
AusCERT Week in Review for 5th October 2018


The Shearwater 2018 Hackathon is going to be held on the 16th of November in Sydney, Melbourne, Canberra, and Brisbane. It’s a one-day CTF and learning event with two different challenges and prizes to be won. There’s also a 20% discount if you use the code AUSCERT.

In case you’ve missed it, the third AusCERT and BDO Security Survey is now open.

This annual survey identifies and monitors current cyber security trends, issues and threats facing businesses in Australia and New Zealand.
By taking part you will gain direct access to our survey report, which contains valuable data that allows you to compare your business’ current cyber security efforts with trends in your industry sector.
Survey respondents have the chance to go in the draw to win one of three Apple Watches. The survey closes at midnight on Friday, 23 November 2018. The survey is anonymous and takes 15 minutes to complete.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
Date Published: 04/10/2018
Author: Jordan Robertson, Michael Riley
Excerpt: “Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.”

A response from Apple:

What Businessweek got wrong about Apple
Date Published: 04/10/2018
Author: Apple Statement
Excerpt: “The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.”

A follow-up from Bloomberg:

The Big Hack: The Software Side of China’s Supply Chain Attack
Date Published: 04/10/2018
Author: Jordan Robertson, Michael Riley
Excerpt: “In its denial that a chip attack had reached its server network, Apple did acknowledge to Bloomberg Businessweek that it had encountered malware downloaded from Supermicro’s customer portal.”

Wi-Fi now has version numbers, and Wi-Fi 6 comes out next year
Date Published: 03/10/2018
Author: Jacob Kastrenakes
Excerpt: “If you’ve ever bought a Wi-Fi router, you may have had to sort through specs that read like complete gibberish — like “802.11ac” or “a/b/g/n.” But going forward, Wi-Fi is adopting version numbers so that it’ll be easier to tell whether the router or device you’re buying is on the latest version.”

Voice Phishing Scams Are Getting More Clever
Date Published: 01/10/2018
Author: Brian Krebs
Excerpt: “Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly).”

Everything We Know About Facebook’s Massive Security Breach
Date Published: 28/09/2018
Author: Louise Matsakis, Issie Lapowsky
Excerpt: “Facebook’s privacy problems severely escalated Friday when the social network disclosed that an unprecedented security issue, discovered September 25, impacted almost 50 million user accounts. Unlike the Cambridge Analytica scandal, in which a third-party company erroneously accessed data that a then-legitimate quiz app had siphoned up, this vulnerability allowed attackers to directly take over user accounts.”

Here are this week’s noteworthy security bulletins:

1) ESB-2018.3017 – [Cisco] Cisco Identity Services Engine: Execute arbitrary code/commands – Existing account

Hardcoded credentials in a Cisco device.

2) ESB-2018.2961 – [Linux][OSX] WebKitGTK+ and WPE WebKit: Multiple vulnerabilities

A truckload of vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

3) ESB-2018.2966 – [UNIX/Linux][Ubuntu] haproxy: Denial of service – Remote/unauthenticated

HAProxy could be made to crash if it received a specially crafted request.

4) ASB-2018.0225 – [Android] Google Android devices: Multiple vulnerabilities

Multiple security vulnerabilities have been identified in the Android operating system prior to the 2018-10-05 patch level.

5) ESB-2018.2952 – ALERT [Win][Mac] Adobe Acrobat and Reader: Multiple vulnerabilities

Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS.

Stay safe, stay patched and have a good weekend!