The annual AusCERT conference is Australia's best cyber security event for anyone with an interest in cyber and information security.
AusCERT PKI certificate service
The AusCERT Certificate Service offers PKI certificates for people, servers and software for Australian and New Zealand education and research organisations.
AusCERT Vision & Mission Statement
AusCERT is the trusted cyber emergency response team for the Australian information economy, providing valued incident prevention and detection.
AusCERT Week in Review for 12th August 2016
Before we get stuck into this week's review, we encourage everyone to complete the 2016 Cyber Security Survey.
AusCERT and BDO have joined forces to launch the 2016 Cyber Security Survey. This survey will help identify current cyber security trends, issues and threats facing businesses in Australia and New Zealand.
The goal is to deliver insights that will help businesses build and maintain their cyber resilience over the long term. The findings will be tailored to key industry segments, as well as country (ie, Australia and New Zealand) and enable you to compare your business’s cyber security efforts with similar businesses.
By taking part in this anonymous survey you will gain access to our survey report in November. The survey questions are non-technical and will take about 10 minutes to complete.
The survey is now open and closes at midnight on Friday 9 September 2016.
Win a 360 degree camera!
By completing and submitting the survey you can enter a prize draw to win a 360 degree camera. Two respondents from Australia and one from New Zealand will be randomly selected as the winners and notified via email after the survey closes.
Finally, AusCERT is hiring! We are looking for two Senior Information Security Analysts (one fixed-term, one continuing) and a fixed-term Events, Marketing and Communications Coordinator.
Now for this week's news:
Title: Hackers Make the First-Ever Ransomware for Smart Thermostats
Author: Lorenzo Franceschi-Bicchierai
Excerpt: One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars.
This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a “smart” device, in this case a thermostat.
Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger.
Title: Companies are leaking potential insider trading data: ASIC
Author: Paris Cowan
Excerpt: Australia’s corporate watchdog has probed the information exchanges between listed companies and market analysts in an effort to stamp loose data handling procedures that lead to insider trading and market manipulation.
In 2014 the Australian Securities and Investments Commission (ASIC) won its suit against Newcrest Mining after discovering the company had handed over confidential and market-sensitive data to a number of research analysts, without also releasing the same data to the market. The miner was fined $1.2 million by the courts.
But ASIC says the practice is by no means limited to this case.
In a report handed down today, it complained many public companies are ignoring their own information handling policies and risking the integrity of the market.
Title: Linux security backfires: Flaw lets hackers inject malware into downloads, disrupt Tor users, etc
Author: Iain Thomson
Excerpt: Analysis A flaw in the Linux kernel lets hackers inject malware into downloads and webpages, smash Tor connections, launch denial-of-service attacks, and more.
This is a troubling security headache because Linux is used widely across the internet, from web servers to Android smartphones, tablets and smart TVs.
The TCP/IP networking blunder, present in the open-source kernel since version 3.6, can be exploited by miscreants to confirm whether any two systems are talking to each other over a network. Furthermore, it can be abused to break their connections or insert malicious code and data into their communications if the exchange is not properly encrypted. In other words, you can hijack HTTP with this.
Crucially, you do not need to be a man-in-the-middle attacker to pull this off; you do not need to be eavesdropping on a network. You can be off to the side, firing the right packets at both ends to compromise their exchanges. You have to know the IP addresses of both sides of the connection, and you have to be able to send spoofed packets to them. And that's about it.
Title: Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open
Author: Tom Mendelsohn
Excerpt: Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called "golden key"—which allows users to unlock any device that's supposedly protected by Secure Boot, such as phones and tablets.
The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.
And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.
Finally, here are some of this week's more interesting security bulletins (sorted by oldest to newest):
1) Microsoft Patch Tuesday (critical advisories)
ESB-2016.1918 - ALERT [Win] Microsoft Internet Explorer: Multiple vulnerabilities
ESB-2016.1919 - ALERT [Win] Microsoft Edge: Multiple vulnerabilities
ESB-2016.1920 - ALERT [Win] Microsoft Windows, Office, and Communications Platforms Software: Execute arbitrary code/commands - Remote with user interaction
ESB-2016.1922 - ALERT [Win][OSX] Microsoft Office: Multiple vulnerabilities
ESB-2016.1925 - ALERT [Win] Microsoft Windows: Execute arbitrary code/commands - Remote with user interaction
Microsoft released nine security bulletins this month, five of which are rated as critical. These critical vulnerabilities (remote code execution and information disclosure) affect Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Graphics Component, and Microsoft Windows PDF Library. User interaction is required to exploit the vulnerabilities.
Until next time,