Week in review - 8 Jun 2018

AusCERT Week in Review for 8th June 2018


AusCERT is back to business as usual after the conference, and so is the security ecosystem. This week delivered the usual suspects in vulnerability reporting – a Flash 0day, updates for both Firefox and Chrome, an Android update, and a slew of Cisco updates.

PageUp (an HR SaaS provider) has reported a breach of its systems, likely the largest in scope reported under the new mandatory breach notification laws. The company's clients include various Australian government departments, large Australian businesses across multiple sectors, and parts of the education sector. Clients such as Wesfarmers (Coles, Target, Kmart, amongst others), the Australian Red Cross, and Medibank have stated that they have suspended access to the service pending further updates and assurances. Since the system is customisable, the data potentially exposed may vary by client. Australia Post has stated that it requested TFNs, bank and superannuation details, and driver licence numbers from successful candidates via the service. Though passwords were salted and hashed, users are still advised to change their passwords (and anywhere else the same password is reused). No matter how heat-death-of-the-universe-scale your hashing algorithm's time complexity is, it's no match for "Password123": a slow hash multiplies the attacker's cost per guess, but a weak password needs only a handful of guesses.
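To make that last point concrete, here is an added example (not PageUp's code, and nothing is known about their actual hashing scheme) that salts and hashes a password with a deliberately expensive PBKDF2-HMAC-SHA256 setting and then runs a small, constructed wordlist against the result. The iteration count, the wordlist and the sample passwords are all assumptions for illustration:

```python
import hashlib
import hmac
import os

# Deliberately expensive work factor: every guess costs the attacker this many
# HMAC-SHA256 rounds. (Assumed value for the demo, not PageUp's setting.)
ITERATIONS = 100_000

# Constructed wordlist standing in for the top entries of a real leak list.
SMALL_WORDLIST = [
    "password",
    "Password1",
    "Password123",
    "letmein",
    "qwerty123",
    "welcome1",
]


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Create a stored credential: a fresh random per-user salt plus the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    return hmac.compare_digest(hash_password(candidate, record["salt"]), record["hash"])


def dictionary_attack(record: dict, wordlist: list) -> tuple:
    """Try each wordlist entry against one stored record.

    Returns (password, guesses_made) on success, or (None, guesses_made) if the
    wordlist is exhausted. The salt does not slow this down at all: it only
    stops one precomputed table from covering every user at once.
    """
    for guesses, candidate in enumerate(wordlist, start=1):
        if verify(record, candidate):
            return candidate, guesses
    return None, len(wordlist)


if __name__ == "__main__":
    weak = make_record("Password123")
    strong = make_record("correct-horse-battery-staple-2018")  # assumed strong passphrase
    print("weak  :", dictionary_attack(weak, SMALL_WORDLIST))
    print("strong:", dictionary_attack(strong, SMALL_WORDLIST))
```

The weak record falls on the third guess regardless of how many iterations PBKDF2 runs; the work factor only decides whether that takes milliseconds or a few seconds. The strong passphrase survives because it is not in the list, not because the hash is slower.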

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Malware hits HR software firm PageUp with possible data compromise
Author: Asha McLean
Excerpt: “Australia-based human resources firm PageUp has confirmed it found “unusual” activity on its IT infrastructure last month, which has resulted in the potential compromise of client data.”


ATO becomes ASD Top 4 compliant
Author: Justin Hendry
Excerpt: “The department reached full compliance with the Australian Signals Directorate’s (ASD) ‘top four strategies to mitigate cyber security incidents’ in November last year, after failing a cyber resilience audit only months earlier.”


Aussie cyber security spend surged last year
Author: Samira Sarraf
Excerpt: “A new report by Australia’s Cyber Emergency Response Team (AusCERT) showed that 58 per cent of organisations in Australia and New Zealand surveyed increased their security spend in 2017 – with respondents’ figures representing a 35 per cent year-on-year increase in security investment.”


Adobe Patches Zero-Day Flash Flaw
Author: Brian Krebs
Excerpt: “Adobe has released an emergency update to address a critical security hole in its Flash Player browser plugin that is being actively exploited to deploy malicious software. If you’ve got Flash installed – and if you’re using Google Chrome or a recent version of Microsoft Windows you do – it’s time once again to make sure your copy of Flash is either patched, hobbled or removed.”


Here are this week’s noteworthy security bulletins:

1) ESB-2018.1706 – ALERT [Win][Linux][Mac] Adobe Flash Player: Multiple vulnerabilities

Another week, another Flash 0day.

2) ASB-2018.0126 – [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities

Google has patched an issue in Chrome where the Content-Security-Policy (CSP) header was handled incorrectly. No technical details have been published yet, so the only practical advice is the usual one: keep your browser up to date.

3) ESB-2018.1664 – [Debian] Debian 7: Reduced security – Unknown/unspecified

It had a good run, but Debian 7 (Wheezy) has reached End of Life and will receive no further security updates. Jessie and Stretch are eagerly awaiting your upgrade.

4) ESB-2018.1702 – [Cisco] Multiple Cisco Products: Denial of service – Remote/unauthenticated

Turns out more than a few Cisco products have unbounded log file sizes, which an unauthenticated remote attacker can exploit to DoS the device by filling all available disk space. If you cannot patch immediately, keeping an eye on disk usage on the affected platforms is a reasonable stopgap.

Stay safe, stay patched and have a good weekend!