
AusCERT Week in Review for 26th August 2016


As another Friday comes to a close, there have been numerous security related news items this week. Here's a summary (including excerpts) of some of the more interesting stories we've seen:


Title: Gold Coast Commonwealth Games could swap sponsorship for cyber protection

Author: Paris Cowan

Date: 22/08/2016

Excerpt: Security supplier sought for high-profile event.

The organisers of the 2018 Gold Coast Commonwealth Games are hunting for an IT security firm to protect the high-profile event from cyber attack, and say they will consider swapping branding at the event for the service.

The government body running the event is expecting a cumulative TV audience of over a billion people, 1.1 million ticket sales, 84 million page views on its websites, and 6600 athletes and officials for the April 2018 games.

This scale, it says, will make it a popular target for would-be hackers and cyber criminals, so it is looking for a provider with a strong Australian presence to deliver 24x7 security monitoring and forensic response capability for the lead-up to and duration of the event.


Title: Twitoor first Android malware known to leverage Twitter for command and control

Author: Bradley Barth

Date: 24/08/2016

Excerpt: Researchers have found the first known Android mobile malware to use a Twitter account, rather than a traditional command-and-control server, to control infected devices.

According to an ESET blog post, the malware, dubbed Twitoor, is a dropper program designed to periodically check in with a maliciously registered Twitter account in order to receive instructions for actions such as downloading secondary payloads and switching to another account.

“Using Twitter instead of command-and-control servers is pretty innovative for an Android botnet,” said Lukas Stefanko, the ESET malware researcher who discovered the malicious app, in a company blog post.

Thought to be distributed via SMS or malicious URLs, Twitoor typically disguises itself as a porn player app or MMS application, but in reality it has been used to download several versions of mobile banking malware (ESET did not specify which one). The malware has been active for around a month, ESET noted, and has the ability to recruit devices into an Android botnet.
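The detection angle on the Twitoor story is that a dropper which periodically checks a Twitter account for instructions produces regular, low-jitter requests to the same host from one device, and that regularity is visible in proxy or DNS logs. The following is an added illustration of that check, not ESET's analysis or code: the log lines are constructed, and the log format, the minimum request count and the coefficient-of-variation threshold are all assumptions chosen for the demo.

```python
"""
Beacon-regularity check over constructed proxy log lines.

Groups requests by (client, host), computes the gaps between
successive requests, and flags pairs whose gaps are suspiciously
uniform. The log format and thresholds are assumptions for this
example, not a real product's format or tuned values.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client IP> <destination host>"
SAMPLE_LOG = """\
2016-08-24T10:00:00 10.0.0.5 twitter.com
2016-08-24T10:00:20 10.0.0.7 example.org
2016-08-24T10:05:01 10.0.0.5 twitter.com
2016-08-24T10:09:59 10.0.0.5 twitter.com
2016-08-24T10:12:44 10.0.0.7 twitter.com
2016-08-24T10:15:00 10.0.0.5 twitter.com
2016-08-24T10:20:02 10.0.0.5 twitter.com
2016-08-24T10:25:00 10.0.0.5 twitter.com
2016-08-24T10:31:10 10.0.0.7 twitter.com
2016-08-24T10:30:01 10.0.0.5 twitter.com
2016-08-24T10:58:03 10.0.0.7 twitter.com
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, host = line.split()
        series[(client, host)].append(datetime.fromisoformat(ts))
    return series


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    Returns None when there are too few gaps to say anything useful.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    return m, cv


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Flag (client, host) pairs with many requests at near-constant intervals.

    min_requests and max_cv are assumed demo thresholds; a real deployment
    tunes them against its own baseline of legitimate periodic traffic.
    """
    flagged = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_cv:
            flagged.append((client, host, round(score[0]), round(score[1], 3)))
    return flagged


if __name__ == "__main__":
    for client, host, period, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: period ~{period}s, jitter cv={cv}")
```

In the constructed data only 10.0.0.5 is flagged (a roughly 300-second period with a coefficient of variation near 0.005); the second client also talks to twitter.com but too rarely and irregularly to score. A legitimate social-media client also polls on a schedule, so this kind of heuristic is a triage signal to combine with other context (new app install, SMS-delivered link, unexpected secondary downloads), not a verdict on its own.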


Title: Apple releases iOS 9.3.5 to fix 3 zero-day vulnerabilities [Updated]

Author: Andrew Cunningham

Date: 26/08/2016

Excerpt: Just a few weeks after posting iOS 9.3.4 to fix a jailbreaking-related bug, Apple has released iOS 9.3.5 to all supported iPhones and iPads. The update provides an "important security update" and comes just a few weeks before the expected release of iOS 10, which is currently pretty far along in the developer/public beta process.

Update: Apple also tells us that these bugs were fixed in the latest versions of the iOS 10 public and developer betas, which were released last week.

Apple's security release notes say that three bugs have been fixed, two in the iOS kernel and one in WebKit. The bugs were discovered by Citizen Lab and Lookout, which said they were actively exploited to hijack the iPhone of a political dissident. Lookout collectively calls the three zero-day vulnerabilities "Trident," and says that they could allow a victim's personal data to be accessed after opening a link sent in a text message. Trident infects a user's phone "invisibly and silently, such that victims do not know they’ve been compromised." We'll have more information about the vulnerability in a forthcoming article.


Title: This Biohacker Wants to Implant Cryptographic Keys Beneath Your Skin

Date: 26/08/2016

Excerpt: The millennial trope of your phone feeling like another limb may not be so far off, with new technology that would allow much of the same information in your phone to be stored in a chip under your skin.

Motherboard went behind the scenes with Amal Graafstra, founder of biohacking company Dangerous Things—a business he runs out of his garage—to get an early glimpse at some of Graafstra's new prototypes.

One of those prototypes is UKI, a small, NFC-compliant security chip implanted under the skin that allows people to do things like integrate cryptographic keys into their bodies.

Implantable chips could be useful if you lose your keys, but could also change how we grapple with privacy issues. Instead of being stored on external internet-connected devices, UKI allows users to carry cryptographic keys within their bodies, merging both your digital and physical identities.


Finally, here are some of this week's more interesting security bulletins (sorted by oldest to newest):

1) ESB-2016.2009 - ALERT [Appliance] Navis WebAccess: Execute arbitrary code/commands - Remote/unauthenticated

Navis WebAccess does not properly sanitise input, potentially resulting in SQL injection. There is proof of concept code publicly available.
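The defect class in this bulletin, unsanitised input spliced into an SQL statement, is best shown next to its fix. The following is an added example and has nothing to do with Navis WebAccess's code or schema: it uses an in-memory SQLite table with constructed rows, and a constructed lookup string, to contrast the string-building pattern with a parameterised query.

```python
"""
SQL injection from unsanitised input, and the parameterised-query fix.

Constructed example: in-memory SQLite, made-up table and rows.
Not the affected product's code.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table of constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shipments (id INTEGER, ref TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO shipments VALUES (?, ?, ?)",
        [(1, "REF-100", "alice"), (2, "REF-200", "bob"), (3, "REF-300", "carol")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, ref: str) -> list:
    """Vulnerable pattern: the caller's string becomes part of the SQL text."""
    sql = f"SELECT id, ref, owner FROM shipments WHERE ref = '{ref}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, ref: str) -> list:
    """Hardened pattern: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT id, ref, owner FROM shipments WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign and a constructed hostile input."""
    conn = make_db()
    benign = "REF-200"
    hostile = "x' OR '1'='1"  # constructed string that closes the quote and adds a tautology
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),  # whole table comes back
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_hostile": len(lookup_safe(conn, hostile)),  # treated as a literal, no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The parameterised form is the fix the bulletin's "does not properly sanitise input" wording points at: escaping or filtering the input is fragile, whereas binding it as a parameter keeps data and SQL text apart regardless of what the string contains. The same distinction applies to any driver that supports placeholders, not just SQLite.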

2) ESB-2016.2039 - ALERT [Apple iOS] Apple iOS: Multiple vulnerabilities

Multiple vulnerabilities have been patched in an out-of-band update for iOS, the most severe being a root compromise. In addition, the vulnerabilities are being actively exploited by new spyware called Pegasus. Due to the severity of this vulnerability all users should update immediately. If you have not been prompted to update, please update manually as per Apple's instructions.

Have an excellent weekend!