AusCERT Week in Review for 9th September 2016


As another Friday comes to a close, there have been numerous security-related news items this week. Here's a summary (including excerpts) of some of the more interesting stories we've seen:


Title: Spoof an Ethernet adapter on USB, and you can sniff credentials from locked laptops

Author: Richard Chirgwin

Date: 07/09/2016

Excerpt: Security consultant and blogger Rob Fuller has turned a USB SoC-based device into a credential-sniffer that works even on locked machines.

Fuller's attack works by modifying the dongle; when it's plugged in, it installs and makes itself the victim's network gateway, DNS server, and WPAD (Web proxy autodiscovery protocol) server. In the process of trying to install what it thinks is an Ethernet adapter, the target machine will send its credentials over the spoofed network.

The modded Ethernet adapter also needs to be set up to capture the credentials the target machine offers, as it's trying to connect to the network through the adapter.

While the password it captures has whatever hash the victim's machine applies in storage, that's also what a server will expect to see.


Title: NBN Co beefs up cyber security offense

Author: Ry Crozier

Date: 08/09/2016

Excerpt: NBN Co is rejigging its approach to IT security by adopting the ‘cyber hunt’ methodology to detect and manage threats, and by building out a cyber threat intelligence capability.

The network builder revealed its thinking on addressing issues of cyber security this week, pointing to a more offensive posture and data-driven approach.

An NBN spokesperson would only say that the company “is continually working to build its cyber threat capability as we roll out the network across Australia.”

The concept of cyber hunt teams has been around several years; the teams typically work on “longer range, data-driven investigations” of threats instead of real-time detection and mitigation.


Title: Yes, you can hack cell phones like on Mr. Robot—just not the way they did

Author: Sean Gallagher

Date: 08/06/2016

Excerpt: Time and time again, Mr. Robot has proven to be a show that prides itself on extreme attention to detail. Whether it involves hiring ex-FBI employees as consultants or tracking down the duo behind the Full House theme, the series wants to ground its high-stakes story in a healthy dose of realism.

“The notion of there being an E-Corp, a conglomerate in charge of 70 percent of the world’s debt, is a big pill to swallow,” Kor Adana, staff writer and the show’s lead tech producer, told Ars recently. “The way I see it, anything we can do to ground the show in reality with all the other tools at our disposal, the better it is to sell this version of reality.”

In the series' latest episode, hero-hacker Elliot Alderson launches an attack script called crackSIM from a real-world device—Pwnie Express' PwnPhone—to allow him to eavesdrop on a cell phone call. As superhuman as the attack seems, it's yet another realistic portrayal from Adana and his team. Yes, this hack is technically possible. It's also possible for an attacker to eavesdrop on a cell phone call. But this being a ~50 minute cable series, creative license does ultimately rear its head. And unfortunately, the hack Elliot used wouldn't work to do the eavesdropping as we understand infosec today. Instead, the show (rightfully) took a few artistic liberties when demonstrating how such an attack would happen.


Title: Google Chrome to start marking HTTP connections as insecure

Author: Lucian Constantin

Date: 09/09/2016

Excerpt: To push more websites to implement encryption and to better protect users, Google will start flagging plain HTTP connections as insecure in its popular Chrome browser.

The plan will go into effect in January with the release of Chrome 56 and will roll out in stages. Chrome 56 will display a "not secure" indicator before HTTP URLs in the browser's address bar, but only for those web pages that contain password or credit card form fields.

Transmitting such sensitive information over HTTP is dangerous because the data can be intercepted by man-in-the-middle attackers on public wireless networks or via compromised routers, for example.

In later Chrome releases, the HTTP warnings will be further expanded. First, HTTP pages will be labeled as "not secure" when accessed in the browser's privacy-oriented Incognito mode. Eventually, Chrome will show the warning for all HTTP pages and will switch the security indicator to the red triangle now used for broken HTTPS connections.


Finally, here are some of this week's more interesting security bulletins (sorted from oldest to newest):

1) ASB-2016.0086 - [Win][UNIX/Linux] Plone and Zope2: Cross-site scripting - Remote with user interaction

Hotfix 20160830 fixes multiple vulnerabilities in Plone and Zope2. The vulnerabilities include cross-site scripting, information disclosure, and a redirection attack.

2) ASB-2016.0088 - [Win][UNIX/Linux] WordPress: Cross-site scripting - Remote with user interaction

Cross-site scripting and information disclosure vulnerabilities have been fixed in WordPress 4.6.1.

Have a happy, bug-free weekend!