Week in review - 28 May 2018
AusCERT Week in Review for 25th May 2018
AusCERT Week in Review
25 May 2018
AusCERT has generated a new PGP/GPG Key to use for signing and receiving encrypted data, and this key comes into effect today. For more details: https://www.auscert.org.au/render.html?it=1967
Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:
Alert (TA18-141A) Side-Channel Vulnerability Variants 3a and 4
Date Published: 21 May 2018
Excerpt: “On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants–known as 3A and 4–can allow an attacker to obtain access to sensitive information on affected systems.”
Server? What server? Site forgotten for 12 years attracts hacks, fines
Date Published: 22 May 2018
Author: John E Dunn
Excerpt: “A web server set up by an enterprising student for a conference in 2004 and then forgotten about has left the University of Greenwich nursing a £120,000 ($160,000) fine from Britain’s Information Commissioner (ICO).”
Here’s Amazon’s explanation for the Alexa eavesdropping scandal
Date Published: 24 May 2018
Author: Jason Del Rey
Excerpt: “Asked for more details, Amazon provided Recode with the following explanation:
“Echo woke up due to a word in background conversation sounding like “Alexa.” Then, the subsequent conversation was heard as a “send message” request. At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right”. As unlikely as this string of events is, we are evaluating options to make this case even less likely.”
Chrome to remove ‘secure’ and padlock icon for HTTPS
Date Published: 18 May 2018
Author: Juha Saarinen
Excerpt: “Google will treat Transport Layer Security encrypted pages as the default soon with no indications shown, and call out unencoded HTTP web content as unsafe.”
ASADA latest to access smartphone-hacking tool raising fresh privacy concerns
Date Published: 23 May 2018
Author: Ariel Bogle
Excerpt: “Critics flagged concerns about potential misuse of the technology, after Fairfax Media reported in 2017 that Centrelink, the Australian Taxation Office and the Australian Securities and Investment Commission have also deployed it. The use of such tools typically requires a warrant.”
Here are this week’s noteworthy security bulletins:
1) ASB-2018.0122 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilities
An XSS vulnerability has been identified in Joomla! versions up to and including 3.8.7.
2) ASB-2018.0121 – ALERT [Win][UNIX/Linux][Virtual][Mobile] CPU Microcode: Access privileged data – Existing account
Two new speculative execution side-channel vulnerabilities have been announced.
3) ESB-2018.1547 – [Win][UNIX/Linux] Zookeeper: Provide misleading information – Remote/unauthenticated
No authentication or authorization is enforced when a server attempts to join a quorum. As a result, an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader.
4) ESB-2018.1543 – [Debian] Debian 8: Deprecation
This is an advance notice that regular security support for Debian GNU/Linux 8 (code name “jessie”) will be terminated on the 17th of June.
5) ASB-2018.0119 – [Win][UNIX/Linux] Mozilla Thunderbird: Multiple vulnerabilities
Multiple security vulnerabilities have been identified in Mozilla Thunderbird prior to version 52.8.
Stay safe, stay patched and have a good weekend!