//Week in review - 7 Sep 2018

AusCERT Week in Review for 7th September 2018


Submissions close shortly for comments on the Assistance and Access Bill 2018. The bill would oblige communications providers to assist law enforcement and intelligence agencies in gaining access to encrypted communications. The types of assistance the bill would allow agencies to request include:

– removing one or more forms of electronic protection that are or were applied by, or on behalf of, the provider
– assisting access to devices or services
– installing, maintaining, testing or using software or equipment or assisting with those activities where the provider is already capable of removing this protection
– concealing that any other thing has been covertly performed in accordance with the law

Source: https://www.homeaffairs.gov.au/consultations/Documents/industry-assistance-factsheet.pdf

Public feedback is open until September the 10th. For more information on having your say, see https://digitalrightswatch.org.au/2018/08/19/defend-encryption/

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

NIST Releases Draft on BGP Security
Date Published: 05 September 2018
URL: https://www.darkreading.com/perimeter/nist-releases-draft-on-bgp-security/d/d-id/1332740
Author: Dark Reading Staff
Excerpt: “A new draft publication from the NIST National Cybersecurity Center of Excellence (NCCoE) takes aim at security concerns about the Border Gateway Protocol (BGP), the default routing protocol to route traffic among Internet domains. The paper, “Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation,” is open for public comment until Oct. 15.”
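Route origin validation, the subject of the NIST draft, checks a BGP announcement against Route Origin Authorizations (ROAs) and classifies it as Valid, Invalid or NotFound (RFC 6811). The C program below is an added example written for this review, not code from the NIST draft or from any RPKI validator. It implements that decision over a constructed IPv4-only ROA table; the prefixes, origin ASNs and max-length values are made up (documentation ranges), and the format of the ROA table is an assumption rather than an RPKI object encoding.

```c
/* Route Origin Validation (RFC 6811) over a constructed ROA table, IPv4 only.
 * Added example for this newsletter; not NIST or RPKI validator code. */
#include <stdint.h>
#include <stdio.h>

enum rov_state { ROV_VALID = 0, ROV_INVALID = 1, ROV_NOT_FOUND = 2 };

struct roa {
    uint32_t prefix;      /* network address, host byte order */
    unsigned prefix_len;  /* ROA prefix length */
    unsigned max_len;     /* longest announcement the ROA authorises */
    uint32_t origin_as;   /* authorised origin ASN */
};

/* Constructed sample ROA table (documentation prefixes, not real RPKI data). */
static const struct roa ROAS[] = {
    { 0xC0000200u /* 192.0.2.0 */,   24, 24, 64496 },
    { 0xCB007100u /* 203.0.113.0 */, 24, 26, 64500 },
};
#define NROAS (sizeof ROAS / sizeof ROAS[0])

static uint32_t netmask(unsigned len)
{
    return len == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - len));
}

/* A ROA covers an announcement when the ROA prefix contains it. */
static int roa_covers(const struct roa *r, uint32_t pfx, unsigned len)
{
    if (len < r->prefix_len)
        return 0;
    return (pfx & netmask(r->prefix_len)) == (r->prefix & netmask(r->prefix_len));
}

/* Parse "a.b.c.d" into a host-order uint32_t; returns 0 on malformed input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* RFC 6811 decision: Valid if some covering ROA matches the origin AS and
 * len <= maxLength; Invalid if ROAs cover the prefix but none match;
 * NotFound if no ROA covers it. Malformed announcements are treated as
 * Invalid (a conservative choice made for this example). */
enum rov_state rov_validate(const char *prefix_str, unsigned len, uint32_t origin_as)
{
    uint32_t pfx;
    int covered = 0;
    if (len > 32 || !parse_ipv4(prefix_str, &pfx))
        return ROV_INVALID;
    for (size_t i = 0; i < NROAS; i++) {
        if (!roa_covers(&ROAS[i], pfx, len))
            continue;
        covered = 1;
        if (ROAS[i].origin_as == origin_as && len <= ROAS[i].max_len)
            return ROV_VALID;
    }
    return covered ? ROV_INVALID : ROV_NOT_FOUND;
}

int main(void)
{
    static const char *names[] = { "Valid", "Invalid", "NotFound" };
    printf("192.0.2.0/24 AS64496:     %s\n", names[rov_validate("192.0.2.0", 24, 64496)]);
    printf("192.0.2.0/25 AS64496:     %s\n", names[rov_validate("192.0.2.0", 25, 64496)]);
    printf("192.0.2.0/24 AS64499:     %s\n", names[rov_validate("192.0.2.0", 24, 64499)]);
    printf("203.0.113.64/26 AS64500:  %s\n", names[rov_validate("203.0.113.64", 26, 64500)]);
    printf("198.51.100.0/24 AS64496:  %s\n", names[rov_validate("198.51.100.0", 24, 64496)]);
    return 0;
}
```

The three outcomes matter operationally because routers normally drop only Invalid routes and still accept NotFound, so a hijack of a prefix with no ROA is not caught by ROV alone; the example's second and fourth cases show how maxLength decides whether a more-specific announcement is authorised.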

Google Wants to Kill the URL
Date Published: 04 September 2018
URL: https://www.wired.com/story/google-wants-to-kill-the-url/
Author: Lily Hay Newman
Excerpt: “The focus right now, they say, is on identifying all the ways people use URLs to try to find an alternative that will enhance security and identity integrity on the web while also adding convenience for everyday tasks like sharing links on mobile devices.”

Five-Eyes nations to force encryption backdoors
Date Published: 03 September 2018
URL: https://www.itnews.com.au/news/five-eyes-nations-to-force-encryption-backdoors-511865
Author: Juha Saarinen
Excerpt: “At the Five Country Ministerial meeting on the Gold Coast last week, security and immigration ministers put forward a range of proposals to combat terrorism and crime, with a particular emphasis on the internet.
As part of that, the countries that share intelligence with each other under the Five-Eyes umbrella agreement, intend to “encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services.”

While the rhetoric is sharp, the specifics are vague. Governments won’t specify any particular interception technology, and will leave it to technology companies to create the solutions required that provide lawful access capability.”

Faster internet speeds for Queensland as undersea cable confirmed
Date Published: 07 September 2018
URL: https://www.brisbanetimes.com.au/national/queensland/faster-internet-speeds-for-queensland-as-undersea-cable-confirmed-20180907-p5029p.html
Author: Tony Moore
Excerpt: “State Development Minister Cameron Dick and Sunshine Coast mayor Mark Jamieson announced on Friday that tech giant RTI Connectivity and the Sunshine Coast Council will build the 550-kilometre undersea cable into the Sunshine Coast by 2020.”

Here are this week’s noteworthy security bulletins:

ASB-2018.0209 – [Android] Google Android devices: Multiple vulnerabilities
“Multiple security vulnerabilities have been identified in the Android operating system prior to the 2018-09-05 patch level.”

ASB-2018.0206 – [Win][UNIX/Linux][BSD][Mobile] Mozilla Firefox: Multiple vulnerabilities
“Multiple vulnerabilities have been identified in Mozilla Firefox prior to version 62. One of these vulnerabilities has been classified as critical.”

ESB-2018.2641 – [UNIX/Linux][Debian] curl: Execute arbitrary code/commands – Remote/unauthenticated
“Zhaoyang Wu discovered that cURL, a URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32-bit systems.”
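The curl bulletin describes an unsigned size-arithmetic overflow: a buffer size derived from the password length wraps once the length approaches 2^31 bytes in 32-bit arithmetic, so the allocation is far smaller than the data later written into it. The C program below is an added illustration of that bug class, not curl's code. The 64-byte header and the factor of two (UTF-16 expansion of the password) are assumed for the example, and 32-bit arithmetic is simulated with uint32_t so the program behaves the same on a 64-bit host without allocating anything.

```c
/* Unsigned-arithmetic overflow in a size computation, the bug class behind
 * "passwords over 2GB on 32-bit systems". Added example; not curl's code. */
#include <stdint.h>
#include <stdio.h>

/* Constructed fixed overhead (message header) added to the payload size. */
#define HDR_LEN 64u

/* Vulnerable pattern: the size is computed in 32-bit unsigned arithmetic.
 * Once 2*len + HDR_LEN exceeds 2^32 the result wraps to a tiny value while
 * the data copied later is still about 2*len bytes: a heap overflow on a
 * 32-bit build, where size_t is 32 bits wide. */
static uint32_t unsafe_buffer_size(uint32_t len)
{
    return len * 2u + HDR_LEN;  /* silently wraps modulo 2^32 */
}

/* Hardened pattern: bound the input before the arithmetic can overflow.
 * Returns the size, or -1 if it would not fit in 32 bits. */
static int64_t safe_buffer_size(uint32_t len)
{
    if (len > (UINT32_MAX - HDR_LEN) / 2u)
        return -1;
    return (int64_t)(len * 2u + HDR_LEN);
}

/* True when the wrapped size is smaller than what the data actually needs,
 * computed here in 64 bits as the ground truth. */
static int allocation_is_undersized(uint32_t len)
{
    uint64_t needed = (uint64_t)len * 2u + HDR_LEN;
    return (uint64_t)unsafe_buffer_size(len) < needed;
}

int main(void)
{
    uint32_t lens[] = { 1000u, 0x7FFFFFFFu, 0x80000000u };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%u unsafe=%u undersized=%d safe=%lld\n",
               lens[i], unsafe_buffer_size(lens[i]),
               allocation_is_undersized(lens[i]),
               (long long)safe_buffer_size(lens[i]));
    }
    return 0;
}
```

The check in safe_buffer_size is placed before the multiplication rather than after it, because testing the wrapped result for "too small" is itself unreliable; on compilers that provide it, __builtin_mul_overflow and __builtin_add_overflow express the same bound without hand-derived limits.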

ESB-2018.2631 – [UNIX/Linux] ghostscript: Multiple vulnerabilities
“Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.”

Stay safe, stay patched and have a good weekend!