//Week in review - 2 Dec 2019

AusCERT Week in Review for 22nd November 2019


Welcome to the new format for the Week in Review. We hope you like it!

AusCERT’s Week in Review will move to a new mailing list known as the AusCERT Daily Intelligence Report. This consists of a daily report on Mondays to Thursdays, and a weekly report on Fridays.

If you don’t want this, please click the “unsubscribe” link at the bottom of the email. If you encounter any problems, please email <membership@auscert.org.au>.

“Sic Transit Gloria Mundi”, and so our perception of a secure system does erode away with time. Well, systems do not form security cracks over time but there is an enormous amount of effort being made to find them and then patch them. So don’t let your systems security fade: keep the patches up to date.

Microsoft Outlook for Android Bug Opens Door to XSS

Date: 2019-11-21
Author: Threatpost

Users of the Microsoft Outlook for Android app should update their apps to avoid a range of attacks.
The bug (CVE-2019-1460) would allow an attacker to perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user, according to Microsoft’s advisory on the bug. XSS occurs when malicious parties inject client-side scripts into web pages, which trick the unsuspecting user’s browser into thinking that the script came from a trusted source.

Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies

Date: 2019-11-17
Author: VICE

An infamous vigilante hacker known for their hits on surveillance companies is launching a new kind of bug bounty to reward hacktivists who do public interest hacks and leaks.
In their new manifesto, Phineas Fisher also claimed to have hacked an offshore bank and called on other hacktivists to join in the fight against inequality and capitalism. The hacker said that in 2016 they hacked the Cayman Bank and Trust Company from the Isle of Man, an island between the UK and Northern Island. The hacker said they were able to steal money, documents, and emails from the bank.
The hacker shared the stolen documents and emails from the bank to the leaking website Distributed Denial of Secrets, run by journalist and activist Emma Best, who said they uploaded 640,000 emails, in what is “the most detailed look at international banking that the public will have ever had access to.”

Get ahead of the cybersecurity curve

Date: 2019-11-18
Author: SC Magazine

Experienced cybersecurity leaders are beginning to call for a move from reactive detection to proactive prevention. It’s clear that the need to get ahead of the cybersecurity curve is real.
Over the past decade, experts talked about the number of days that malware is in your system, and now the discussion is fast becoming how many seconds you have between detection and disaster. There is no longer time to call the boss, check your files or phone a friend. Victims are literally watching their systems being taken over, and they are powerless to stop it despite massive budgets and plans. Clearly, spending on an arms race with dollars, people and technology is not an effective long-term solution. We need a different approach.
Enter proactive prevention, the concept behind this move toward flipping the script and finally getting ahead of our adversaries.

Twitter will finally let users disable SMS as default 2FA method

Date: 2019-11-22
Author: ZDNet

Twitter announced today that users will finally be able to disable SMS-based two-factor authentication (2FA) for their accounts, and use an alternative method only, such as a mobile one-time code (OTP) authenticator app or a hardware security key.

Google will pay $1.5 million for the most severe Android exploits

Date: 2019-11-22
Author: Ars Technica

Google will pay up to $1.5 million for the most severe hacks of its Pixel line of Android phones, a more than seven-fold increase over the previous top Android reward, the company said.
Effective immediately, Google will pay $1 million for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” the company said in a post published on Thursday. The company will also pay $500,000 for exploits that exfiltrate data out of a Pixel or bypass its lock screen.

Millions of Sites Exposed by Flaw in Jetpack WordPress Plugin

Date: 2019-11-20
Author: Bleeping Computer

Admins and owners of WordPress websites are urged to immediately apply the Jetpack 7.9.1 critical security update to prevent potential attacks that could abuse a vulnerability that has existed since Jetpack 5.1.
You can update your installation to the 7.9.1 version through your dashboard, or manually download the Jetpack 7.9.1 release.

ANU students forced to re-sit exam after data leak

Date: 2019-11-19
Author: The Riot ACT

Students in the Digital Analysis course at the ANU will be forced to re-take an exam, potentially delaying their graduation, after the university confirmed a data leak last week.
“The need for a class to re-sit an exam is extremely rare, and is only undertaken when absolutely required,” an ANU spokesperson said after security protocols successfully identified that a breach had occurred.

Noteworthy bulletins this week:

ESB-2019.4421 – [Win][UNIX/Linux] Asterisk: Multiple vulnerabilities

Denial of Service from Remote Unauthenticated Sessions

ESB-2019.4410 – [UNIX/Linux] BIND: Denial of service – Remote/unauthenticated

“… the load on the server releasing these multiple resources can cause it to become unresponsive …”

ESB-2019.4400 – [Cisco] Cisco Small Business Routers: Access confidential data – Remote/unauthenticated

“… could allow an unauthenticated, remote attacker to view information displayed in the web-based management interface …”

ESB-2019.4384 – [Win][Linux][Mac] Flexera FlexNet Publisher: Multiple vulnerabilities

“… could allow the attacker to deny the acquisition of a valid license …”

ESB-2019.4379 – [Linux] Apache Solr: Execute arbitrary code/commands – Remote/unauthenticated

“… which may in turn allow them to upload malicious code for execution on the Solr server.”

Stay safe, stay patched and have a good weekend!