Personal tools

AusCERT Conference

The annual AusCERT conference is Australia's best cyber security event for anyone with an interest in cyber and information security.

AusCERT PKI certificate service

The AusCERT Certificate Service offers PKI certificates for people, servers and software for Australian and New Zealand education and research organisations.

AusCERT Vision & Mission Statement

AusCERT is the trusted cyber emergency response team for the Australian information economy, providing valued incident prevention and detection.

AusCERT Week in Review for 30th September 2016


As another Friday comes to a close, there have been numerous security related news items this week. Here's a summary (including excerpts) of some of the more interesting stories we've seen:


Title: Unsafe at any clock speed: Linux kernel security needs a rethink

Author: J.M. Porup (UK)

Date: 27/09/2016

Excerpt: The Linux kernel today faces an unprecedented safety crisis. Much like when Ralph Nader famously told the American public that their cars were "unsafe at any speed" back in 1965, numerous security developers told the 2016 Linux Security Summit in Toronto that the operating system needs a total rethink to keep it fit for purpose.

No longer the niche concern of years past, Linux today underpins the server farms that run the cloud, more than a billion Android phones, and not to mention the coming tsunami of grossly insecure devices that will be hitched to the Internet of Things. Today's world runs on Linux, and the security of its kernel is a single point of failure that will affect the safety and well-being of almost every human being on the planet in one way or another.

"Cars were designed to run but not to fail," Kees Cook, head of the Linux Kernel Self Protection Project, and a Google employee working on the future of IoT security, said at the summit. "Very comfortable while you're going down the road, but as soon as you crashed, everybody died."


Title: Govt will make it a crime to re-identify anonymised data

Author: Allie Coyne

Date: 28/09/2016

Excerpt: Proposed changes to the national Privacy Act would make it a criminal offence to re-identify government data that has been stripped of identifying markers.

Attorney-General George Brandis today said he intended to introduce the amendments to the privacy legislation in the current spring sitting of parliament, which runs until December 1.

The changes would also make it an offence to "counsel, procure, facilitate, or encourage anyone" to re-identify anonymised data.

Publishing or communicating "any re-identified dataset" would similarly be considered a criminal offence.


Title: Fingerprint tech makes ATMs super secure, say banks. Crims: Bring it on, suckers

Author: John Leyden

Date: 29/09/2016

Excerpt: Cybercriminals are hawking their claimed ability to exploit newly introduced biometric-based ATM authentication technologies.

Many banks view biometric-based technologies such as fingerprint recognition to be one of the most promising additions to current authentication methods, if not a complete replacement to chip and PIN.

Crooks, however, regard biometrics as a new opportunity to steal sensitive information, research by Kaspersky Lab shows.

Credit card-related financial fraud against ATMs started many years ago with primitive skimmers – homemade devices attached to an ATM and capable of stealing information from the card’s magnetic strip and PIN with help of a fake ATM pin pad or a web camera. This information was subsequently used to make counterfeit cards.


Title: How 1.5 Million Connected Cameras Were Hijacked to Make an Unprecedented Botnet

Author: Lorenzo Franceschi-Bicchierai

Date: 30/09/2016

Excerpt: Last week, hackers forced a well-known security journalist to take down his site after hitting him for more than two days with an unprecedented flood of traffic.

That cyberattack was powered by something the internet had never seen before: an army made of more than one million hacked Internet of Things devices.

The hackers, whose identity is still unknown at this point, used not one, but two networks—commonly referred to as “botnets” in hacking lingo—made of around 980,000 and 500,000 hacked devices, mostly internet-connected cameras, according to Level 3 Communications, one of the world’s largest internet backbone providers. The attackers used all those cameras and other unsecured online devices to connect to the journalists’ website, pummeling the site with requests in an attempt to make it collapse.


Finally, here are some of this week's more interesting security bulletins (sorted by oldest to newest):

1) ASB-2016.0091 - [Win][UNIX/Linux][Android] Mozilla Firefox and Firefox ESR: Multiple vulnerabilities

Multiple vulnerabilities have been fixed in Mozilla Firefox 49 and ESR 45.4. The vulnerabilities include remote code execution, denial of service, information disclosure, and the ability for a remote attacker to send malicious add-on updates.

Have a happy, bug free, weekend!