Member information

Membership Services and Benefits

9 Jan 2024

AUSCERT provides members with proactive and reactive advice and solutions to current threats and vulnerabilities. We’ll help you prevent, detect, respond to and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland, AUSCERT provides a range of comprehensive services to strengthen your cyber security strategy.

AUSCERT services are split across three capability pillars: Incident Support, Vulnerability Management and Threat Intelligence. These services are all included in AUSCERT Membership.

Incident Support

Incident Support – Assists your organisation to detect, interpret and respond to attacks from around the world. Includes access to our highly skilled team of analysts and developers, who are available through email, Slack or a 24/7 hotline.

Phishing Takedown – Designed to help your organisation with targeted phishing, spear phishing and whaling attacks.

Vulnerability Management

Security Bulletins – Provides information on threats and vulnerabilities affecting a range of platforms, applications and devices.

Member Security Incident Notifications – Customised composite security report containing incident notifications relevant to your organisation’s domains and IP ranges. Proactively informs you about security incidents affecting your organisation’s data, systems or networks.

Early Warning SMS – Receive SMS notifications for the most critical security threats and vulnerabilities.

Threat Intelligence

AusMISP – Our MISP service provides threat indicators acquired from trusted communities and organisations to enhance your cyber security posture.

Malicious URL Feed – AUSCERT provides a list of active phishing, malware, malware logging or mule recruitment web sites which can be added to your firewall blacklist.

Sensitive Information Alert – Alert notification for sensitive material and breached credentials found online by our analyst team which specifically target your organisation.

Additional Benefits

Member benefits for the annual AUSCERT Cyber Security Conference, Australia’s longest running information security conference. The next conference will be held on 21-24 May 2024 at The Star Gold Coast. Further details are available here: https://conference.auscert.org.au/

Reduced registration price (available to all members)
50% off one conference registration or 1-day registration (small members)
One or more conference registrations (medium members and above)

Member pricing for AUSCERT’s range of cyber security training courses. Course information, pricing and calendar are available here: https://wordpress-admin.auscert.org.au/services/auscert-education/

Access to AUSCERT member meetups, workshops and events.

Download: AUSCERT Membership Services & Benefits.pdf


Member information

AUSCERT Bulletin Formats

11 Jul 2017

AUSCERT sends out two forms of bulletin: AUSCERT Security Bulletins (ASBs) and External Security Bulletins (ESBs). Previously, there were four types of bulletin: External Security Bulletins (ESB), AUSCERT Advisories (AA), AUSCERT Alerts (AL) and AUSCERT Updates (AU). The new two-type system allows a simpler differentiation between bulletin types: ASBs are written in-house, referencing available information that may not have a current coherent source, while ESBs are bulletins written by other vendors that we have summarised and re-released. Both ASBs and ESBs contain ‘header information’ that quickly summarises the contents and allows readers to determine important information at a glance.

Document Titles and Subject Lines

Bulletin titles (also used as the subject line of mailouts) are formatted to indicate basic information in as short a format as possible. The title includes the AUSCERT bulletin ID (for instance ASB-2009.0001 or ESB-2009.0123), a revision number if applicable (eg. ESB-2009.0123.2) and an ‘ALERT’ flag if the contents of the bulletin are time critical or reference an actively exploited vulnerability. Titles also include a list of ‘environment’ tags naming the operating systems or hardware types the vulnerability affects. Unless the vulnerability is very specific this will usually only contain operating system families such as Windows ([Win]) and Linux ([Linux]). The rest of the title is either the product or the publisher, along with the most severe impact of the vulnerability. In the case of a bulletin regarding multiple vulnerabilities this is replaced with ‘Multiple Vulnerabilities’.

For instance, what might previously have been sent out with a subject line of:

(AUSCERT AL-2009.0000) [Win] Critical vulnerabilities in ImportantProgram may result in data loss

would now have a subject line like:

ESB-2009.0000 – ALERT [Win] ImportantProgram: Delete arbitrary files – Remote/unauthenticated

or

ESB-2009.0000 – ALERT [Win] ImportantProgram: Multiple vulnerabilities

Bulletin Header

Since more information is now included in the bulletin title, the header only includes the bulletin ID, the date and a short descriptive sentence. In the case of ESBs, this is often the subject of the original bulletin.

Bulletin Summary

The bulletin summary is an index of the important information in the bulletin. Both ESBs and ASBs contain a summary, although some fields may only be found in one type. A description of each field is below.

Product

The Product field gives the names and version numbers of products affected by the bulletin. The product may be an operating system, in which case no Operating System field will be given. Both ESBs and ASBs have a Product field.

Publisher

Only present in an ESB, the Publisher field gives the name of the original source of the bulletin. Often this is an operating system vendor (like Microsoft or Red Hat), but it may be another security team or research group.

Operating System

This field gives a list of operating systems or operating system families that are affected by the vulnerability. The operating systems themselves are not affected by the vulnerability, but the affected program runs on those operating systems.

Platform

A rarely used field, Platform specifies particular architectures (eg i386, SPARC) that are affected by this vulnerability, in a similar fashion to the Operating System field. In order to be brief, the Platform field is only used if the architectures affected are a subset of the architectures that the affected operating systems run on.
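As an added example (not AUSCERT’s own code), the following Python parser turns the new-style subject lines described above into structured fields, so that mail filters or ticketing rules can key off the bulletin ID, the ALERT flag, the environment tags and the impact/access pair rather than on free text. It assumes the layout shown in the examples above, accepts a plain hyphen wherever the page shows an en-dash (mail clients may rewrite it), and also accepts the UPDATE and UPDATED ALERT tags that the Bulletin Versioning section later on this page describes. The names parse_subject, needs_immediate_review and Subject are introduced here.

```python
"""Parse AUSCERT-style bulletin subject lines into structured fields (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Subject-line layout as described on this page, e.g.
#   ESB-2009.0000 – ALERT [Win] ImportantProgram: Delete arbitrary files – Remote/unauthenticated
#   ESB-2009.0000 – ALERT [Win] ImportantProgram: Multiple vulnerabilities
#   ESB-2009.0123.2 – UPDATED ALERT [Win] ImportantProgram: Multiple vulnerabilities
# Assumption: a plain hyphen is accepted wherever the page shows an en-dash.
_SUBJECT_RE = re.compile(
    r"^\s*(?P<id>(?:ASB|ESB)-\d{4}\.\d{4})"           # bulletin ID, e.g. ESB-2009.0123
    r"(?:\.(?P<rev>\d+))?"                           # optional revision suffix, e.g. .2
    r"\s*(?:[-–]\s*)?"                               # dash separator (absent when there is no flag)
    r"(?:(?P<flag>UPDATED ALERT|ALERT|UPDATE)\s+)?"  # time-critical / update tags
    r"(?P<tags>(?:\[[^\]]+\]\s*)*)"                  # environment tags such as [Win] [Linux]
    r"(?P<rest>.+?)\s*$"                             # 'Product: Impact – Access'
)
_IMPACT_ACCESS_RE = re.compile(r"\s+[-–]\s+")        # dash between impact and access


@dataclass
class Subject:
    bulletin_id: str
    revision: int                  # 1 for the original release
    alert: bool                    # time critical or actively exploited
    update: bool                   # resent because new information was added
    environments: list = field(default_factory=list)
    product: str = ""
    impact: str = ""
    access: Optional[str] = None   # None for 'Multiple vulnerabilities' subjects


def parse_subject(subject: str) -> Subject:
    """Return the fields of one subject line, or raise ValueError if it is not a bulletin."""
    m = _SUBJECT_RE.match(subject)
    if not m:
        raise ValueError(f"not an AUSCERT bulletin subject: {subject!r}")
    product, sep, detail = m.group("rest").partition(":")
    if not sep:
        raise ValueError(f"missing 'Product:' separator in {subject!r}")
    parts = _IMPACT_ACCESS_RE.split(detail.strip(), maxsplit=1)
    flag = m.group("flag") or ""
    return Subject(
        bulletin_id=m.group("id"),
        revision=int(m.group("rev") or 1),
        alert="ALERT" in flag,
        update="UPDATE" in flag,      # true for both UPDATE and UPDATED ALERT
        environments=re.findall(r"\[([^\]]+)\]", m.group("tags")),
        product=product.strip(),
        impact=parts[0],
        access=parts[1] if len(parts) == 2 else None,
    )


def needs_immediate_review(subject: str) -> bool:
    """Triage rule (assumption): ALERT-flagged bulletins exploitable remotely without authentication."""
    s = parse_subject(subject)
    return s.alert and (s.access or "").lower() == "remote/unauthenticated"


if __name__ == "__main__":
    for line in [
        "ESB-2009.0000 – ALERT [Win] ImportantProgram: Delete arbitrary files – Remote/unauthenticated",
        "ESB-2009.0123.2 – UPDATED ALERT [Win] [Linux] ImportantProgram: Multiple vulnerabilities",
    ]:
        print(parse_subject(line), needs_immediate_review(line))
```

Because a ‘Multiple vulnerabilities’ subject carries no access level, needs_immediate_review returns False for it; such bulletins still need the summary block read before they are deprioritised.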
Impact and Access

Previously separate as two fields, the Impact and Access matrix lists the impacts of the vulnerabilities along with the associated access required to exploit them.

Impact Values

There are several predefined values for the Impact. The values and their meanings are below.

Root Compromise: The root account in a Unix or Linux based system can be accessed. This is a serious issue and may result in an attacker taking complete control of the affected machine.

Administrator Compromise: An administrator account (for instance within Windows or within an administration application) can be accessed. This is a serious issue and may result in an attacker taking over the affected machine. Note that in Windows this may also be a compromise of the SYSTEM account.

Execute Arbitrary Code/Commands: An attacker can execute commands beyond what is usually possible. This can include machine code, interpreted code such as Java or JavaScript, or SQL.

Increased Privileges: An attacker can increase their privilege level on the affected system. This may allow them to gain normal user access to a machine they should have no access to, or allow them to access the data or privileges of another user on the system.

Access Privileged Data: An attacker can read (and possibly write) data on the system that would otherwise be protected by a security measure. The attacker may not be able to perform any other action or gain the use of the privileges they would otherwise require to view this content.

Modify Permissions: An attacker can add or remove permissions from an object. This may allow them to deny access to a valid user, or allow them to access something they would otherwise be blocked from.

Modify Arbitrary Files: An attacker can read, write or delete arbitrary files. The files they can access may be limited.

Overwrite Arbitrary Files: An attacker can replace the contents of arbitrary files. This may lead to a denial of service if important system files are replaced, or allow further access.

Create Arbitrary Files: An attacker can create files that they would otherwise not be allowed to. This may be leveraged to perform other attacks or gain access.

Delete Arbitrary Files: An attacker can delete files. This may allow a denial of service, or weaken existing defenses and allow further attacks.

Cross-site Scripting: A specific form of code execution, cross-site scripting may allow an attacker to inject their own HTML into an affected site’s code. This is not restricted to public facing websites: an attacker may be able to insert code that is activated when an administrator examines logs or uses some other administrative interface.

Denial of Service: An attacker can block access to resources from legitimate users. This may include causing a program to crash or freeze and not recover, causing an entire system to crash, or simply using up all of a resource (for instance network bandwidth).

Website Defacement: A specific form of Modify Arbitrary Files, this impact allows an attacker to change a website. The change may not be obvious: an attacker might use such a vulnerability to spread malware to visitors of the affected site.

Provide Misleading Information: An attacker may be able to force a program or protocol to produce incorrect information. This may be to hide an attacker’s activity or to trick a user into performing an unsafe action.

Read-only Data Access: An attacker may be able to read data they would otherwise not have access to. This may include files, segments of memory or network traffic.

Access Confidential Data: An attacker may be able to access data that would otherwise be hidden or inaccessible. This differs from Access Privileged Data in that the data may not be directly protected by access restrictions, but is still important. For instance, if a vulnerability allowed access to credit card details before those details were protected or deleted, that would be Access Confidential Data.

Unauthorised Access: An attacker is able to access data in a way that is otherwise disallowed. This is a more generic version of the other access-based impacts.

Reduced Security: A catch-all impact: the security level of the systems involved is weakened. This is used when the exact impact is unknown, or if the impact doesn’t match any of the others.

Access Values

There are several possible values for the access required to exploit a vulnerability. Generally, the less access required, the worse the vulnerability.

Remote/Unauthenticated: The only access required is that a connection can be made to the affected system.

Remote with User Interaction: The attacker requires no access themselves, but they need to trick a legitimate user into initiating the exploit (for instance by visiting a website or opening a file).

Existing Account: The attacker must have an existing user account on the system and must authenticate to exploit the vulnerability.

Console/Physical: The attacker must have direct physical access to the system. This is usually related to a vulnerability in a screen saver or other physical locking system.

Unknown/Unspecified: No access information is currently known.

Resolution

The Resolution field gives a quick indication of how to protect against the vulnerability. The possible values are:

None: No resolution is currently available.

Patch/Upgrade: A patch or a new, unaffected version of the product is available. Note that only official vendor patches are acceptable as a patch; third party patches would be considered a mitigation.

Mitigation: There are mitigation steps available that may be used; however, there is no specific fix for the vulnerability.

Alternate Program: Another program with similar functionality is available that is not vulnerable.

CVE

This field lists any CVE identifiers that relate to this vulnerability. CVEs are an excellent way of tracking vulnerabilities that affect multiple products.

Reference

This field lists other AUSCERT bulletin IDs that are related to this vulnerability. These IDs should also appear as links at the top of the page so that related bulletins can be navigated to easily.

Bulletin URL

Only available in ESBs, this field lists URLs of the original bulletin source. Often the original bulletin will have further links and information that might be of use.

Bulletin Versioning

If new information becomes available regarding a bulletin we have already released, we will update the information on our website and may resend the bulletin if the information is important. Previously only the most recent version of the bulletin was available on our website; now previous versions will be available as attachments to the current version.

Updates will have a version number appended to the bulletin ID. For instance, the second version of ESB-2009.0000 is ESB-2009.0000.2. After an update is done the original version will be renamed to ESB-2009.0000.1. If a new version is considered to contain important information, the bulletin will be resent with an extra tag of ‘UPDATE’ in the subject line. For bulletins that were already tagged with ‘ALERT’, this will become ‘UPDATED ALERT’.

Example

An example bulletin under the new system is below.
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.0001
   A critical vulnerability in ImportantProgram may allow code execution
                               16 April 2009

===========================================================================

        AUSCERT Security Bulletin Summary
        ---------------------------------

Product:           ImportantProduct
Publisher:         ExamplePublisher
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Patches Available: Yes
CVE Names:         CVE-2009-0000
Original Bulletin: http://www.example.com/example?id

--------------------------BEGIN INCLUDED TEXT--------------------

This is an example bulletin. Normally the details of the vulnerability and
how to fix it would be here.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AUSCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AUSCERT's members. As
AUSCERT did not write the document quoted above, AUSCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AUSCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for member
                emergencies only.
===========================================================================
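As an added example (not part of the page and not AUSCERT’s tooling), the Python below parses the Security Bulletin Summary block of the example bulletin above and checks its Impact/Access matrix against the impact and access vocabularies defined in the field descriptions, then picks the least-restrictive access level for triage, following the page’s rule that less required access means a worse vulnerability. The summary layout it assumes is the one in the example: one ‘Field: value’ per line starting in column 0, indented continuation lines for additional Impact/Access pairs, and ‘--’ between impact and access. The sample text is the example bulletin’s own header and summary; parse_summary, unknown_terms and worst_access are names introduced here.

```python
"""Parse the Security Bulletin Summary of an AUSCERT ESB/ASB and sanity-check its
Impact/Access matrix against the vocabularies described on this page (added example)."""
import re

# Impact values listed under 'Impact Values' on this page.
IMPACTS = {
    "Root Compromise", "Administrator Compromise", "Execute Arbitrary Code/Commands",
    "Increased Privileges", "Access Privileged Data", "Modify Permissions",
    "Modify Arbitrary Files", "Overwrite Arbitrary Files", "Create Arbitrary Files",
    "Delete Arbitrary Files", "Cross-site Scripting", "Denial of Service",
    "Website Defacement", "Provide Misleading Information", "Read-only Data Access",
    "Access Confidential Data", "Unauthorised Access", "Reduced Security",
}
# Access values ordered from least to most access required; the page says the
# less access required, the worse the vulnerability, so a lower index is worse.
ACCESS_ORDER = [
    "Remote/Unauthenticated", "Remote with User Interaction",
    "Existing Account", "Console/Physical", "Unknown/Unspecified",
]

# Constructed sample: the header and summary of the example bulletin on this page.
SAMPLE_BULLETIN = """\
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.0001
   A critical vulnerability in ImportantProgram may allow code execution
                               16 April 2009
===========================================================================

        AUSCERT Security Bulletin Summary
        ---------------------------------

Product:           ImportantProduct
Publisher:         ExamplePublisher
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Patches Available: Yes
CVE Names:         CVE-2009-0000
Original Bulletin: http://www.example.com/example?id

--------------------------BEGIN INCLUDED TEXT--------------------
This is an example bulletin.
--------------------------END INCLUDED TEXT--------------------
"""

_FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")   # 'Field: value' at column 0
_PAIR_RE = re.compile(r"\s+(?:--|-|–)\s+")                        # 'impact -- access'


def parse_summary(bulletin: str) -> dict:
    """Return the summary fields; 'Impact/Access' becomes a list of (impact, access) pairs."""
    lines = bulletin.splitlines()
    starts = [i for i, l in enumerate(lines) if "AUSCERT Security Bulletin Summary" in l]
    if not starts:
        raise ValueError("no summary block found")
    fields, key = {}, None
    for line in lines[starts[0] + 1:]:
        if "BEGIN INCLUDED TEXT" in line or line.startswith("="):
            break                                   # end of the summary block
        if not line.strip() or set(line.strip()) == {"-"}:
            continue                                # blank line or underline
        m = _FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            fields[key] = [value] if value else []
        elif key and line.startswith(" "):
            fields[key].append(line.strip())        # indented continuation line
    result = {k: " ".join(v) for k, v in fields.items()}
    pairs = []
    for entry in fields.get("Impact/Access", []):
        parts = _PAIR_RE.split(entry, maxsplit=1)
        pairs.append((parts[0], parts[1] if len(parts) == 2 else "Unknown/Unspecified"))
    result["Impact/Access"] = pairs
    result["CVE Names"] = re.findall(r"CVE-\d{4}-\d{4,}", result.get("CVE Names", ""))
    return result


def unknown_terms(summary: dict) -> list:
    """Impact or access strings that are not in the documented vocabularies."""
    bad = []
    for impact, access in summary["Impact/Access"]:
        if impact not in IMPACTS:
            bad.append(impact)
        if access not in ACCESS_ORDER:
            bad.append(access)
    return bad


def worst_access(summary: dict) -> str:
    """Least-restrictive access level in the matrix, i.e. the one to triage on."""
    ranks = [ACCESS_ORDER.index(a) for _, a in summary["Impact/Access"] if a in ACCESS_ORDER]
    return ACCESS_ORDER[min(ranks)] if ranks else "Unknown/Unspecified"


if __name__ == "__main__":
    s = parse_summary(SAMPLE_BULLETIN)
    print(s["Impact/Access"], unknown_terms(s), worst_access(s))
```

An unexpected term reported by unknown_terms usually means the bulletin format changed or the mail was wrapped in transit, so a parser built on these fields should flag it for manual review rather than silently dropping the pair.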


Member information

A guide to AUSCERT Member Security Incident Notifications: MSIN

11 Jul 2017

Introduction

As part of its ongoing efforts to enhance member services, AUSCERT has launched its Member Security Incident Notification services.

What’s an MSIN?

An MSIN is a daily customised composite security report targeted towards AUSCERT member organizations. It contains a compilation of “security incident reports” as observed by AUSCERT through its threat intelligence platforms.

Daily

MSINs are issued on a daily basis. They are only issued to a member if at least one incident report specific to the member is detected within the past 24-hour period. This also means that if there are no incidents to report, you will not receive an MSIN! It follows that the more security incidents spotted corresponding to your organization, the more incident reports will be included in the MSIN, and the larger the MSIN you receive.

Customised

MSINs are tailored for each member organization, based on:

IPs and Domains provided

To receive accurate and useful MSINs, it’s important you keep this information updated (see FAQ).

Severity

Individual events in MSINs are categorised into the following severity levels:

Critical: Highly critical vulnerabilities that are being actively exploited, where failure to remediate poses a very high likelihood of compromise. For example, a pre-auth RCE, or modification or leakage of sensitive data.

High: End-of-life systems; systems that you can log into with authentication that are meant to be internal (SMB, RDP); some data can be leaked. Sinkhole events end up in this category.

Medium: Risk that does not pose an immediate threat to the system but can over time escalate to a higher severity. For example, risk of participating in DDoS, unencrypted services requiring login, vulnerabilities requiring visibility into network traffic (MITM without being able to manipulate the traffic) to exploit, or vulnerabilities where the attacker would need to know internal systems/infrastructure in order to exploit them.

Low: Deviation from best practice; little to no practical way to exploit, but the setup is not ideal. Vulnerabilities requiring MITM (including manipulating the traffic) to exploit. For example, SSL POODLE reports may end up in this category.

Info: Informational only. Typically no concerns. Review in accordance with your security policy.

These severity levels are based on those used by Shadowserver. Events which have not been assigned a severity will be marked as Unknown.

A summary of reports by severity level can be found at the top of your MSIN. For example:

Summary of reports based on severity:
* Critical: accessible-ssh 3
* High : vulnerable-exchange-server 1
* Medium : accessible-cwmp 1

The MSIN subject will be prefixed with the highest severity level seen in the report. For example:

[Severity:CRITICAL] AusCERT Member Security Incident Notification (MSIN) for “Member Name”

Composite

Each MSIN could potentially consist of multiple incident type reports. For example, it could contain an Infected Hosts report, which highlights hosts belonging to a member organization that have been spotted attempting to connect to a known botnet C&C server, followed by a DNS Open Resolvers report listing open recursive DNS resolvers that could be used in a DNS amplification DDoS attack.

Each incident type report could also include multiple incident reports. For example, this “infected hosts” report contains 2 incidents:

Incidents Reported

    Timestamp:                      2015-08-25T00:20:34+00:00
    Drone IP:                       123.456.789.abc
    Drone Port:                     13164
    Drone Hostname:                 abc.xxx.xxx.xxx.au
    Command and Control IP:         aaa.bbb.ccc.ddd
    Command and Control Hostname:   imacnc1.org
    Command and Control Port:       80
    Malware Type:                   redyms

    Timestamp:                      2015-08-25T00:20:34+00:00
    Drone IP:                       321.654.987.cba
    Drone Port:                     2343
    Drone Hostname:                 def.xxx.xxx.xxx.au
    Command and Control IP:         ddd.eee.fff.ggg
    Command and Control Hostname:   imacnc2.org
    Command and Control Port:       123
    Malware Type:                   dyre

All timestamps are in UTC. It is imperative that these incidents be reviewed and handled individually.

Structure

An MSIN has the following basic structure.

==================HEADING FOR INCIDENT TYPE 1==============
Incident Type
    Name of the incident and any known exploited vulnerabilities and associated CVEs.
Incident Description
    Further information on potential attack vectors and impacts.
Incidents Reported
    List of individual reports sighted by AUSCERT
    Incident report 1
    Incident report 2
    …
    Incident report n
AUSCERT recommended mitigations
    Steps for resolution of incidents or mitigation of vulnerabilities which could be exploited in the future.
References
    Links to resources referenced within the report
Additional Resources
    Links to additional material such as tutorials, guides and whitepapers relevant to the report, aimed at enhancing the recipient’s understanding of the addressed vulnerabilities, potential impacts and mitigation techniques.
=============================END OF REPORT=========================

=====================HEADING FOR INCIDENT TYPE 2====================
Incident Type
Incident Description
Incidents Reported
    Incident report 1
    Incident report 2
    …
    Incident report n
AUSCERT recommended mitigations
References
Additional Resources
=============================END OF REPORT=========================

…
…

=====================HEADING FOR INCIDENT TYPE X====================
=============================END OF REPORT=========================

Frequently Asked Questions

How can I update domain/IP information for my organization?

If you are a Primary AUSCERT contact, simply write to AUSCERT Membership at membership@auscert.org.au and provide the updated information. If you have a privileged account in the Member portal you can request changes through the portal. AUSCERT will perform a validation check to ensure the domains are under your organization’s ownership or control prior to including them in the monitoring list.

Where does the information in an MSIN come from?

AUSCERT receives information relating to compromised and/or vulnerable resources from several trusted third parties, through secure means. The trust relationship between AUSCERT and third parties entails conditions which prevent disclosure of the source(s) of information.
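The following is an added example, not AUSCERT’s own code, showing how a member’s tooling could consume an MSIN: it parses the ‘Incidents Reported’ records of the infected-hosts report shown in this guide into one record per incident (so each can be tracked individually, as the guide asks), then rebuilds the severity summary and the [Severity:…] subject prefix the guide describes. The report-type to severity mapping is constructed from the guide’s example summary (accessible-ssh as Critical, vulnerable-exchange-server as High, accessible-cwmp as Medium) plus the note that sinkhole events are High; AUSCERT’s actual assignments follow Shadowserver’s levels and are not listed on this page. The sample record text is the guide’s example with its placeholder addresses; parse_incidents, severity_summary, format_summary and subject_line are names introduced here.

```python
"""Parse MSIN 'Incidents Reported' records and rebuild the severity summary and
subject prefix described in this guide (added example, not AUSCERT's code)."""
import re

# Most to least severe, as listed under 'Severity' above; unassigned events are Unknown.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Constructed mapping from report type to severity, taken from the guide's example
# summary plus the note that sinkhole events are High. Real assignments follow
# Shadowserver's levels and are not documented on this page.
SEVERITY_OF = {
    "accessible-ssh": "Critical",
    "vulnerable-exchange-server": "High",
    "sinkhole": "High",
    "accessible-cwmp": "Medium",
}

# Constructed sample: the 'infected hosts' report from this guide, placeholder
# addresses included.
SAMPLE_INCIDENTS = """\
Incidents Reported

    Timestamp:                      2015-08-25T00:20:34+00:00
    Drone IP:                       123.456.789.abc
    Drone Port:                     13164
    Drone Hostname:                 abc.xxx.xxx.xxx.au
    Command and Control IP:         aaa.bbb.ccc.ddd
    Command and Control Hostname:   imacnc1.org
    Command and Control Port:       80
    Malware Type:                   redyms

    Timestamp:                      2015-08-25T00:20:34+00:00
    Drone IP:                       321.654.987.cba
    Drone Port:                     2343
    Drone Hostname:                 def.xxx.xxx.xxx.au
    Command and Control IP:         ddd.eee.fff.ggg
    Command and Control Hostname:   imacnc2.org
    Command and Control Port:       123
    Malware Type:                   dyre
"""

_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*$")   # indented 'Key: value'


def parse_incidents(text: str) -> list:
    """One dict per incident; every 'Timestamp:' line starts a new record."""
    records, current = [], None
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue                       # headings and blank lines
        key, value = m.groups()
        if key == "Timestamp":
            current = {}
            records.append(current)
        elif current is None:
            raise ValueError(f"field {key!r} appears before the first Timestamp")
        current[key] = value
    return records


def severity_summary(report_counts: dict, severity_of: dict = SEVERITY_OF) -> dict:
    """{report type: incident count} -> {severity: [(report type, count), ...]}, most severe first."""
    grouped = {}
    for rtype, n in report_counts.items():
        grouped.setdefault(severity_of.get(rtype, "Unknown"), []).append((rtype, n))
    return {sev: sorted(grouped[sev]) for sev in SEVERITY_ORDER if sev in grouped}


def format_summary(summary: dict) -> str:
    """Render the 'Summary of reports based on severity' block shown at the top of an MSIN."""
    lines = ["Summary of reports based on severity:"]
    for sev, items in summary.items():
        lines += [f"* {sev}: {rtype} {n}" for rtype, n in items]
    return "\n".join(lines)


def subject_line(summary: dict, member: str) -> str:
    """Prefix the subject with the highest severity present in the report."""
    top = next((sev for sev in SEVERITY_ORDER if sev in summary), "Unknown")
    return f'[Severity:{top.upper()}] AusCERT Member Security Incident Notification (MSIN) for "{member}"'


if __name__ == "__main__":
    incidents = parse_incidents(SAMPLE_INCIDENTS)
    counts = {"accessible-ssh": 3, "vulnerable-exchange-server": 1,
              "accessible-cwmp": 1, "infected-hosts": len(incidents)}
    summary = severity_summary(counts)
    print(subject_line(summary, "Member Name"))
    print(format_summary(summary))
    for inc in incidents:                  # each incident is reviewed individually
        print(inc["Drone IP"], "->", inc["Command and Control Hostname"], inc["Malware Type"])
```

A report type missing from the mapping lands under Unknown rather than being dropped, mirroring the guide’s rule that events without an assigned severity are marked Unknown; a mail rule that only watches for [Severity:CRITICAL] would therefore miss them, so the Unknown group deserves a look as well.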
