Week in review - 9 Nov 2018

AusCERT Week in Review for 9th November 2018


This week in information security: a research paper has demonstrated several techniques for defeating the hardware-level encryption built into SSDs, a proposed South Australian law would let SA Police compel you to unlock your devices, and Cisco have removed more hard-coded credentials.

If you like the Week in Review, the AusCERT Daily Intelligence Report is a daily news summary, in the same vein but simpler and – dare I say – prettier. It’s currently in beta. If you’d like to sign up, please email auscert@auscert.org.au.

Flaws in Popular SSD Drives Bypass Hardware Disk Encryption
Date: 5 November
Author: Lawrence Abrams
Excerpt: “We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware,” stated the report. “In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret.”
To make matters worse, as Windows’ BitLocker software encryption will default to hard drive encryption if supported, it can be bypassed using the same discovered flaws.
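The practical question this raises for a Windows fleet is which BitLocker volumes are actually protected by the drive's own encryption rather than by BitLocker's software cipher. The script below is an added illustration from the AusCERT editor, not code from the article or the paper; it assumes an elevated prompt on a Windows host where manage-bde.exe is available and prints its status in English (the "Volume X:" and "Encryption Method:" labels are localised on non-English installs).

```powershell
# Added example (AusCERT editor's illustration, not the article's or paper's code):
# inventory BitLocker volumes and flag any whose "Encryption Method" is the
# drive's own hardware encryption, which is the case the SSD findings affect.
# Assumes an elevated prompt on Windows with manage-bde.exe on the PATH.
function Get-BitLockerEncryptionMethod {
    [CmdletBinding()]
    param(
        # Pass captured manage-bde output here to test offline; by default the
        # function runs manage-bde -status itself.
        [string[]]$StatusText = (& manage-bde.exe -status 2>&1)
    )

    $volumes = @()
    $current = $null
    foreach ($line in $StatusText) {
        # manage-bde starts each volume block with a line like "Volume C: [Windows]"
        if ($line -match '^Volume\s+(\S+)') {
            $current = [pscustomobject]@{
                Volume         = $Matches[1]
                Method         = 'Unknown'
                HardwareBacked = $false
            }
            $volumes += $current
        }
        # ... followed by an indented "Encryption Method:" line inside that block
        elseif ($null -ne $current -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $current.Method = $Matches[1]
            # Software encryption reports the cipher (e.g. "XTS-AES 128");
            # a self-encrypting drive reports "Hardware Encryption".
            $current.HardwareBacked = $current.Method -like 'Hardware*'
        }
    }
    return $volumes
}

$report = Get-BitLockerEncryptionMethod
$report | Format-Table -AutoSize

$exposed = $report | Where-Object HardwareBacked
if ($exposed) {
    Write-Warning ("Hardware-encrypted volume(s): {0}. Their protection depends on the SSD firmware, not on BitLocker." -f ($exposed.Volume -join ', '))
}
```

Where a volume shows "Hardware Encryption", Microsoft's guidance for this issue (ADV180028) is to set the Group Policy "Configure use of hardware-based encryption for operating system drives" (and the fixed and removable drive equivalents) to Disabled, then decrypt and re-encrypt the volume, because the policy only governs new encryption and does not convert volumes already encrypted by the drive.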

South Australia Police to be able to compel passwords and biometrics from suspects
Date: 8 November
Author: Chris Duckett
Excerpt: “South Australia Police is set for a boost to its powers under proposed laws introduced on Thursday in Adelaide, which would enable police officers to compel passwords and biometrics from suspects.
That can include the provision of passwords, fingerprints, facial scans, or retinal scans — whatever enables authorities to access a device that may contain evidence of a serious offence.
Anyone who fails to comply with the order could face up to five years imprisonment.”

Govt adds new safeguards to My Health Record
Date: 7 November
Author: iTnews
Excerpt: The federal government has moved to introduce extra privacy and security changes to the legislation behind the controversial My Health Record just a week out from the end of the opt-out period.
The proposed amendments are focused on introducing tougher penalties for system misuse, including by employers, as well as strengthening provisions to safeguard against domestic violence.
They add to the August changes to privacy provisions to make it harder for agencies and police to gain access to the content of a personal electronic health record and allow individuals to delete records permanently at any time.

Defence shipbuilder Austal hit by cyber security breach and extortion attempt
Date: 2 November
Author: ABC
Excerpt: Western Australia-based Defence shipbuilder Austal has been the subject of a cyber security breach and extortion attempt.
The company announced to the stock exchange last night that its Australian data management system had been targeted by an “unknown offender”.
Some staff email addresses and mobile phone numbers were accessed, according to the statement which acknowledged that a “small number” of customers had been affected.
The company, which builds patrol vessels and frigates for the Australian Navy, said there was “no evidence to date that information affecting national security has been stolen”.
But it indicated the hackers got access to — or stole — drawings and designs of its ships.

Stealing Chrome cookies without a password
Date: 26 September
Author: the hacker known as “Alex”
Excerpt: Chrome stores your cookies, history, deepest secrets, etc. in a user-data-dir. By default (if you have no Chrome Profiles), this will be $HOME/Library/Application Support/Google/Chrome/.
Needless to say, this directory is The Good Stuff, and we want to be extremely up in it.

[AusCERT adds: this is less serious than the other articles, but a high-quality writeup of an attack.]

Noteworthy bulletins this week:

1. ESB-2018.3504 – ALERT [Cisco] Cisco Unity Express: Root compromise – Remote/unauthenticated

Unsafe object deserialisation strikes again. 

2. ESB-2018.3484.2 – UPDATE [Win][Linux][Solaris][AIX] IBM Db2: Multiple vulnerabilities

A grab-bag of vulnerabilities in IBM Db2, including an authenticated root compromise via symlink. 

3. ESB-2018.3479 – [Linux][Ubuntu] SpamAssassin: Multiple vulnerabilities

SpamAssassin, which is designed to handle baddies entering your mail system, has a couple of RCEs from crafted input.

4. ESB-2018.3410.4 – UPDATED ALERT [Appliance] Cisco Adaptive Security Appliance Software and Cisco Firepower Software: Denial of service – Remote/unauthenticated

Noteworthy updates to the SIP denial-of-service vulnerability in Cisco firewalls: a fix is available for 9.4, fixes for 9.6 onwards are still pending, and the advisory now gives clearer instructions on disabling SIP inspection as a workaround.

5. ESB-2018.3501 – [Cisco] Cisco Small Business Switches: Unauthorised access – Remote/unauthenticated

The seventh backdoor account removed this year.

Stay patched, stay safe, and have a good weekend!