7 Dec 2018
Week in review
AUSCERT Week in Review for 7th December 2018
Greetings,
The word on everybody’s lips today is #aabill. With the hasty passage yesterday of the Assistance & Access Act 2018, Australia has extended the reach of its law-enforcement groups. They will shortly be able to serve notices to access protected data.
The extent of the powers is not yet fully understood, and terms such as “systemic weakness” will likely require judicial interpretation. What impact will this have on your business? We’ll just have to wait and see.
After the jump, some news articles.
Australia gets world-first encryption busting laws
https://www.itnews.com.au/news/australia-gets-world-first-encryption-busting-laws-516601
Author: iTnews
Published: December 6 2018
Australia’s law enforcement agencies have a wide range of new encryption-busting powers after Labor dropped all opposition to a highly contentious bill and let it pass without extra changes it claimed all day were needed.
The bill passed into law by 44 votes to 12 in the senate, having already cleared the lower house where just two MPs voted against it.
Assistance and Access Bill 2018: Explanatory Document
https://www.homeaffairs.gov.au/how-to-engage-us-subsite/files/assistance-access-bill-2018/explanatory-document.pdf
Author: Department of Home Affairs
Published: August 2018
This explanatory document accompanies the exposure draft of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill).
The Bill provides national security and law enforcement agencies with powers to respond to the challenges posed by the increasing use of encrypted communications and devices. The proposed changes are designed to help agencies access intelligible communications through a range of measures, including improved computer access warrants and enhanced obligations for industry to assist agencies in prescribed circumstances. This includes accessing communications at points where it is not encrypted. The safeguards and limitations in the Bill will ensure that communications providers cannot be compelled to build systemic weaknesses or vulnerabilities into their products that undermine the security of communications. Providers cannot be required to hand over telecommunications content and data.
‘Outlandish’ encryption laws leave Australian tech industry angry and confused
https://www.abc.net.au/news/science/2018-12-07/encryption-bill-australian-technology-industry-fuming-mad/10589962
Author: ABC News
Published: December 7 2018
The situation has left Australian technology companies struggling to understand the potential impact on their global standing and bottom line.
John Stanton, chief executive of the Communications Alliance, said the bill’s passing was a “magnificent triumph of politics over policy”.
Partner at M8 Ventures Alan Jones argued the bill will have unintended consequence for the security reputation of Australian businesses — “crippling” attempts to export their technology.
“It could be just enough to lose a deal to a competitor in Israel and the US,” he said.
Adobe releases out-of-band security update for newly-discovered Flash zero-day
https://www.zdnet.com/article/adobe-releases-out-of-band-security-update-for-newly-discovered-flash-zero-day/
Author: ZDNet
Published: December 5 2018
Adobe released patches today for a new zero-day vulnerability discovered in the company’s popular Flash Player app. The zero-day has been spotted embedded inside malicious Microsoft Office documents.
These documents were discovered last month after they’ve been uploaded on VirusTotal, a web-based file scanning service, from a Ukrainian IP address.
A Breach, or Just a Forced Password Reset?
https://krebsonsecurity.com/2018/12/a-breach-or-just-a-forced-password-reset/
Author: Brian Krebs
Published: December 4 2018
Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many Sharefile users interpreted this as a breach at Citrix and/or Sharefile, but the company maintains that’s not the case.
Warning about tax scams
https://www.scamwatch.gov.au/news/warning-about-tax-scams
Author: ACCC Scamwatch
Published: December 4 2018
Tax scams seem to be everywhere at the moment and Scamwatch is warning people not to engage with phone calls or emails they receive threatening arrest or jail over unpaid tax debts.
Reports of these scams have jumped significantly during the past month. The scam is timed to coincide with the cut-off date for people needing to have their tax returns submitted to the Australian Tax Office.
Most of these scams occur over the phone. People get a call from an aggressive scammer directly or receive a robotic-sounding voice message informing them they need to contact a phone number in relation to an outstanding tax debt, or face imminent arrest and jail time.
Buying a new device
https://www.cert.govt.nz/businesses-and-individuals/guides/stepping-up-your-cyber-security/buying-a-new-device
Author: CERT-NZ
Get our tips to help you stay secure when you’re thinking of buying a new device.
Here are this week’s noteworthy security bulletins:
1. ESB-2018.3747 – ALERT [RedHat] Red Hat OpenShift Container Platform & Kubernetes: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/72578
Nasty privilege escalation/hijacking vulnerability in Kubernetes with a CVSSv3 score of 9.8 out of 10.
2. ESB-2018.3766 – [Apple iOS] iOS: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/72658
Apple’s monthly patches include multiple vulnerabilities in WebKit (used widely) and some significant vulnerabilities in iOS.
3. ASB-2018.0296 – [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/72650
The release of Chrome 71 includes some fixes for significant vulnerabilities, including RCE from a web page.
4. ESB-2018.3702 – ALERT [Cisco] Cisco Prime License Manager: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/72390
Cisco cleaning up SQL injection in another product.
Stay safe, stay patched, and may you not be served with a technical capability notice,
David and the team at AUSCERT