AusCERT Week in Review for 23rd September 2016


As another Friday comes to a close, there have been numerous security-related news items this week. Here's a summary (including excerpts) of some of the more interesting stories we've seen:


Title: Hackers claim they breached Aussie point-of-sale tech firm, try to sell 'customer DB'

Author: Darren Pauli

Date: 20/09/2016

Excerpt: Exclusive: Hackers are claiming to have hacked Australian point-of-sale technology (PoS) company H&L Australia, and have been claiming to potential buyers that they had lifted its customer database. They were already offering it for sale for AU$22,000 ($16,580, £12,723) more than two months ago.

If indeed they have hacked into H&L, credit card data and personal information would potentially be at risk: the firm's clients include several major retailers.

The Register received information about an alleged breach at H&L Australia two weeks ago, plus the credentials required to access what was alleged to be an active backdoor on the company's network and an open public link to a large SQL database dump.


Title: Crims place booby-trapped USB drives in letter boxes

Author: Paris Cowan

Date: 22/09/2016

Excerpt: Victorians warned not to plug in malware-laden devices.

Would-be cyber criminals have been targeting Victorians by dropping malware-loaded USB drives into their letter boxes, in the hope unsuspecting residents will stick the devices into their home computers.

The Victoria Police have published a memo alerting Pakenham residents to the scam, following a spate of reports last week.

The force published a photo of some of the unmarked thumb drives it has already recovered from Victorian mailboxes.

It said recipients who inserted the USBs into the computers were served “fraudulent media streaming service offers, as well as other serious issues”.


Title: Yahoo says half a billion accounts breached by nation-sponsored hackers

Author: Dan Goodin

Date: 23/09/2016

Excerpt: At least half a billion Yahoo accounts have been breached by what investigators believe is a nation-sponsored hacking operation. Attackers probably gained access to a wealth of holders' personal information, including names, e-mail addresses, phone numbers, birth dates, answers to security questions, and cryptographically protected passwords.

Yahoo Chief Information Security Officer Bob Lord dropped that bombshell announcement on Thursday afternoon, several hours after news site Recode reported the company was poised to disclose a compromise affecting several hundred million accounts. With at least 500 million accounts included in Yahoo's official statement, the breach is among the biggest ever to hit a single Web property.


Title: Teen Hacker Says He Jailbroke The iPhone 7 in Just 24 Hours

Author: Lorenzo Franceschi-Bicchierai

Date: 23/09/2016

Excerpt: The iPhone 7 is, in Apple’s own words, “the best, most advanced iPhone ever.” It is not, however, impossible to hack.

A teenage hacker has found a way to circumvent the phone’s security and restrictions, jailbreaking a brand new iPhone 7 running iOS 10, effectively taking full control of it and allowing him to install apps not approved by Apple. The 19-year-old hacker, who’s known online as qwertyoruiop but whose real name is Luca Todesco, took advantage of a series of bugs he found and exploited—and all it took him, he said, was just 24 hours.

“They definitely made my life harder,” Todesco, who has a well-established reputation for finding bugs and jailbreaking iPhones, told Motherboard in a message. “The iPhone 7 is a step in the right direction. Obviously it’s not 100 percent secure—like nothing else is.”


Finally, here are some of this week's more interesting security bulletins (sorted by oldest to newest):

1) ESB-2016.2203 - ALERT [Cisco] Cisco IOS, IOS XE, and IOS XR: Access confidential data - Remote/unauthenticated

Proof of concept code is publicly available for a remote information disclosure vulnerability in Cisco IOS, IOS XE, and IOS XR software. The vulnerability is due to insufficient condition checks during IKEv1 security negotiation requests. Cisco is expected to release patches soon. In the meantime, Cisco recommends that administrators use an IDS or IPS to help detect attacks.

2) ESB-2016.2238 - ALERT [Win][UNIX/Linux] OpenSSL: Multiple vulnerabilities

OpenSSL has patched multiple vulnerabilities, including information disclosure and several denial of service bugs. One of the denial of service vulnerabilities (CVE-2016-6304) can be exploited using an excessively large OCSP Status Request extension. This vulnerability is rated as high and there is proof of concept code publicly available. Users should upgrade to versions 1.1.0a, 1.0.2i, or 1.0.1u.
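The bulletin gives three fixed releases, one per supported OpenSSL branch. Because OpenSSL's pre-1.1.1 releases use letter suffixes (1.0.2h, 1.0.2i, ..., and 0.9.8za after 0.9.8z), a plain string comparison gets the ordering wrong. The following is an added example, not AusCERT's or the OpenSSL project's code: it parses the output of `openssl version` and reports whether the installed build is at or above the fixed release named for its branch. The sample version strings at the bottom are constructed for illustration.

```python
import re

# Minimum patched release per OpenSSL branch, as listed in the bulletin above.
PATCHED = {
    "1.1.0": "1.1.0a",
    "1.0.2": "1.0.2i",
    "1.0.1": "1.0.1u",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Extract an OpenSSL version such as '1.0.2h' from text.

    Accepts the raw output of `openssl version` (e.g. "OpenSSL 1.0.2h  3 May 2016")
    or a bare version string. Returns (major, minor, fix, letters) or None.
    """
    m = re.search(r"(\d+\.\d+\.\d+[a-z]*)", text)
    if not m:
        return None
    parts = _VERSION_RE.match(m.group(1))
    return (int(parts.group(1)), int(parts.group(2)), int(parts.group(3)), parts.group(4))


def _letters_key(letters):
    # Letter suffixes order as "" < "a" < ... < "z" < "za" < "zb" ...
    # so a longer suffix is always a later release; equal lengths sort lexically.
    return (len(letters), letters)


def check_openssl(version_text):
    """Classify an OpenSSL version string against the fixed releases.

    Returns (status, detail) where status is one of
    'patched', 'vulnerable', 'unsupported' (branch not in the bulletin) or 'unknown'.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return ("unknown", "could not parse an OpenSSL version")
    major, minor, fix, letters = parsed
    branch = f"{major}.{minor}.{fix}"
    if branch not in PATCHED:
        return ("unsupported", f"branch {branch} is not covered by this bulletin")
    fixed = PATCHED[branch]
    fixed_letters = _VERSION_RE.match(fixed).group(4)
    if _letters_key(letters) >= _letters_key(fixed_letters):
        return ("patched", f"{branch}{letters} is at or above {fixed}")
    return ("vulnerable", f"{branch}{letters} is below {fixed}; upgrade to {fixed}")


if __name__ == "__main__":
    # Constructed sample outputs of `openssl version`, not captured from real hosts.
    samples = [
        "OpenSSL 1.0.2h  3 May 2016",
        "OpenSSL 1.0.2i  22 Sep 2016",
        "OpenSSL 1.1.0  25 Aug 2016",
        "OpenSSL 1.0.1u  22 Sep 2016",
        "OpenSSL 1.0.0t  3 Dec 2015",
    ]
    for s in samples:
        status, detail = check_openssl(s)
        print(f"{s!r:40} -> {status}: {detail}")
```

On a host you would feed it `subprocess.check_output(["openssl", "version"], text=True)`. One caveat: Linux distributions that backport security fixes (Debian, Ubuntu, Red Hat) keep the upstream version string unchanged, so on those systems the package changelog or the vendor advisory, not the version letter, is the authoritative signal.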

3) ESB-2016.2243 - ALERT [Cisco] Cisco Email Security Appliances: Root compromise - Remote/unauthenticated

The Cisco Email Security Appliance includes a testing and debugging interface which is intended for use during the manufacturing process. A remote, unauthenticated attacker could connect to this interface and completely take over the device. Cisco recommends disabling the interface as a workaround.

Have a happy, bug-free weekend!