//Week in review - 28 May 2018

AusCERT Week in Review for 25th May 2018

AusCERT Week in Review
25 May 2018

Happy GDPR compliance deadline day!  I’m sure you’ve been receiving many privacy policy update emails this week.  Also this week we saw CVE-2018-3639 and CVE-2018-3640 announced, aka Spectre and Meltdown variants 3A and 4.  While they are hardware-level vulnerabilities which affect various processors from AMD, ARM, IBM POWER8, and  POWER9, and Intel, it’s still important to apply the latest microcode updates and software patches. With Microsoft’s $250,000 bounty, and more researchers looking at speculative execution vulnerabilities, it will be interesting to see how many more are discovered this year.

AusCERT has generated a new PGP/GPG Key to use for signing and receiving encrypted data, and this key comes into effect today. For more details: https://www.auscert.org.au/render.html?it=1967
Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:
Alert (TA18-141A) Side-Channel Vulnerability Variants 3a and 4
Date Published: 21 May 2018
Author: US-CERT
Excerpt: “On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants–known as 3A and 4–can allow an attacker to obtain access to sensitive information on affected systems.”


Server? What server? Site forgotten for 12 years attracts hacks, fines
Date Published:  22 May 2018
Author: John E Dunn
Excerpt: “A web server set up by an enterprising student for a conference in 2004 and then forgotten about has left the University of Greenwich nursing a ?120,000 ($160,000) fine from Britain’s Information Commissioner (ICO).”

Here’s Amazon’s explanation for the Alexa eavesdropping scandal
Date Published:  24 May 2018
Author: Jason Del Rey
Excerpt:  “Asked for more details, Amazon provided Recode with the following explanation:
“Echo woke up due to a word in background conversation sounding like “Alexa.” Then, the subsequent conversation was heard as a “send message” request. At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customers contact list. Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right”. As unlikely as this string of events is, we are evaluating options to make this case even less likely.”

Chrome to remove ‘secure’ and padlock icon for HTTPS
Date Published: 18 May 2018
Author: Juha Saarinen
Excerpt: “Google will treat Transport Layer Security encrypted pages as the default soon with no indications shown, and call out unencoded HTTP web content as unsafe.”

ASADA latest to access smartphone-hacking tool raising fresh privacy concerns
Date Published: 23 May 2018
Author: Ariel Bogle
Excerpt: “Critics flagged concerns about potential misuse of the technology, after Fairfax Media reported in 2017 that Centrelink, the Australian Taxation Office and the Australian Securities and Investment Commission have also deployed it. The use of such tools typically requires a warrant.”

Here are this week’s noteworthy security bulletins:
1) ASB-2018.0122 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilities
An XSS vulnerability has been identified in Joomla! in versions prior through 3.8.7

2) ASB-2018.0121 – ALERT [Win][UNIX/Linux][Virtual][Mobile] CPU Microcode: Access privileged data – Existing account
Two new speculative execution side-channel vulnerabilities announced.

3) ESB-2018.1547 – [Win][UNIX/Linux] Zookeeper: Provide misleading information – Remote/unauthenticated

No authentication/authorization is enforced when a server attempts to join a quorum. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

4) ESB-2018.1543 – [Debian] Debian 8: Deprecation

This is an advance notice that regular security support for Debian GNU/Linux 8 (code name “jessie”) will be terminated on the 17th of June.

5) ASB-2018.0119 – [Win][UNIX/Linux] Mozilla Thunderbird: Multiple vulnerabilities

Multiple security vulnerabilities have been identified in Mozilla Thunderbird prior to version 52.8.

Stay safe, stay patched and have a good weekend!