//Week in review - 8 Dec 2017

AusCERT Week in Review for 8th December 2017

AusCERT Week in Review
08 December 2017


Remember that the holiday season is the time we relax so don’t get caught by someone trying to take advantage of this.

And the Call for Proposals for AusCERT 2018 is now open.

Important Dates for submission
13 Nov 2017 – (Monday) – Call for Presentations submissions open
19 Jan 2018 – (Friday) – Call for Presentations submission deadline
19 Feb 2018 – (Monday) – Notifications from Program Committee

Conference Date
29 May 2018 – 01 Jun 2018 | AusCERT2018 Conference

As for more news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:


Title: Banking Apps Found Vulnerable to MITM Attacks issue
URL: https://threatpost.com/banking-apps-found-vulnerable-to-mitm-attacks/129105/
Date: December 07, 2017
Author: Tom Spring
Excerpt: “Using a free tool called Spinner, researchers identified certificate pinning vulnerabilities in mobile banking apps that left customers vulnerable to man-in-the-middle attacks”


Title: Uber hacker is a 20 yr-old Florida man
URL: https://www.itnews.com.au/news/uber-hacker-is-a-20-yr-old-florida-man-479365 
Date: Decemeber 07, 2017
Author: Joseph Menn and Dustin Volz
Excerpt: “Paid to keep quiet in bug bounty. A 20-year-old Florida man was responsible for a massive data breach at Uber last year and was paid by Uber to destroy the data through a bug bounty program, three people familiar with the events have told Reuters.”


Title: Bitcoin Miner NiceHash Hacked, Possibly Losing $62 Million in Bitcoin
URL: https://www.darkreading.com/cloud/bitcoin-miner-nicehash-hacked-possibly-losing-$62-million-in-bitcoin/d/d-id/1330585 
Date: Decemeber 07, 2017
Author: Dark Reading
Excerpt: “Slovenia-based bitcoin mining company NiceHash has temporarily halted its operations while it investigates a security breach and determines how many bitcoins were stolen, the company announced Wednesday.”


Title: The Cumulative Effect of Major Breaches: The Collective Risk of
Yahoo & Equifax
Date: Decemeber 07, 2017
Author: Markus Jakobsson
Excerpt: “While there are no signs today of criminals consolidating and reselling data from different breaches, it is an obvious concern as the value-add of the packaging would be substantial.”


And lastly, here are this week’s most noteworthy security bulletins:

1. ASB-2017.0210 – [Win][UNIX/Linux] Firefox: Multiple vulnerabilities

A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content.
This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash.

2. ASB-2017.0209 – [Win][UNIX/Linux] Tenable Nessus: Multiple vulnerabilities

Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to
contain vulnerabilities, and updated versions have been made available by the providers.

3. ESB-2017.3144 – [Win][UNIX/Linux][FreeBSD] OpenSSL: Access privileged data – Remote/unauthenticated

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an “error state” mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake.

4. ESB-2017.3117 – [SUSE] shibboleth-sp: Reduced security – Remote/unauthenticated

CVE-2017-16852: Fix critical security checks in the Dynamic MetadataProvider plugin in Shibboleth Service (bsc#1068689).

Wishing all the best from AusCERT and see you next week,