Alibaba Cloud server.”

——-

Title:  Locky Ransomware Used to Target Hospitals Evolves
URL:    http://www.zdnet.com/article/locky-ransomware-used-to-target-hospitals-evolves/
Date:   November 7, 2017
Author: Charlie Osborne
Excerpt:
“According to new research released by Cylance, a relatively new Locky variant, dubbed Diablo6, includes a few tweaks which are making detection of the ransomware more difficult for traditional antivirus solutions as well as end users.
In a blog post, the team said Diablo6 performs an attack in two stages. The first is a typical attack vector for ransomware — a spear phishing email which contains a .zip archive, but something new for the Locky variant.
While masquerading as a legitimate email and attachment, the file actually contains a VBS file which, when decompressed and opened, attempts to connect to Locky’s command-and-control (C&C) server for instructions.”

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1. ASB-2017.0192 – [Win] Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields
https://portal.auscert.org.au/bulletins/54686
An attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email.

2. ESB-2017.2807 – [SUSE] kernel: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54466
CVE-2015-9004: kernel/events/core.c in the Linux kernel mishandled counter grouping, which allowed local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions.

3. ESB-2017.2867 – [Appliance] IBM Security SiteProtector System: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54726
CVE-2017-10116: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to take control of the system.

4. ESB-2017.2865 – [Win] Schneider Electric InduSoft Web Studio and Schneider Electric InTouch Machine Edition: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/54718
CVE-2017-14024: The stack-based buffer overflow vulnerability has been identified, which may allow remote code execution with high privileges.

5. ESB-2017.2855 – [BlackBerry] BlackBerry: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54670
CVE-2017-0862: Elevation of Privilege in Kernel

—

Wishing you the best from AUSCERT and hope to see you next week,
Geoffroy



AUSCERT Week in Review for 3rd November 2017

AUSCERT Week in Review
03 November 2017

Greetings,

As Friday 3rd of November closes, a tally of the root compromises is more than I have seen this past year. Let’s hope that the reason why we are indeed seeing an uptick in this type of vulnerability is only because security teams and their capabilities are indeed expanding. Well, at least this is the silver lining to be seen as this cloud of root compromise bulletins rolls over.

As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title:  If your websites use WordPress, put down that coffee and upgrade to 4.8.3. Thank us later
URL:    http://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/
Date:   31st October 2017
Author: Iain Thomson
Excerpt:
“The fix addresses a flaw that can be potentially exploited by hackers to hijack and take over WordPress-powered websites, by injecting malicious SQL database commands. The core installation of WordPress is not directly affected, we’re told, rather the bug is in a security function provided by the core to plugins and themes. In other words, a bug in the core leaves plugins and themes potentially at risk of being hacked, leading to whole sites being commandeered by miscreants.”

——-

Title:  Just one day after its release, iOS 11.1 hacked by security researchers
URL:    http://www.zdnet.com/article/ios-11-hacked-by-security-researchers-day-after-release/
Date:   2nd November 2017
Author: Zack Whittaker
Excerpt:
“A day after iOS 11.1 was released, security researchers have already broken the software. News of the exploits came from Trend Micro’s Mobile Pwn2Own contest in Tokyo, where security researchers found two vulnerabilities in Safari, the mobile operating system’s browser.”

——-

Title:  AI will not solve your security analytics issues
URL:    https://www.csoonline.com/article/3236025/artificial-intelligence/ai-will-not-solve-your-security-analytics-issues.html
Date:   2nd November 2017
Author: Alexander Poizner
Excerpt:
“Managing SOC is not pretty. Constant stress due to avalanche of tickets and vast amounts of data to analyze using often underpowered and sometimes outdated tools, combined with high turnover and low morale staff. It is understandable that in such environment everybody is looking for a miracle. Any new technology that has a capability to automate an analysis and detect anomalies gets attention of operations security. With an amount of hype surrounding AI, the temptation is great to jump into early adoption.”

——-

Title:  Security Think Tank: Three areas of web security challenges
URL:    http://www.computerweekly.com/opinion/Security-Think-Tank-Three-areas-of-web-security-challenges
Date:   1st November 2017
Author: Peter Wenham
Excerpt:
“Very few companies these days are without a website and those websites provide a portal from the internet that the bad people can exploit to attack a company’s infrastructure including the website itself. The security challenges posed by a web presence fall into the three broad categories of legal, technical and operational. On the legal side you need to have a privacy policy identifying what personal data is collected, how that data will be used and who that data might be shared with and why. The policy should be made compliant with the General Data Protection Regulation (GDPR) for which the compliance deadline is 25 May 2018, but this will require you to track GDPR guidance as it becomes available.”

——-

Title:  Facebook pledges to double its 10,000-person safety and security staff by end of 2018
URL:    https://www.cnbc.com/2017/10/31/facebook-senate-testimony-doubling-security-group-to-20000-in-2018.html
Date:   31st October 2017
Author: Anita Balakrishnan
Excerpt:
“Facebook, under intensifying pressure from legislators and consumers to clean up its site, is pledging to double the number of people it has working on issues related to safety and security. Colin Stretch, a vice president and general counsel at Facebook, testified before senators on Tuesday alongside executives from Twitter and Google. He told them that Facebook’s staff focused on sensitive security and community issues will grow to 20,000 by the end of next year.”

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2017.2778 – [OSX] Apple macOS: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54342
An application may be able to execute arbitrary code with system privileges.

2. ESB-2017.2766 – [Mobile] Apple Watch: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54294
An application may be able to execute arbitrary code with kernel privileges.

3. ESB-2017.2763 – [Ubuntu] kernel: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54282
A local attacker could exploit this vulnerability to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

4. ESB-2017.2782 – [Cisco] Cisco Firepower 4100 Series Next-Generation Firewall (NGFW): Root compromise – Existing account
https://portal.auscert.org.au/bulletins/54358
An authenticated, remote attacker could inject arbitrary commands that could be executed with root privileges.

5. ESB-2017.2790 – [Appliance] F5 Products: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54390
An authenticated attacker may be able to cause an escalation of privileges through a crafted application that uses the fork or close system call.

—

Wishing you the best from AUSCERT and hope to see you next week,
Geoffroy



AUSCERT Week in Review for 27th October 2017

AUSCERT Week in Review
27 October 2017

Greetings,

With another named vulnerability and a new chapter in the unfolding Kaspersky saga, it seems that we are back to business as usual in the world of Information Security. Even NSA employees are susceptible to malware lurking within illegally-acquired copies of software. As security moves forward, will you protect your organisation by providing them with Microsoft Office licenses?

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Is Bad Rabbit the new NotPetya?
URL: https://www.itnews.com.au/news/is-bad-rabbit-the-new-notpetya-476121
Date: 25th October, 2017
Author: Juha Saarinen
Excerpt: “A new strain of ransomware is working its way around the globe disguised as a fake Adobe Flash player update delivered as a drive-by download.”

—

Title: Worker who snuck NSA malware home had his PC backdoored, Kaspersky says
URL: https://arstechnica.com/information-technology/2017/10/worker-who-snuck-nsa-secrets-home-had-a-backdoor-on-his-pc-kaspersky-says/
Date: 25th October, 2017
Author: Dan Goodin
Excerpt: “The NSA worker’s computer ran a home version of Kaspersky AV that had enabled a voluntary service known as Kaspersky Security Network. When turned on, KSN automatically uploads new and previously unknown malware to company Kaspersky Lab servers. The setting eventually caused the previously undetected NSA malware to be uploaded to Kaspersky Lab servers, where it was then reviewed by a company analyst.”

—

Title: Attack of the week: DUHK
URL: https://blog.cryptographyengineering.com/2017/10/23/attack-of-the-week-duhk/
Date: 23rd October, 2017
Author: Matthew Green
Excerpt: “This work comes from Nadia Heninger, Shaanan Cohney and myself, and follows up on some work we’ve been doing to look into the security of pseudorandom number generation in deployed cryptographic devices.”

—

Title: APNIC Whois Database Password Hashes Were Available for Download
URL: https://www.bleepingcomputer.com/news/security/apnic-whois-database-password-hashes-were-available-for-download/
Date: 24th October, 2017
Author: Catalin Cimpanu
Excerpt: “The Asia-Pacific Network Information Centre (APNIC), the organization that manages domain name information for the Asia-Pacific region, fixed on Monday an error that exposed password hashes needed to access and edit domain ownership details. The incident came to light on October 12 this when eBay employee Chris Barcellos spotted password hashes inside downloadable Whois information. The researcher reached out to APNIC with the issue, and the company fixed the problem by the second day.”

—

Title: IoT_reaper: A Rappid Spreading New IoT Botnet
URL: http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/
Date: 20th October, 2017
Author: yegenshen
Excerpt: “On 2017-09-13 at 01:02:13, we caught a new malicious sample targeting IoT devices. Starting from that time, this new IoT botnet family continued to update and began to harvest vulnerable iot devices in a rapid pace. The bot borrowed some code from the famous mirai botnet, but it does not do any password crack all. Instead, it purely focuses on exploiting IoT device vulnerabilities. So, we name it IoT_reaper.”

—

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

ESB-2017.2679 – [Win][UNIX/Linux][Ubuntu] curl: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/53934
Brian Carpenter discovered that curl incorrectly handled IMAP FETCH response lines. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code.

—

ESB-2017.2710 – [Appliance] Rockwell Automation Stratix 5100: Access privileged data – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/54058
A Man-in-the-middle attack on Rockwell Automation wireless bridges could lead to takeover of industrial hardware.

—

ESB-2017.2670 – [Appliance] F5 products: Execute arbitrary code/commands – Remote with user interaction
ESB-2017.2671 – [Appliance] F5 BIG-IP products: Root compromise – Existing account
ESB-2017.2672 – [Appliance] F5 products: Access privileged data – Existing account
ESB-2017.2673 – [Appliance] F5 BIG-IP Products: Denial of service – Remote/unauthenticated
ESB-2017.2674 – [Appliance] F5 BIG-IP PEM: Access privileged data – Remote with user interaction
ESB-2017.2675 – [Appliance] F5 BIG-IP products: Unauthorised access – Existing account
ESB-2017.2687 – [Appliance] F5 products: Denial of service – Remote/unauthenticated
ESB-2017.2703 – [Appliance] F5 products: Multiple vulnerabilities
ESB-2017.2707 – [Appliance] F5 products: Denial of service – Remote/unauthenticated
ESB-2017.2715 – [Appliance] F5 BIG-IP products: Denial of service – Remote/unauthenticated
ESB-2017.2716 – [Appliance][Virtual] F5 BIG-IP products: Denial of service – Remote/unauthenticated
ESB-2017.2717 – [Appliance] F5 products: Denial of service – Remote/unauthenticated
ESB-2017.2718 – [Appliance][Virtual] F5 BIG-IP AAM and PEM: Denial of service – Remote/unauthenticated
ESB-2017.2719 – [Appliance][Virtual] F5 BIG-IP products: Execute arbitrary code/commands – Remote/unauthenticated
ESB-2017.2722 – [Appliance][Virtual] F5 BIG-IP products: Denial of service – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/53898
https://portal.auscert.org.au/bulletins/53902
https://portal.auscert.org.au/bulletins/53906
https://portal.auscert.org.au/bulletins/53910
https://portal.auscert.org.au/bulletins/53914
https://portal.auscert.org.au/bulletins/53918
https://portal.auscert.org.au/bulletins/53966
https://portal.auscert.org.au/bulletins/54030
https://portal.auscert.org.au/bulletins/54046
https://portal.auscert.org.au/bulletins/54078
https://portal.auscert.org.au/bulletins/54082
https://portal.auscert.org.au/bulletins/54086
https://portal.auscert.org.au/bulletins/54090
https://portal.auscert.org.au/bulletins/54094
https://portal.auscert.org.au/bulletins/54106
Several important F5 updates have been published this week.

—

Have a good weekend everyone. Firewalls up!
Anthony



AUSCERT Week in Review for 20th October 2017

AUSCERT Week in Review
20 October 2017

Greetings,

What a week for Information Security! With the new vulnerabilities revealed in WPA2 and the Infineon RSA algorithm, can we be certain that anything is truly secure any more? All eyes are on vendors and their responses to these potentially catastrophic security flaws. As we go forward, putting more of our trust and confidential data into computers, being able to respond to new vulnerabilities in a timely fashion is critical.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Millions of high-security crypto keys crippled by newly discovered flaw
URL: https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
Date: 16th October, 2017
Author: Dan Goodin
Excerpt: “A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.”

—

Title: Necurs Botnet malspam pushes Locky using DDE attack
URL: https://isc.sans.edu/forums/diary/Necurs+Botnet+malspam+pushes+Locky+using+DDE+attack/22946/
Date: 19th October, 2017
Author: Brad Duncan
Excerpt: “I’ve seen Twitter traffic today about malspam from the Necurs Botnet pushing Locky ransomware using Word documents as their attachments. These Word documents use the DDE attack technique, something I already wrote about in a previous diary covering Hancitor malspam on 2017-10-16.”

—

Title: Adobe rushes out fix for exploited Flash bug
URL: https://www.itnews.com.au/news/adobe-rushes-out-fix-for-exploited-flash-bug-475535
Date: 17th October, 2017
Author: Staff Writer
Excerpt: “The patch came after Kaspersky Lab said a group it was tracking, BlackOasis, used the previously unknown weakness on October 10 to plant FinSpy or FinFisher malware on computers before connecting them back to servers in Switzerland, Bulgaria and the Netherlands.”

—

Title: ACORN received almost 48k cyber-related reports in 2016-17
URL: http://www.zdnet.com/article/acorn-received-almost-48k-cyber-related-reports-in-2016-17/
Date: 20th October, 2017
Author: Asha McLean
Excerpt: “As revealed in the Connect Discover Understand Respond 2016-17 Annual Report from the Australian Criminal Intelligence Commission (ACIC), scams and online fraud were the highest reported incidents to ACORN, accounting for 51 percent of the 47,873 total.”

—

Title: Australian government details Govpass digital ID
URL: http://www.zdnet.com/article/australian-government-details-govpass-digital-id/
Date: 17th October, 2017
Author: Asha McLean
Excerpt: “The federal government has detailed what its digital identification solution will look like, outlining how citizens can apply for an optional Govpass in a video posted on YouTube.”

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

ESB-2017.2607 – ALERT [Appliance] Infineon RSA: Access privileged data – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/53570
A flaw in the Infineon RSA algorithm could result in keys that are factorisable in months instead of centuries.

—

ESB-2017.2602 – ALERT [Win][Linux][OSX] Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/53546
A newly-disclosed vulnerability in Adobe Flash affects all versions of the software, and has already been seen in the wild.

—

ESB-2017.2599 – ALERT [Win][UNIX/Linux][Appliance][Mobile] Wi-Fi Protected Access II (WPA2) devices: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/53534
A flaw discovered in the WPA protocol itself could affect billions of people, as the encryption protocol is used ubiquitously around the globe for WiFi networks.

Wishing you the best from AUSCERT and hope to see you next week.
Stay patched, stay safe.
Anthony



AUSCERT Week in Review for 13th October 2017

AUSCERT Week in Review
13 October 2017

Greetings,

As Friday 13th of October closes, all eyes are on Kaspersky and how it will manage.

The above reflection came out of one of the news articles that have capped off a solid week in bulletins, and we have included a few more articles of interest that have grabbed our attention. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Kaspersky Lab and the AV Security Hole
URL: https://www.darkreading.com/attacks-breaches/kaspersky-lab-and-the-av-security-hole/d/d-id/1330116
Date: 10 October 2017
Author: Jai Vijayan
Excerpt: “It’s unclear what happened in the reported theft of NSA data by Russian spies, but an attacker would need little help to steal if he or she had privileged access to an AV vendor’s network, security experts say.”

——-

Title: Microsoft Patches Office Bug Actively Being Exploited
URL: https://threatpost.com/microsoft-patches-office-bug-actively-being-exploited/128367/
Date: 10 October 2017
Author: Tom Spring
Excerpt: “Security experts are urging network administrators to patch a Microsoft Office vulnerability that has been exploited in the wild.”

——-

Title: Dumb bug of the week: Outlook staples your encrypted emails to, er, plaintext copies when sending messages
URL: https://www.theregister.co.uk/2017/10/11/outlook_smime_bug/
Date: 11 October 2017
Author: Iain Thomson
Excerpt: “Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond’s software that causes encrypted messages to be sent out with their unencrypted versions attached.”

——-

Title: Equifax Website Caught Serving Malicious Ads to Visitors
URL: https://www.forbes.com/sites/leemathews/2017/10/12/equifax-website-caught-serving-malicious-ads-to-visitors/
Date: 12 October 2017
Author: Lee Mathews
Excerpt: “It’s been just over a month since Equifax went public with news of a massive server breach that affected roughly half of the adult population of the United States and thousands more consumers in Canada and the U.K. Now, a security researcher has spotted an ad campaign spreading malware from the company’s website.”

——-

Title: Accentuate the negative: Accenture exposes data related to its enterprise cloud platform
URL: https://www.scmagazine.com/accentuate-the-negative-accenture-exposes-data-related-to-its-enterprise-cloud-platform/article/699636/
Date: 11 October 2017
Author: Bradley Barth
Excerpt: “Yet another company has mistakenly exposed its sensitive internal information after storing data on misconfigured cloud-based servers from Amazon Web Services. The culprit in this case – the $32.9 billion consulting and professional services company Accenture – was found to be insecurely storing data that, ironically, has to do with its own cloud-based enterprise solution, the Accenture Cloud Platform.”

——-

Title: Office 365 Adoption Picks Up Pace Amid Security Concerns
URL: https://www.infosecurity-magazine.com/news/office-265-adoption-picks-up-pace/
Date: 12 October 2017
Author: Tara Seals
Excerpt: “Adoption rates for Microsoft’s cloud-based, hosted productivity suite, Office 365, have increased significantly in the past 12 months; however, security concerns remain a barrier to adoption.”

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1. ASB-2017.0161 – ALERT [Win] Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/53282
Plenty to patch this Microsoft patch Tuesday.

2. ASB-2017.0159 – ALERT [Win] Microsoft Office: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/53274
MS Office, and there is an exploit out now.

3. ESB-2017.2561 – [Debian] wordpress: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/53382
WordPress has vulnerabilities; that is a lot of websites.

4. ESB-2017.2562 – [RedHat] thunderbird: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/53386
Thunderbirds are go!

5. ESB-2017.2591 – [SUSE] git: Execute arbitrary code/commands – Existing account
https://portal.auscert.org.au/bulletins/53498
Should I git onto patching this?

Wishing you the best from AUSCERT and hope to see you next week.
Stay patched, stay safe.
Peter



AUSCERT Week in Review for 6th October 2017

AUSCERT Week in Review
06 October 2017

Greetings,

As Friday 6th of October closes, the Equifax event highlights the need to have a patch management program in your organization. In that patch management program it is important to ensure that the risks of not patching get transferred as high up as possible and as soon as possible. So, should you not have a patch management program in place at this moment, next Monday may be a good time to set one up. It may be better to point the finger at best practices and frameworks for patch management now, than have the finger pointed at your staff later.

The above reflection came out of one of the news articles that have capped off a solid week in bulletins, and we have included a few more articles of interest that have grabbed our attention. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title:  Sole Equifax security worker at fault for failed patch, says former CEO
URL:    http://www.theregister.co.uk/2017/10/04/sole_security_worker_at_fault_for_equifax_fail_says_former_ceo/
Date:   October 4, 2017
Author: Simon Sharwood
Excerpt: “Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz’s IT security breach on a single member of the company’s security team.”

——-

Title:  Equifax failed to patch security vulnerability in March — testimony
URL:    https://www.reuters.com/article/equifax-breach/equifax-failed-to-patch-security-vulnerability-in-march-testimony-idUSL2N1MD0UQ
Date:   October 3, 2017
Author: David Shepardson
Excerpt: “Equifax Inc failed to patch a software security vulnerability after being alerted in March by the U.S. Homeland Security Department to the issue that led to hackers obtaining personal information from over 140 million Americans, the company’s former chief executive will tell Congress in written testimony made public Monday.”

——-

Title:  Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up
URL:    https://www.theregister.co.uk/2017/10/05/nurse_iot/
Date:   October 5, 2017
Author: John Leyden
Excerpt: “…Jelena Milosevic, who developed an interest in cybersecurity over the last three years, told attendees that the healthcare sector needs to work with infosec experts and manufacturers to sort out the emerging problem of the security risk posed by internet-connected medical kit.”

——-

Title:  So, Uh, That Billion-Account Yahoo Breach Was Actually 3 Billion
URL:    https://www.wired.com/story/yahoo-breach-three-billion-accounts/
Date:   October 3, 2017
Author: Lily Hay Newman
Excerpt: “When Yahoo disclosed in December that a billion (yes, billion) of its users’ accounts had been compromised in an August 2013 breach, it came as a staggering revelation. Now, 10 months later, the company would like to make a correction: That incident actually exposed three billion accounts—every Yahoo account that existed at the time.”

——-

Title:  Google’s October Android patches have landed: There’s a big fix for dnsmasq bug
URL:    http://www.zdnet.com/article/googles-october-android-patches-have-landed-theres-a-big-fix-for-dnsmasq-bug/
Date:   October 3, 2017
Author: Liam Tung
Excerpt: “Google has published its October Android security bulletin and is rolling out the OTA update to Nexus and Pixel devices. It’s also introduced a new way of handling its security bulletins. As usual it’s publishing a monthly Android security bulletin with details about a partial patch level and complete patch level, but it’s now introduced a new ‘Pixel/Nexus bulletin’ that documents additional bugs fixed in these devices.”

——-

Title:  Apple issues update to patch password vulnerabilities in High Sierra operating software
URL:    https://siliconangle.com/blog/2017/10/05/apple-releases-high-sierra-security-update-patch-password-vulnerabilities/
Date:   October 5, 2017
Author: Duncan Riley
Excerpt: “Apple Inc. has issued a security update for macOS High Sierra that patches a severe vulnerability identified in September that allows unsigned apps to capture plain-text passwords from the Mac keychain. The High Sierra 10.13 Supplemental Update actually fixes two security issues, the previously discovered security issue in the Mac keychain as well as a newly identified vulnerability that allows passwords to be accessed via the Apple File System, also known as APFS.”

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1. ASB-2017.0156 – [Android] Google Nexus devices: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/53034
Google Nexus devices were patched for remote code execution, elevation of privileges and accessing information from phones.

2. ESB-2017.2518 – [Appliance] Siemens 7KT PAC1200 Data Manager: Administrator compromise – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/53186
Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and perform administrative functions.

3. ESB-2017.2523 – [Appliance] IBM Netezza Analytics: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/53206
OpenSSL and zlib were patched in the IBM Netezza Analytics product.

4. ESB-2017.2521 – [Mac] Apple StorageKit and Apple Security: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/53198
A method existed for applications to bypass the keychain access prompt with a synthetic click; also, if a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint.

5. ESB-2017.2520 – [Ubuntu] ruby: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/53194
ruby allowed remote unauthenticated attackers to execute arbitrary code, cause a denial of service, overwrite arbitrary files and access confidential data.

Wishing you the best from AUSCERT and hope to see you next week.

Stay patched, stay safe.
Geoffroy


AUSCERT Week in Review for 27th September 2017

AUSCERT Week in Review
29th September 2017

Greetings,

As Friday 29th of September comes to a close, the big news is: AUSCERT is hiring. https://www.seek.com.au/job/34448215

Here is our summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Dark Web Drug Suspect Cuffed On Way to Beard Contest
URL: https://www.infosecurity-magazine.com/news/dark-web-drug-suspect-cuffed-beard/
Date: 28 September 2017
Author: Phil Muncaster
Excerpt: “A suspected dark web drug kingpin has been arrested in the US on the way to a beard-growing contest, it has emerged. Gal Vallerius, 38, was cuffed in Atlanta International Airport at the end of August en route from his home in France to the competition in Austin, Texas. Searching his laptop, border officials apparently found hundreds of thousands of dollars in Bitcoin, a Tor browser, and PGP keys linked to an “OxyMonster”. That name is used by an administrator and senior moderator on Dream Market: a typical darknet drugs marketplace.”

——-

Title: Mac High Sierra hijinks continue: Nasty apps can pull your passwords
URL: http://www.theregister.co.uk/2017/09/28/high_sierra_hijinks_continue_nasty_apps_can_pull_your_passwords/
Date: 28 September 2017
Author: Shaun Nichols
Excerpt: “Apple still hasn’t been able to seal up keychain access hole for unsigned applications. A security shortcoming in earlier versions of OS X has made its way into macOS High Sierra despite an expert’s best efforts to highlight the flaw. Patrick Wardle, of infosec biz Synack, found that unsigned, and therefore untrustworthy, applications running on High Sierra, aka macOS 10.13, were able to quietly access sensitive information – including stored passwords and keys – without any notification to the user. Normally, apps, even signed trusted ones, trigger a prompt to appear on screen when touching the operating system’s Keychain database of saved passphrases and other secrets.”

——-

Title: Android unlock patterns are too easy to guess, stop using them
URL: https://nakedsecurity.sophos.com/2017/09/28/android-unlock-patterns-are-too-easy-to-guess-stop-using-them/
Date: 28 September 2017
Author: Lisa Vaas
Excerpt: “Let’s start with some things we knew already: people are really bad at creating and remembering secure passwords and PINs. We’re also bad at choosing and answering password recovery questions. Most of us can’t even cook up an unlock pattern for our Androids that’s not crazy easy to predict, be it by shoulder-surfing or the tell-tale streaks we leave with our greasy fingers. Now, a new report (PDF) from security researchers at the US Naval Academy and the University of Maryland Baltimore County has quantified just how absurdly easy it is to do an over-the-shoulder glance that accurately susses out an Android unlock pattern.”

——-

Title: Deloitte Hit by Cyber-Attack Revealing Clients’ Secret Emails
URL: https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails
Date: 25 September 2017
Author: Nick Hopkins
Excerpt: “Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months. Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments.”

——-

Title: US Plans to Collect Social Media Info From Permanent Residents, Naturalized Citizens
URL: https://www.bleepingcomputer.com/news/government/us-plans-to-collect-social-media-info-from-permanent-residents-naturalized-citizens/
Date: 26 September 2017
Author: Catalin Cimpanu
Excerpt: “The US Department of Homeland Security (DHS) published documents on Monday that detail a plan for collecting extra information on all US immigrants, including not only permanent residents but also previously naturalized citizens. According to a notice of modification to the 1974 Privacy Act System of Records, the DHS wants to collect extra information such as “social media handles, aliases, associated identifiable information, and search results.” The data will be used to expand the DHS’ database on US immigrants with new information that would allow for easier tracking of immigrants, but also Americans who obtained official citizenship years or decades before.”

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2017.2425 – [OSX] macOS: Multiple vulnerabilities
It’s time to patch your Mac! The most severe vulnerability addressed could allow a malicious application to execute arbitrary code with system privileges.

2. ESB-2017.2436 – ALERT [Linux][RedHat] kernel: Root compromise – Existing account
This Linux PIE/stack corruption (CVE-2017-1000253) was an existing two-year-old bug in the Linux kernel. Qualys published a detailed analysis including demonstration of a proof-of-concept to exploit the vulnerability – https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt

3. ESB-2017.2444 – ALERT [Cisco] Cisco IOS and IOS XE: Multiple vulnerabilities
Make plans to patch your Cisco network appliances. Many subsystems of IOS are impacted; of particular note is CVE-2017-12240.

4. ASB-2017.0155 – [Win][UNIX/Linux] Mozilla Firefox: Multiple vulnerabilities
Mozilla has rated the security vulnerabilities fixed in Firefox 56 as critical.

Wishing you the best from AUSCERT and stay safe,
Danny


AUSCERT Week in Review for 22nd September 2017

AUSCERT Week in Review
22 September 2017

Greetings,

As Friday 22nd of September comes to a close, the big news is: AUSCERT is hiring! Apply here: https://www.seek.com.au/job/34448215

Here is our weekly summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: CCleaner malware spread via supply chain attack
URL: http://searchsecurity.techtarget.com/news/450426573/CCleaner-malware-spread-via-supply-chain-attack
Date: 19 September 2017
Author: Michael Heller
Excerpt: “CCleaner malware was spread to users via an infected software update for close to one month, highlighting the dangers of supply chain attacks and the need for code signing. The CCleaner malware gathered information about systems and transmitted it to a command and control (C&C) server; it was reportedly downloaded by users for close to one month from Aug. 15 to Sept. 12, according to Morphisec. However, Avast noted that the CCleaner malware was limited to running on 32-bit systems and would only run if the affected user profile had administrator privileges.”

——-

Title: Apache “Optionsbleed” vulnerability – what you need to know
URL: https://nakedsecurity.sophos.com/2017/09/19/apache-optionsbleed-vulnerability-what-you-need-to-know/
Date: 19 September 2017
Author: Paul Ducklin
Excerpt: “Remember Heartbleed? … Well, something similar has happened again. This time, the bug isn’t in OpenSSL, but in a program called httpd, probably better known as the Apache Web Server, and officially called the Apache HTTP Server Project. The vulnerability has been dubbed OptionsBleed, because the bug is triggered by making HTTP OPTIONS requests.”

——-

Title: Here’s What Your Identity Sells For on the Dark Web
URL: https://www.bloomberg.com/news/articles/2017-09-15/equifax-hack-your-social-security-and-identity-are-for-sale
Date: 15 September 2017
Author: Suzanne Woolley
Excerpt: “How much is your personal data worth to you? A lot. (Thanks, Equifax.) And how much is it worth to an identity thief? You may be surprised, or insulted, or enraged, to find out.”

——-

Title: Internet Providers Possibly Involved in FinFisher Surveillance Operations: Report
URL: http://www.securityweek.com/internet-providers-possibly-involved-finfisher-surveillance-operations-report
Date: 21 September 2017
Author: Ionut Arghire
Excerpt: “New campaigns featuring the infamous FinFisher spyware are using a previously unseen infection vector, strongly suggesting that Internet service providers (ISPs) might be involved in the distribution process, ESET security researchers warn. Also known as FinSpy, the malware has been around for over half a decade and is being sold exclusively to governments and their agencies worldwide for surveillance purposes. The use of this lawful interception solution has increased, and researchers observed it earlier this month abusing a .NET framework zero-day tracked as CVE-2017-8759 for distribution.”

——-

Title: Government promises $50 million boost to security research
URL: https://www.computerworld.com.au/article/627667/government-promises-50-million-boost-to-security-research/
Date: 22 September 2017
Author: Rohan Pearce
Excerpt: “The government will invest $50 million over seven years to help establish an industry-led Cyber Security Cooperative Research Centre (CRC). The government said that cash and in-kind contributions of more than $89 million towards the CRC had been pledged by 25 industry, research and government partners.”

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2017.2369 – ALERT [Win][UNIX/Linux][Ubuntu] apache2-bin: Access privileged data – Remote/unauthenticated
“..the Apache HTTP Server incorrectly handled Limit directives in .htaccess files. In certain configurations, a remote attacker could possibly use this issue to read arbitrary server memory, including sensitive information. This issue is known as Optionsbleed.”

2. ASB-2017.0151 – [Win][UNIX/Linux] WordPress: Multiple vulnerabilities
Two of the big three CMS released major patch updates this week – Joomla! and WordPress. WordPress vulnerabilities include multiple cross-site scripting, path traversal, open redirect and a potential SQL injection via plugins and themes.

3. ASB-2017.0152.2 – UPDATE [Win][UNIX/Linux] Joomla!: Access privileged data – Remote/unauthenticated
AUSCERT recommends members avoid using Joomla! because of its history of serious vulnerabilities including this latest round.

4. ESB-2017.2398 – ALERT [UNIX/Linux][Ubuntu] samba: Multiple vulnerabilities
Vendors and Linux distributions were quick to release patches for the latest samba vulnerabilities. A man-in-the-middle attack can potentially read and alter documents transferred via a client connection. Also, a client with write access to a share can cause the server memory contents to be written to a file or printer.

5. ASB-2017.0154 – [Win][Linux][OSX] Google Chrome: Multiple vulnerabilities
Update your Google Chrome and Apple Safari browsers before you surf the web this weekend. Both Google Chrome and Apple Safari have addressed vulnerabilities in their latest updates.

Wishing you the best from AUSCERT and stay safe,
Danny


AUSCERT Week in Review for 15th September 2017

AUSCERT Week in Review
15th September 2017

Greetings,

As Friday 15th of September comes to a close, we are looking forward to having as many people as possible answering the 2017 Cyber Security Survey – last chance to submit!

Public awareness of cyber-crime has never been higher, but is that translating to business readiness? For the second consecutive year, AUSCERT and BDO are delivering the Cyber Security Survey. By taking part you will gain direct access to our survey report in November. This contains valuable data allowing you to compare your business’ current cyber security efforts with trends in your industry sector.

Time is running out! Complete the survey and go in the draw to win one of three Apple Watches.* The survey closes at midnight on Friday, 15 September 2017. The survey is anonymous and takes 15 minutes to complete.
https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey?utm_medium=Email&utm_source=AUSCERT

* Refer to the website for competition terms and conditions.
https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey/terms

This is all topped off with numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: US govt bans Kaspersky products
URL: https://www.itnews.com.au/news/us-govt-bans-kaspersky-products-473254
Date: 14 Sep 2017
Author: Dustin Volz
Excerpt: “Orders purge amid concern about Kremlin influence. The Trump administration has told United States government agencies to remove Kaspersky Lab products from their IT systems, saying it was concerned the Moscow-based cyber security firm is vulnerable to Kremlin influence.”

——-

Title: BlueBorne: Bluetooth bug could expose billions of devices to attack, cyber experts warn
URL: http://www.abc.net.au/news/2017-09-13/bluetooth-bug-could-expose-billions-of-devices-to-attack/8942378
Date: 14 Sep 2017
Author: George Roberts
Excerpt: “Internet security experts are urging people to update their software to protect against a serious vulnerability, which if exploited could spread uncontrollably via the common wireless technology bluetooth.”

——-

Title: Microsoft patches zero-day used to install police spyware
URL: https://www.itnews.com.au/news/microsoft-patches-zero-day-used-to-install-police-spyware-473176
Date: 13 Sep 2017
Author: Juha Saarinen
Excerpt: “.NET framework flaw exploited. Microsoft’s regular Patch Wednesday round of security updates for Windows has closed a bug that left computers open to malware installed by law enforcement agencies.”

——-

Title: Zerodium offering $1M for TOR browser zero Days
URL: https://threatpost.com/zerodium-offering-1m-for-tor-browser-zero-days/127959/
Date: 13 Sep 2017
Author: Chris Brook
Excerpt: “The exploit acquisition vendor Zerodium is doubling down again. Weeks after the company said it would pay $500,000 for zero days in private messaging apps such as Signal and WhatsApp, Zerodium said Wednesday it will pay twice that for a zero day in Tor Browser.”

——-

Title: Equifax’s Mega-Breach Was Made Possible by a Website Flaw It Could Have Fixed
URL: http://fortune.com/2017/09/14/equifax-data-breach-security-apache-struts/
Date: 14 Sep 2017
Author: David Meyer
Excerpt: “Good website security is tough, but the consequences of bad website security can be far tougher. That appears to be one of the big lessons coming out of the debacle surrounding Equifax’s mega-breach, which has “humbled” the credit-reporting giant.”

——-

Title: Edward Snowden offers mixed review on Apple’s Face ID
URL: https://www.cnet.com/news/edward-snowden-offers-mixed-review-on-apples-face-id/
Date: 12 Sep 2017
Author: Steven Musil
Excerpt: “The new facial recognition system sports a “robust” design but may normalize technology that is ripe for abuse, the NSA leaker tweets.”

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2017.2298 – [Linux][RedHat] kernel: Execute arbitrary code/commands – Remote/unauthenticated
Bluetooth was not designed with security in mind.

2. ASB-2017.0148 – [Win] Microsoft .NET Framework: Execute arbitrary code/commands – Remote with user interaction
Was this the vulnerability that was allegedly used by law enforcement?

3. ESB-2017.2296 – [RedHat] chromium-browser: Multiple vulnerabilities
The browser, a window to a world.

4. ESB-2017.2331 – [Ubuntu] tcpdump: Multiple vulnerabilities
A reminder to keep your tools up to date as well as your OS.

Wishing you the best from AUSCERT and stay safe,
Peter


Collecting Electronic Evidence After a System Compromise

Collecting Electronic Evidence After a System Compromise [Historical article: first published on August 2nd, 2001] Author: Matthew Braid, AUSCERT, 2001 Collecting forensic evidence for the purposes of investigation and/or prosecution is difficult at the best of times, but when that evidence is electronic an investigator faces extra complexities. Generally, electronic evidence has none of the permanence that conventional evidence has, and is more difficult to present in a way that can be readily understood. The purpose of this paper is to highlight these difficulties and to suggest strategies to overcome them. Note that no legal advice is given here – different regions have different legislation. This paper will not address everything you need to know for your particular circumstances – it is a guide only. Always seek further information, including legal advice, for your specific circumstances. Obstacles Electronic crime is difficult to investigate and prosecute – often investigators have to build their case purely on any records left after the transactions have been completed. Add to this the fact that electronic records are extremely (and sometimes transparently) malleable and that electronic transactions currently have fewer limitations than their paper-based counterparts and you get a collection nightmare. Computer transactions are fast – they can be conducted from anywhere, through anywhere, to anywhere; they can be encrypted or anonymous and generally have no intrinsic identifying features such as handwriting and signatures to identify those responsible. Any `paper trail’ of computer records they may leave can be easily modified or destroyed or may exist only temporarily. Worse still, auditing programs may automatically destroy the records left when they are finished with them. Because of this, even if the details of the transactions can be retained or restored it is very difficult to tie the transaction to a person. 
Identifying information such as passwords, PIN numbers, or any other electronic identifier will not prove who did it – it merely shows that the attacker knew or was able to defeat those identifiers. Currently there is nothing that can be considered a true electronic signature for the purpose of criminal law in the same way that DNA or fingerprints do for other criminal investigations. Even though technology is constantly evolving, investigating electronic crimes will always be more difficult due to the ability to alter data easily and because transactions may occur anonymously or deceptively. The best you can do is follow the rules of evidence collection as assiduously as possible. Why Collect Electronic Evidence? Given these obstacles, why bother collecting the evidence in the first place? There are two main reasons – future prevention and responsibility. Future Prevention Collecting electronic evidence involves investigating how the attack occurred. Without knowing what happened an organisation remains vulnerable to this type of attack and has little hope of stopping further attacks (including from the original attacker). It would be analogous to being defrauded for a large sum of money and not bothering to determine how the fraud was perpetrated. Even though the cost of collection can be high, the cost of repeatedly recovering from compromises is much higher, both in monetary and corporate image terms. Responsibility There are two responsible parties after an attack – the attacker and the victim. The attacker is responsible for the damage done and the only way to bring them to justice, to seek recompense and to deter further attacks is to convict them with adequate evidence to prove their actions. Victims also have an ethical, if not legal, responsibility to the community. Sites that have been compromised and used to launch attacks against third parties may find that they – not the attacker – are sued for liability for the attack. 
The grounds for such a lawsuit might be that by failing to comply with the accepted minimum standards in network security they acted negligently. Public companies have a particular responsibility to their shareholders to ensure that business continuity and data confidentiality and integrity are not compromised. Victims may also have a legal obligation to perform an analysis of evidence collected, for instance if the attack on their system was part of a larger attack. For ethical reasons, some victims may see merit in sharing information gathered after a compromise with others to prevent further attacks. Collection Options Once a compromise has been detected you have two options – pull the system off the network and begin collecting evidence or leave it online and attempt to monitor the intruder. Both have their advantages and disadvantages. Monitoring may accidentally alert the intruder and cause them to wipe their tracks, destroying evidence as they go. If you disconnect the system from the network you may later find that you have insufficient evidence or, worse that the attacker left a `dead man switch’ that destroys any evidence once the system detects that it is offline. How you respond should be based on the situation. The “Collection and Archiving” section below contains information on what to do in each case. Types of Evidence Before you start collecting evidence it is important to know the different types of evidence categories. Without taking these into consideration you may find that the evidence you’ve spent several weeks and quite a bit of money collecting is useless. Real Evidence Real evidence is any evidence that speaks for itself without relying on anything else. In electronic terms, this can be a log produced by an audit function, provided that the log can be shown to be free from contamination. Testimonial Evidence Testimonial evidence is any evidence supplied by a witness. 
This type of evidence is subject to the perceived reliability of the witness, but as long as a witness is considered reliable, testimonial evidence can be useful and almost as powerful as real evidence. Written statements by a witness can be considered testimonial as long as the author is willing to state that they wrote it. Hearsay Hearsay is any evidence presented by a person who was not a direct witness. Written statements by someone without direct knowledge of the incident are hearsay. Hearsay is generally inadmissible in court and should be avoided. The Five Rules of Evidence In order for evidence to be considered useful, it must have the following properties: 1. Admissible This is the most basic rule – the evidence must be able to be used in court or elsewhere. Failure to comply with this rule is equivalent to not collecting the evidence in the first place, except the cost is higher. 2. Authentic If you can’t tie the evidence positively to the incident, you can’t use it to prove anything. You must be able to show that the evidence relates to the incident in a relevant way. 3. Complete It’s not enough to collect evidence that just shows one perspective of the incident. Not only should you collect evidence that can help prove the attacker’s actions but for completeness it is also necessary to consider and evaluate all evidence available to the investigators and retain that which may contradict or otherwise diminish the reliability of other potentially incriminating evidence held about the suspect. Similarly, it is vital to collect evidence that eliminates alternative suspects. For instance, if you can show the attacker was logged in at the time of the incident, you also need to show who else was logged in and demonstrate why you think they didn’t do it. This is called Exculpatory Evidence and is an important part of proving a case. 4. Reliable Your evidence collection and analysis procedures must not cast doubt on the evidence’s authenticity and veracity. 5. 
Believable The evidence you present should be clear, easy to understand and believable by a jury. There’s no point presenting a binary dump of process memory if the jury has no idea what it all means. Similarly, if you present them with a formatted version that can be readily understood by a jury, you must be able to show the relationship to the original binary, otherwise there’s no way for the jury to know whether you’ve faked it. Using these five rules, we can derive some basic dos and don’ts. 1. Minimise Handling/Corruption of Original Data Once you’ve created a master copy of the original data, don’t touch it or the original itself – always handle secondary copies. Any changes made to the originals will affect the outcomes of any analysis later done to copies. You should make sure you don’t run any programs that modify the access times of all files (such as tar and xcopy), remove any external avenues for change and in general analyse the evidence after it’s been collected. 2. Account for Any Changes and Keep Detailed Logs of Your Actions Sometimes evidence alteration is unavoidable. In these cases it is absolutely essential that the nature, extent and reasons for the changes be documented. Any changes at all should be accounted for – not just data alteration, but physical alteration of the originals (for instance the removal of hardware components) as well. 3. Comply with the Five Rules of Evidence The five rules are there for a reason. If you don’t follow them you are probably wasting your time and money. Following these rules is essential to guarantee successful evidence collection. 4. Do Not Exceed Your Knowledge If you don’t fully understand what you are doing, then it will be more difficult to account for any changes you make and you may not be able to describe what exactly you did. If you find yourself out of your depth and if time is available learn more before continuing otherwise find someone who knows the territory. 
Never soldier on regardless – you will just damage your case. 5. Follow Your Local Security Policy and Obtain Written Permission During the course of your investigation you may be required to access and copy sensitive data or obtain statements from system users in which case there will be staff management issues to consider. Before commencing your investigation, it is important to ensure you have obtained written and signed permission to proceed and have clear instructions as to the scope of your investigation. Without clear authority to proceed, your actions may be, or be perceived to be, in breach of your company’s security policy and you may find yourself personally accountable as a result. If in doubt, talk to those that know, including obtaining the necessary legal advice. It is also recommended that your organisation develop appropriate policies and procedures for collecting electronic evidence so that they are in place prior to an incident occurring. This will significantly stream line the process and save valuable time before evidence is lost. 6. Capture as Accurate an Image of the System as Possible This is related to point 1 – differences between the original system and the master copy count as a change to the data. You must be able to account for the differences. 7. Be Prepared to Testify If you’re not willing to testify about the evidence you have collected, you might as well stop before you start. Without the collector of the evidence being there to validate the documents created during the evidence collection process it becomes hearsay and inadmissible. Remember that you may need to testify at a later time. 8. Ensure Your Actions are Repeatable No one is going to believe you if they can’t replicate your actions and reach the same results. This also means that your plan of action shouldn’t be based on trial-and-error. 9. Work Fast The faster you work, the less likely the data is going to change. 
Volatile evidence (see below) may vanish entirely if you don’t collect it in time. This is not to say you should rush – you must still collect accurate data and keep a record of your actions as you go. If multiple systems are involved, work on them in parallel (a team of investigators would be handy here), but each single system should still be worked on methodically. Automation of certain tasks makes collection proceed even faster. 10. Proceed From Volatile to Persistent Evidence Some electronic evidence is more volatile than others. Because of this, you should always try to collect the most volatile evidence first. 11. Don’t Shutdown Before Collecting Evidence You should never shutdown a system before you collect the evidence. Not only will you lose volatile evidence but the attacker may have trojaned the startup and shutdown scripts, Plug-and-Play devices may alter the system configuration and temporary file systems may be wiped. Rebooting is even worse because it may result in further loss of evidence and should be avoided at all costs. As a general rule, until the compromised disk is finished with and restored it should never be used as a boot disk. 12. Don’t Run Any Programs on the Affected System Since the attacker may have left trojaned programs and libraries on the system, you may inadvertently trigger something that could change or destroy the evidence you’re looking for. Any programs you use should be on read-only media (such as a CD-ROM or a write-protected floppy disk), and should be statically linked. Volatile Evidence Not all the evidence on a system will last for extended periods of time. Some evidence resides in storage (i.e. volatile memory) only while there is a consistent power supply; other evidence stored is continuously changing. When collecting evidence, always try to proceed from most volatile to least volatile and from most critical to least critical machines/systems. 
For example, don’t waste time extracting information from an unimportant machine’s main memory when an important machine’s secondary memory hasn’t been examined. To determine what evidence to collect first, draw up an Order of Volatility – a list of evidence sources ordered by relative volatility. An example Order of Volatility would be:

1. Registers and Cache
2. Routing Tables
3. Arp Cache
4. Process Table
5. Kernel Statistics and Modules
6. Main Memory
7. Temporary File Systems
8. Secondary Memory
9. Router Configuration
10. Network Topology

Once you have collected the raw data from volatile sources you may be able to shut down the system.

General Procedure

When collecting and analysing evidence there is a four-step procedure you should follow. Note that this is a very generic outline – it may be necessary to customise the procedures to suit your situation.

Identification of Evidence

You must be able to distinguish between evidence and junk data. For this purpose you should know what the data is, where it is and how it is stored. Once this is done you will be able to determine the best way to retrieve and store any evidence found.

Preservation of Evidence

The evidence found must be preserved as close as possible to its original state. Any changes made during this phase must be documented and justified.

Analysis of Evidence

The stored evidence must then be analysed to extract the relevant information and to recreate the chain of events. Always be sure that the people who are analysing the evidence are fully qualified to do so.

Presentation of Evidence

Communicating the meaning of your evidence is vitally important – otherwise you can’t do anything with it. It should be technically correct, credible and easily understood by persons with a non-technical background. A good presenter can help in this respect.
Collection and Archiving

Once you’ve developed a plan of attack and identified the evidence that needs to be collected, it’s time to start capturing the data. Storage of that data is also important as it can affect how the data is perceived.

Logs and Logging

You should be running some kind of system logging function. It is important to keep these logs secure and to back them up periodically. Since logs are usually automatically timestamped, a simple copy should suffice, although you should digitally sign and encrypt logs that are important to protect them from contamination. Remember that if the logs are kept locally on the compromised machine they are susceptible to alteration or deletion by an attacker. Having a remote syslog server and storing logs in a ‘sticky’ directory can reduce this risk, although it is still possible for an attacker to add decoy or junk entries into the logs.

Regular auditing and accounting of your system is useful not only for detecting intruders but also as a form of evidence. Messages and logs from programs such as Tripwire can be used to show what an attacker did. Of course, you need a clean snapshot for these to work, so there’s no use trying it after the compromise.

Monitoring

Monitoring network traffic can be useful for many reasons – you can gather statistics, watch for irregular activity (and possibly stop an intrusion before it happens) and trace where an attacker enters and what they do. Monitoring logs as they are created may show important information that might subsequently be deleted by the attacker. This doesn’t mean that reviewing the logs later is not worthwhile – it may be what’s missing from the logs that is suspicious.

Information gathered while monitoring network traffic can be compiled into statistics to define normal behaviour for your system. These statistics can be used as an early warning of an attacker’s presence and actions. You can also monitor the actions of your users.
This can, once again, act as an early warning system – unusual activity (such as unsuccessful attempts to su to root) or the sudden appearance of unknown users warrants closer inspection.

No matter the type of monitoring done, you should be very careful – there are plenty of laws you could inadvertently break. In general you should limit your monitoring to traffic or user information and leave the content unmonitored unless the situation necessitates it. You should also display a disclaimer stating what monitoring is done when users log on. The content of this should be worked out in conjunction with your lawyer.

Methods of Collection

There are two basic forms of collection – ‘freezing the scene’ and ‘honeypotting’. The two aren’t mutually exclusive – you can collect frozen information after or during any honeypotting.

Freezing the scene involves taking a snapshot of the system in its compromised state. The necessary authorities should be notified (for instance the police and your incident response and legal teams) but you shouldn’t go out and tell the world just yet. You should then start to collect whatever data is important onto removable non-volatile media in a standard format and make sure that the programs and utilities used to collect the data are also collected onto the same media as the data. All data collected should have a cryptographic message digest created and those digests should be compared to the original for verification.

Honeypotting is the process of creating a replica system and luring the attacker into it for further monitoring. A related method – sandboxing – involves limiting what the attacker can do while still on the compromised system so they can be monitored without much further damage. The placement of misleading information and the attacker’s response to it is a good method for determining the attacker’s motives.
You must make sure that any data on the system that refers to the attacker’s detection and actions is either removed or encrypted; otherwise they can cover their tracks by destroying it. Honeypotting and sandboxing are extremely resource intensive, so may be infeasible to perform. There are also some legal issues to consider, most importantly entrapment. As before – obtain legal advice.

Artefacts

Whenever a system is compromised, there is almost always something left behind by the attacker – be it code fragments, trojaned programs, running processes or sniffer log files. These are known as artefacts. They are one of the important things you should be collecting, but you must be careful. You should never attempt to analyse an artefact on the compromised system. They could do anything and you want to make sure their effects are controlled.

Artefacts may be difficult to find. Trojaned programs may be identical in all obvious ways to the originals (file size, MAC times etc). Use of cryptographic checksums may be necessary to determine whether files have been modified, so you may need to know the original file’s checksum. If you are performing regular File Integrity Assessments, this shouldn’t be a problem. Analysis of artefacts can be useful in finding other systems the attacker (or their tools) has broken into.

Collection Steps

We now have enough information to build a step-by-step guide for the collection of the evidence. Once again this is only a guide – you should customise it to your specific situation.

1. Find the Evidence

Determine where the evidence you are looking for is stored. Use a checklist – not only does it help you to collect it, but it can be used to double-check that everything you are looking for is there.

2. Find the Relevant Data

Once you’ve found the evidence, you must identify what is relevant to the case. In general you should err on the side of over-collection, but you must remember that you have to work fast.

3. Create an Order of Volatility

Now that you know exactly what to gather, work out the best order to gather it. Following the Order of Volatility for your system ensures that you minimise loss of uncorrupted evidence.

4. Remove External Avenues of Change

It is essential that you avoid alterations to the original data. Preventing tampering with the evidence helps you to create as exact an image as possible, although you have to be careful: if you disconnect the system from the network, the attacker may have left a dead man’s switch. In the end you should try and do as much as possible.

5. Collect the Evidence

You can now start to collect the evidence using the appropriate tools for the job. As you go, re-evaluate the evidence you’ve already collected. You may find that you missed something important. Now is the time to make sure you get it.

6. Document Everything

Your collection procedures may be questioned later, so it is important that you document everything that you do. Timestamps, digital signatures and signed statements are all important – don’t leave anything out!

Controlling Contamination – The Chain of Custody

Once the data has been collected it must be protected from contamination. Originals should never be used in forensic examination – verified duplicates should be used. This not only ensures that the original data remains clean, but also enables examiners to try more ‘dangerous’, potentially data-corrupting tests. Of course, any tests done should be done on a clean, isolated host machine – you don’t want to make the problem worse by letting the attacker’s programs get access to a network.

A good way of ensuring data remains uncorrupted is to keep a Chain of Custody. This is a detailed list of what was done with the original copies once they were collected. Remember that this will be questioned later on, so document everything. Record who found the data, when and where it was transported (and how), who had access to it and what they did with it.
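The message-digest check described under ‘freezing the scene’, the checksum comparison used to spot modified files under Artefacts, and the Chain of Custody record above can be tied together in one small tool. The following is an added Python example, not code from the AUSCERT article or its references: it hashes collected files into a manifest, checks a working duplicate against that manifest before examination, and keeps a custody log whose entries each carry the hash of the previous entry (that hash chain is an added design choice, not something the article prescribes). File names, log contents and the people named are constructed sample values.

```python
"""Evidence integrity manifest and chain-of-custody record (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so disk images need not fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_copy(manifest, root):
    """Check a duplicate against the manifest: returns (modified, missing, added)."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return modified, missing, added


class CustodyLog:
    """Append-only custody record: who, when (UTC), what, evidence digest.

    Each entry includes the SHA-256 of the previous entry, so editing or
    removing an earlier entry breaks every later link (added design choice).
    """

    def __init__(self):
        self.entries = []

    def record(self, who, action, item, digest, when=None):
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"who": who, "when": when.isoformat(), "action": action,
                "item": item, "digest": digest, "prev": prev}
        canon = json.dumps(body, sort_keys=True).encode()
        body["entry_hash"] = hashlib.sha256(canon).hexdigest()
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self):
        """Recompute every link; return index of the first bad entry, or -1 if intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["entry_hash"]:
                return i
            prev = e["entry_hash"]
        return -1


def demo():
    """Collect constructed evidence, duplicate it, alter the duplicate, and detect it."""
    original = tempfile.mkdtemp(prefix="evidence_orig_")
    duplicate = tempfile.mkdtemp(prefix="evidence_copy_")
    # Constructed sample evidence: a log file and a suspicious script.
    sample = {"var/log/auth.log": b"Jan 10 03:12:01 host sshd[221]: Failed password for root\n",
              "tmp/.x": b"#!/bin/sh\n# constructed artefact\n"}
    for rel, data in sample.items():
        for root in (original, duplicate):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
    manifest = build_manifest(original)
    log = CustodyLog()
    for rel, digest in manifest.items():
        log.record("A. Analyst (constructed)", "collected to write-once media", rel, digest)
    # Contaminate the working copy the way an attacker's cleanup would: blank the log.
    with open(os.path.join(duplicate, "var/log/auth.log"), "wb") as f:
        f.write(b"\n")
    modified, missing, added = verify_copy(manifest, duplicate)
    log.record("B. Examiner (constructed)", "verified duplicate before analysis", "all", "")
    return modified, missing, added, log.verify()


if __name__ == "__main__":
    print(demo())
```

The manifest and the custody log are what you would write to the same removable media as the evidence, alongside the tools used; a digital signature over the manifest (which the article recommends for important logs) adds an identity to the integrity check that the bare digests provide.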
You may find that your documentation ends up greater than the data you collected, but it is necessary to prove your case.

Analysis

Once the data has been successfully collected it must be analysed to extract the evidence you wish to present and to rebuild what actually happened. As for other procedures, make sure you fully document everything you do – your work will be questioned and you must be able to show that your results are consistently obtainable from the procedures you performed.

Time

To reconstruct the events that led to your system being corrupted you must be able to create a timeline. This can be particularly difficult when it comes to computers – clock drift, delayed reporting and differing time zones can create confusion in abundance. One thing to remember is to never change the clock on an affected system. Record any clock drift and the time zone in use as you will need this later, but changing the clock just adds an extra level of complexity that is best avoided.

Log files usually use timestamps to indicate when an entry was added and these must be synchronised to make sense. You should also use timestamps – you’re not just reconstructing events, you are contributing to the chain of events that must be accounted for as well. It’s best to use the GMT (UTC) time zone when creating your timestamps – the incident may involve time zones other than your own, so using a common reference point will make things much easier.

Forensic Analysis of Back-Ups

When analysing backups, it is best to have a dedicated host for the job. This examination host should be secure, clean (a fresh, hardened install of the operating system is a good idea), and isolated from any network – you don’t want it tampered with while you work and you don’t want to accidentally contaminate others. Once this system is available, you can commence analysis of the backups. Making mistakes at this point shouldn’t be a problem – simply restore the backups again if required.
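The Time section above says to record each host’s clock drift and time zone rather than touch its clock, and to build the timeline in UTC. The following added Python example (not from the article) does exactly that normalisation: each host’s recorded offset and measured drift are applied to its local log timestamps, and the corrected events are merged into one UTC timeline. The host names, offsets, drift values and syslog-style lines are all constructed; drift is taken as host clock minus true time, in seconds, as measured during collection.

```python
"""Merge logs from hosts in different zones, with known clock drift, into a UTC timeline."""
from datetime import datetime, timedelta, timezone

# Per-host facts recorded at collection time (constructed values):
# UTC offset of the host's local clock and its measured drift in seconds
# (positive means the host clock runs ahead of true time).
HOSTS = {
    "web01": {"offset_hours": 10, "drift_seconds": 90},  # e.g. UTC+10, no DST; clock 90 s fast
    "db01":  {"offset_hours": 0,  "drift_seconds": -30}, # UTC; clock 30 s slow
}

# Constructed log lines in the form "<host> <local date> <local time> <message>".
RAW_LOGS = [
    "web01 2017-08-30 13:05:30 sshd[4120]: Accepted password for admin from 203.0.113.7",
    "db01 2017-08-30 03:04:55 mysqld: Access denied for user 'root'@'10.0.0.5'",
    "web01 2017-08-30 13:06:10 sudo: admin : TTY=pts/0 ; COMMAND=/bin/bash",
    "db01 2017-08-30 03:05:40 mysqld: Query OK, 0 rows affected (dump started)",
]


def parse_line(line):
    """Split a constructed log line into (host, naive local datetime, message)."""
    host, date, clock, message = line.split(" ", 3)
    return host, datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), message


def to_utc(host, naive_local):
    """Attach the host's zone, remove its drift, and express the instant in UTC."""
    info = HOSTS[host]
    aware = naive_local.replace(tzinfo=timezone(timedelta(hours=info["offset_hours"])))
    corrected = aware - timedelta(seconds=info["drift_seconds"])
    return corrected.astimezone(timezone.utc)


def build_timeline(lines):
    """Return (utc_time, host, message) tuples in true chronological order."""
    events = [(to_utc(h, ts), h, msg) for h, ts, msg in map(parse_line, lines)]
    return sorted(events)  # time first; host name breaks exact ties


def format_timeline(lines):
    """Render the timeline as 'YYYY-MM-DDTHH:MM:SSZ host message' strings."""
    return [f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {h} {m}" for t, h, m in build_timeline(lines)]


if __name__ == "__main__":
    for row in format_timeline(RAW_LOGS):
        print(row)
```

Sorting the raw local timestamps would place both db01 entries before both web01 entries; after correction the ssh login and the sudo on web01 precede the failed database login on db01 by roughly a minute, which is the order an analyst needs to see. Keep the original lines untouched alongside the corrected ones, since the correction itself is a step that must be documented.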
Remember the mantra – document everything you do. Ensure that what you do is not only repeatable, but that you always get the same results.

Reconstructing the Attack

Now that you have collected the data, you can attempt to reconstruct the chain of events leading to and following the attacker’s break-in. You must correlate all the evidence gathered (which is why accurate timestamps are critical) – so it’s probably best to use some graphical tools, diagrams and spreadsheets. Include all of the evidence you’ve found when reconstructing the attack – no matter how small it is. You may miss something if you leave a piece of evidence out.

As you can see, collecting electronic evidence is no trivial matter. There are many complexities to consider and you must always be able to justify your actions. It is far from impossible though – the right tools and knowledge of how everything works are all you need to gather the evidence required.
AUSCERT Week in Review for 1st September 2017

AUSCERT Week in Review
01 September 2017

Greetings,

2017 Cyber Security Survey – Time is running out to submit!

Public awareness of cyber-crime has never been higher, but is that translating to business readiness? For the second consecutive year, AUSCERT and BDO are delivering the Cyber Security Survey. By taking part you will gain direct access to our survey report in November. This contains valuable data allowing you to compare your business’ current cyber security efforts with trends in your industry sector.

Time is running out! Complete the survey and go in the draw to win one of three Apple Watches*. The survey closes at midnight on Friday, 15 September 2017. The survey is anonymous and takes 15 minutes to complete.

https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey?utm_medium=Email&utm_source=AUSCERT

* Refer to the website for competition terms and conditions.

As Friday 1st of September comes to a close, we have seen another busy week of security updates. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: 700 Million-Plus Email Addresses Leaked by Spam Operation
Date Published: 31 Aug 2017
URL: https://www.bankinfosecurity.com/700-million-plus-email-addresses-leaked-by-spam-operation-a-10246
Author: Jeremy Kirk
Excerpt: “A sloppy spamming operation has exposed on a server in the Netherlands gigabytes of files that include 711 million email addresses and some associated account passwords.”

Title: China Creates Secure Communications Network
Date Published: 1 Sep 2017
URL: http://www.securitymagazine.com/articles/88280-china-creates-secure-communications-network
Author: Kylie Bull
Excerpt: “China is to use quantum cryptography to create an unhackable communications network.
Using the network, some 200 users from the military, government, finance and electricity sectors will be able to send messages without the concern that others may be able to read them.”

Title: Session hijacking bug exposed GitLab users private tokens
Date Published: 31 Aug 2017
URL: https://threatpost.com/session-hijacking-bug-exposed-gitlab-users-private-tokens/127747/
Author: Chris Brook
Excerpt: “GitLab, the popular web-based Git repository manager, fixed a vulnerability recently that could have opened its users up to session hijacking attacks.”

Title: Prevention is no Longer the Best Medicine – Recovery is Key
Date Published: 29 Aug 2017
URL: https://www.infosecurity-magazine.com/opinions/prevention-medicine-recovery-key/
Author: Rick Orloff
Excerpt: “In an ideal world, every company could trust each of its employees not to make any mistakes or slip up in regards to the handling of sensitive corporate data. In this utopia, each employee would also have an impregnable security solution rendering themselves invulnerable to attack or breach.”

Title: Cyber-squatters Target Luxury Brands from Fendi to Prada
Date Published: 31 Aug 2017
URL: https://www.infosecurity-magazine.com/news/cybersquatters-target-luxury-brands/
Author: Tara Seals
Excerpt: “Fan of Fendi? Lover of Louboutin? Gaga for Gucci? Be careful, as there are more than 500 websites out here that are actively tricking web users into thinking they’re legitimate luxury fashion websites.”

Here are this week’s noteworthy security bulletins:

1) ASB-2017.0137 – [Win][UNIX/Linux] RubyGems: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/51746
This one is a gem.

2) ESB-2017.2157 – [Appliance] Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure and Assurity MRI: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/51662
Is your patching keeping pace?
3) ESB-2017.2165 – [Win][UNIX/Linux] Wireshark: Denial of service – Remote with user interaction
https://portal.auscert.org.au/bulletins/51694
A reminder to keep your tools up to date also.

Stay safe and have a great weekend.

Peter