AusCERT Week in Review for 4th November 2016

As Friday 4th November comes to a close, there have been numerous security-related news items. Here's a summary (including excerpts) of some of the more interesting stories we've seen this week:

Title: Phishers go after Red Cross data breach victims
Date: 02/11/2016
URL: http://www.itnews.com.au/news/phishers-go-after-red-cross-data-breach-victims-440618
Author: Allie Coyne

Excerpt:
“Opportunistic cyber attackers are attempting to pilfer sensitive data from individuals affected by the Red Cross Blood Service data breach by sending text messages containing phishing links.

The leak was made public last Friday, and scammers are already using the incident to try and extract sensitive information from individuals.

The Red Cross Blood Service has received reports from six donors about being targeted by a text message that purports to be from the organisation.

The text advises victims that they have an anomaly in their blood donation, and asks them to click on a dubious link.

The messages are being sent via Flash, or class zero, SMS, which pop up on the full screen of the device and disappear without a trace once the message is dismissed. The use of class zero SMS has given rise to the theory that the scammers are using the method as a testing ground before a wider campaign.

The blood service has reported the issue to AusCERT, which has been working with the organisation to handle the data breach, and is warning customers to disregard any such messages.”

---

Title: Google Publicly Discloses Security Flaw In Adobe Flash, Microsoft Windows
Date: 31/10/2016
URL: http://www.ibtimes.com/google-publicly-discloses-security-flaw-adobe-flash-microsoft-windows-2439811
Author: Ken Manbert Salcedo

Excerpt:
“Google’s Threat Analysis Group recently discovered vulnerabilities in Adobe Flash and Microsoft’s Windows which allow malware attacks on the Chrome web browser. The company made the discovery on Oct. 21 and has also disclosed it publicly today, which isn’t sitting well with Microsoft.

Adobe has already issued a patch to fix the vulnerability this past Friday. However, Microsoft hasn’t released a patch yet which prompted Google to announce it to the public in order to warn its users.

Google’s disclosure of the vulnerability is part of the company’s strict seven-day policy, wherein the company will alert the public seven days after a security flaw has been reported to the vendor regardless of whether a patch has already been rolled out. The policy is controversial as many software companies believe that a week is not enough to code, test and roll out a fix.”

---

Title: BIND security update patches DoS flaw
Date: 02/11/2016
URL: https://www.scmagazine.com/isc-releases-bind-patch-flaw-that-could-lead-to-assertion-failure/article/570335/
Author: Robert Abel

Excerpt:
“The Internet Systems Consortium (ISC) released a patch for a remote vulnerability in BIND that could allow an attacker to carry out denial-of-service (DoS) attacks.

The glitch was rated High severity and was caused by a defect in BIND's handling of responses containing a DNAME answer which could cause a resolver to exit after encountering an assertion failure in db.c or resolver.c, according to a Nov. 1 threat advisory.

Available updates include BIND 9 version 9.9.9-P4, BIND 9 version 9.10.4-P4, BIND 9 version 9.11.0-P1, and BIND 9 version 9.9.9-S6. There are no known workarounds to address the issue, so users are urged to update to the patch release most closely related to their current version of BIND.

While there are no known active exploits, a query which could trigger the crash was briefly discussed on a public mailing list before the domain owner pulled the record causing the problem, the advisory said.”

---

Title: Microsoft extends EMET end of life date
Date: 04/11/2016
URL: http://www.itnews.com.au/news/microsoft-extends-emet-end-of-life-date-440707
Author: Juha Saarinen

Excerpt:
“Microsoft will continue to support and provide security patches for its Enhanced Mitigation Experience Toolkit security software for Windows until July 31 2018, after taking customer feedback into account.

EMET is a security utility software popular with enterprise customers running supported versions of Windows. It uses mitigation techniques to block attackers from exploiting vulnerabilities in software.

The company's lead program manager for operating system security, Jeffrey Sutherland, said while EMET 5.5x will continue to be supported for another 18 months after the original end of life date of January next year, Microsoft recommended customers migrate to Windows 10 for improved security.

Sutherland said EMET has been useful to Microsoft over the years, allowing the company to disrupt exploit kits and protect customers. EMET has also been used to try out new features and security innovations that have then been integrated into Windows 7, 8, 8.1 and 10.”

---

Title: Outlook Web Access Two-Factor Authentication Bypass Exists
Date: 03/11/2016
URL: https://threatpost.com/outlook-web-access-two-factor-authentication-bypass-exists/121777/
Author: Michael Mimoso

Excerpt:
“Enterprises running Exchange Server have been operating under a false sense of security with regard to two-factor authentication implementations on Outlook Web Access (OWA) adding an extra layer of protection.

A design weakness has been exposed that can allow an attacker to easily bypass 2FA and access an organization’s email inboxes, calendars, contacts and more.

The problem lies in the fact that Exchange Server also exposes the Exchange Web Services (EWS) interface alongside OWA and it is not covered by two-factor authentication. EWS is enabled by default and shares the same port and server as OWA, meaning an attacker with [stolen] credentials can remotely access EWS, which talks to the same backend infrastructure as OWA, and would enable access to a user’s inbox.

The issue was publicly disclosed on Wednesday by researcher Beau Bullock of Black Hills Information Security, a consultancy based in South Dakota. Bullock privately disclosed his findings to Microsoft on Sept. 28, and after an initial acknowledgement, repeated follow-up emails failed to produce a patch or mitigation. Bullock went public yesterday, but shortly thereafter, Microsoft contacted him with a mitigation that would likely break some services that rely on Exchange Web Services, such as thick clients like Outlook for Mac.”


And lastly, here are this week's noteworthy security bulletins (in no particular order):

1.    ESB-2016.2500 - ALERT [Win][Linux][OSX] Adobe Flash Player: Execute arbitrary code/commands - Remote with user interaction
https://www.auscert.org.au/40002

Adobe has released security updates for Adobe Flash Player for Windows,
Macintosh, Linux and Chrome OS. These updates address a critical vulnerability
that could potentially allow an attacker to take control of the affected
system.

2.    ASB-2016.0099 - ALERT [UNIX/Linux] Memcached: Multiple vulnerabilities
https://www.auscert.org.au/40302

Multiple integer overflow vulnerabilities exist within Memcached that could be exploited to achieve remote code execution on the targeted system. These vulnerabilities manifest in various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs.

3.    ASB-2016.0101 - [Win][UNIX/Linux] cURL: Multiple vulnerabilities
https://www.auscert.org.au/40374

Multiple vulnerabilities have been identified in cURL prior to version 7.51.0.
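As an added illustration that is not from the bulletin or from Memcached's own code, the following constructed C snippet shows the bug class behind item 2 (ASB-2016.0099): an append operation whose unchecked length sum wraps, beside a checked form that refuses the request before anything is allocated. The 1 MiB cap, the function names and the sample strings are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed illustration, not Memcached's own code.  An append must compute
 * old_len + add_len before growing the stored value; if the sum is unchecked it
 * can wrap, the buffer is allocated too small and the memcpy overruns it. */

#define MAX_VALUE_LEN (1024u * 1024u)   /* 1 MiB value cap, assumed for this example */

/* Unsafe form: the 32-bit sum wraps silently, e.g. 0xFFFFFFF0 + 0x20 gives 0x10. */
uint32_t naive_append_len(uint32_t old_len, uint32_t add_len) {
    return old_len + add_len;
}

/* Hardened form: refuse the request if the sum would wrap or exceed the cap. */
bool checked_append_len(uint32_t old_len, uint32_t add_len, uint32_t *out) {
    if (add_len > UINT32_MAX - old_len) return false;  /* sum would exceed UINT32_MAX */
    uint32_t total = old_len + add_len;
    if (total > MAX_VALUE_LEN) return false;           /* arithmetic fine, but over policy */
    *out = total;
    return true;
}

/* Grow `value` (old_len bytes) by `add`.  Returns the new buffer and its length,
 * or NULL with `value` untouched when the length check or realloc fails. */
char *safe_append(char *value, uint32_t old_len, const char *add, uint32_t add_len, uint32_t *new_len) {
    uint32_t total;
    if (!checked_append_len(old_len, add_len, &total)) return NULL;
    char *grown = realloc(value, (size_t)total + 1u);  /* +1 for NUL; cannot wrap, total <= cap */
    if (grown == NULL) return NULL;
    memcpy(grown + old_len, add, add_len);
    grown[total] = '\0';
    *new_len = total;
    return grown;
}

/* Self-check on constructed data: "hello" + " world" -> 11-byte "hello world". */
int demo_append(void) {
    char *v = malloc(6);
    if (v == NULL) return 0;
    memcpy(v, "hello", 6);
    uint32_t new_len = 0;
    char *grown = safe_append(v, 5u, " world", 6u, &new_len);
    if (grown == NULL) { free(v); return 0; }
    int ok = new_len == 11u && strcmp(grown, "hello world") == 0;
    free(grown);
    return ok;
}
```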


---

Have a great weekend!
Geoffroy