//Week in review - 30 Nov 2018

AusCERT Week in Review for 30th November 2018

AusCERT Week in Review
30 November 2018


Happy computer security day! Established in 1988, computer security day is celebrated on Nov 30th each year to raise awareness for computer security issues.

Here are some ways you can celebrate too:

– Make sure everything is patched and up to date
– Help a friend set up a password manager and change their email password
– Encourage a relative to enable 2FA on their email or online banking
– Test your backups!
– Ensure your home WiFi has a nice long and unique password

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

ATO may get direct telco metadata and bank data access
Date Published: 26 Nov 2018
Author: Ry Crozier
“The Australian Taxation Office (ATO) could be allowed to directly access telecommunications metadata and other records such as those held by banks under a proposal aired by Treasury late last week.”


LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on Facebook
Date Published: 26 Nov 2018
Author: Ingrid Lunden
“The DPC found that LinkedIn in the US had obtained emails for 18 million people who were not already members of the social network, and then used these in a hashed form for targeted advertisements on the Facebook platform, “with the absence of instruction from the data controller” — that is, LinkedIn Ireland — “as is required.” “

Check your repos… Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)
Date Published: 26 Nov 2018
Author: Thomas Claburn
“A widely used Node.js code library listed in NPM’s warehouse of repositories was altered to include crypto-coin-stealing malware. The lib in question, event-stream, is downloaded roughly two million times a week by application programmers.

This vandalism is a stark reminder of the dangers of relying on deep and complex webs of dependencies in software: unless precautions are taken throughout the whole chain, any one component can be modified to break an app’s security. “

Half of all Phishing Sites Now Have the Padlock
Date Published: 26 Nov 2018
Author: Brian Krebs
“Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018.

This alarming shift is notable because a majority of Internet users have taken the age-old “look for the lock” advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe.”

Potentially disastrous Rowhammer bitflips can bypass ECC protections
Date Published: 22 Nov 2018
Author: Dan Goodin
“In early 2015, researchers unveiled Rowhammer, a cutting-edge hack that exploits unfixable physical weaknesses in the silicon of certain types of memory chips to transform data they stored. In the 42 months that have passed since then, an enhancement known as error-correcting code (or ECC) available in higher-end chips was believed to be an absolute defense against potentially disastrous bitflips that changed 0s to 1s and vice versa.

Research published Wednesday has now shattered that assumption.”


Here are this week’s noteworthy security bulletins:

ESB-2018.3699 – [Win] Sennheiser HeadSetup and HeadSetup Pro: Provide misleading information – Remote/unauthenticated

Two inadvertently disclosed digital certificates could be used to spoof
content and to provide an update to the Certificate Trust List (CTL) to
remove user-mode trust for the certificates.

ESB-2018.3702 – ALERT [Cisco] Cisco Prime License Manager: Execute arbitrary code/commands – Remote/unauthenticated

A vulnerability in the web framework code of Cisco Prime License Manager
(PLM) could allow an unauthenticated, remote attacker to execute arbitrary
SQL queries.

ESB-2018.3688 – [Win][UNIX/Linux][Debian] ghostscript: Multiple vulnerabilities

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service or the
execution of arbitrary code if a malformed Postscript file is processed.

ESB-2018.3652 – [Win][UNIX/Linux][Debian] gnuplot5: Execute arbitrary code/commands – Existing account

gnuplot5, a command-line driven interactive plotting program, has been
examined with fuzzing by Tim Blazytko, Cornelius Aschermann, Sergej
Schumilo and Nils Bars.
They found various overflow cases which might lead to the execution of
arbitrary code.

ESB-2018.3650 – [UNIX/Linux][Debian] roundcube: Cross-site scripting – Remote with user interaction

Roundcube, a skinnable AJAX based webmail solution for IMAP servers,
is prone to a cross-site scripting vulnerability in handling invalid
style tag content.

Stay safe, stay patched and have a good weekend!