AUSCERT Week in Review for 27th October 2017 AUSCERT Week in Review27 October 2017 Greetings, With another named vulnerability and a new chapter in the unfolding Kaspersky saga,it seems that we are back to business as usual in the world of Information Security.Even NSA employees are susceptible to malware lurking within illegally-acquired copies of software.As security moves forward, will you protect your organisation by providing them with Microsoft Office licenses? Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week: Title: Is Bad Rabbit the new NotPetya?URL: https://www.itnews.com.au/news/is-bad-rabbit-the-new-notpetya-476121Date: 25th October, 2017Author: Juha SaarinenExcerpt: “A new strain of ransomware is working its way around the globedisguised as a fake Adobe Flash player update delivered as a drive-bydownload.” — Title: Worker who snuck NSA malware home had his PC backdoored, Kaspersky saysURL: https://arstechnica.com/information-technology/2017/10/worker-who-snuck-nsa-secrets-home-had-a-backdoor-on-his-pc-kaspersky-says/Date: 25th October, 2017Author: Dan GoodinExcerpt: “The NSA worker’s computer ran a home version of Kaspersky AV thathad enabled a voluntary service known as Kaspersky Security Network. Whenturned on, KSN automatically uploads new and previously unknown malware tocompany Kaspersky Lab servers. The setting eventually caused the previouslyundetected NSA malware to be uploaded to Kaspersky Lab servers, where itwas then reviewed by a company analyst.” — Title: Attack of the week: DUHKURL: https://blog.cryptographyengineering.com/2017/10/23/attack-of-the-week-duhk/Date: 23rd October, 2017Author: Matthew GreenExcerpt: “This work comes from Nadia Heninger, Shaanan Cohney and myself,and follows up on some work we’ve been doing to look into the securityof pseudorandom number generation in deployed cryptographic devices.” — Title: APNIC Whois Database Password Hashes Were Available for DownloadURL: https://www.bleepingcomputer.com/news/security/apnic-whois-database-password-hashes-were-available-for-download/Date: 24th October, 2017Author: Catalin CimpanuExcerpt: “The Asia-Pacific Network Information Centre (APNIC), theorganization that manages domain name information for the Asia-Pacificregion, fixed on Monday an error that exposed password hashes needed toaccess and edit domain ownership details. The incident came to light onOctober 12 this when eBay employee Chris Barcellos spotted password hashesinside downloadable Whois information. The researcher reached out to APNICwith the issue, and the company fixed the problem by the second day.” — Title: IoT_reaper: A Rappid Spreading New IoT BotnetURL: http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/Date: 20th October, 2017Author: yegenshenExcerpt: “On 2017-09-13 at 01:02:13, we caught a new malicious sampletargeting IoT devices. Starting from that time, this new IoT botnet familycontinued to update and began to harvest vulnerable iot devices in a rapidpace. The bot borrowed some code from the famous mirai botnet, but it doesnot do any password crack all. Instead, it purely focuses on exploitingIoT device vulnerabilities. So, we name it IoT_reaper.” — And lastly, here are this week’s noteworthy security bulletins (in noparticular order): ESB-2017.2679 – [Win][UNIX/Linux][Ubuntu] curl: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/53934 Brian Carpenter discovered that curl incorrectly handled IMAP FETCHresponse lines. A remote attacker could use this issue to cause curl tocrash, resulting in a denial of service, or possibly execute arbitrarycode. — ESB-2017.2710 – [Appliance] Rockwell Automation Stratix 5100: Access privileged data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/54058 A Man-in-the-middle attack on Rockwell Automation wireless bridges couldlead to takeover of industrial hardware. — ESB-2017.2670 – [Appliance] F5 products: Execute arbitrary code/commands – Remote with user interactionESB-2017.2671 – [Appliance] F5 BIG-IP products: Root compromise – Existing accountESB-2017.2672 – [Appliance] F5 products: Access privileged data – Existing accountESB-2017.2673 – [Appliance] F5 BIG-IP Products: Denial of service – Remote/unauthenticatedESB-2017.2674 – [Appliance] F5 BIG-IP PEM: Access privileged data – Remote with user interactionESB-2017.2675 – [Appliance] F5 BIG-IP products: Unauthorised access – Existing accountESB-2017.2687 – [Appliance] F5 products: Denial of service – Remote/unauthenticatedESB-2017.2703 – [Appliance] F5 products: Multiple vulnerabilitiesESB-2017.2707 – [Appliance] F5 products: Denial of service – Remote/unauthenticatedESB-2017.2715 – [Appliance] F5 BIG-IP products: Denial of service – Remote/unauthenticatedESB-2017.2716 – [Appliance][Virtual] F5 BIG-IP products: Denial of service – Remote/unauthenticatedESB-2017.2717 – [Appliance] F5 products: Denial of service – Remote/unauthenticatedESB-2017.2718 – [Appliance][Virtual] F5 BIG-IP AAM and PEM: Denial of service – Remote/unauthenticatedESB-2017.2719 – [Appliance][Virtual] F5 BIG-IP products: Execute arbitrary code/commands – Remote/unauthenticatedESB-2017.2722 – [Appliance][Virtual] F5 BIG-IP products: Denial of service – Remote/unauthenticated   https://portal.auscert.org.au/bulletins/53898https://portal.auscert.org.au/bulletins/53902https://portal.auscert.org.au/bulletins/53906https://portal.auscert.org.au/bulletins/53910https://portal.auscert.org.au/bulletins/53914https://portal.auscert.org.au/bulletins/53918https://portal.auscert.org.au/bulletins/53966https://portal.auscert.org.au/bulletins/54030https://portal.auscert.org.au/bulletins/54046https://portal.auscert.org.au/bulletins/54078https://portal.auscert.org.au/bulletins/54082https://portal.auscert.org.au/bulletins/54086https://portal.auscert.org.au/bulletins/54090https://portal.auscert.org.au/bulletins/54094https://portal.auscert.org.au/bulletins/54106 Several important F5 updates have been published this week. — Have a good weekend everyone. Firewalls up! Anthony

AUSCERT Week in Review for 20th October 2017 AUSCERT Week in Review20 October 2017Greetings,What a week for Information Security! With the new vulnerabilities revealedin WPA2 and the Infineon RSA algorithm, can we be certain that anythingis truly secure any more? All eyes are on vendors and their responses tothese potentially catastrophic security flaws. As we go forward, puttingmore of our trust and confidential data into computers, being able torespond to new vulnerabilities in a timely fashion is critical.Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week:Title: Millions of high-security crypto keys crippled by newly discovered flawURL: https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/Date: 16th October, 2017Author: Dan GoodinExcerpt: “A crippling flaw in a widely used code library has fatallyundermined the security of millions of encryption keys used in some ofthe highest-stakes settings, including national identity cards, software-and application-signing, and trusted platform modules protecting governmentand corporate computers.”—Title: Necurs Botnet malspam pushes Locky using DDE attackURL: https://isc.sans.edu/forums/diary/Necurs+Botnet+malspam+pushes+Locky+using+DDE+attack/22946/Date: 19th October, 2017Author: Brad DuncanExcerpt: “I’ve seen Twitter traffic today about malspam from the NecursBotnet pushing Locky ransomware using Word documents as their attachments.These Word documents use the DDE attack technique, something I alreadywrote about in a previous diary covering Hancitor malspam on 2017-10-16.”—Title: Adobe rushes out fix for exploited Flash bugURL: https://www.itnews.com.au/news/adobe-rushes-out-fix-for-exploited-flash-bug-475535Date: 17th October, 2017Author: Staff WriterExcerpt: “The patch came after Kaspersky Lab said a group it was tracking,BlackOasis, used the previously unknown weakness on October 10 to plantFinSpy or FinFisher malware on computers before connecting them back toservers in Switzerland, Bulgaria and the Netherlands.”—Title: ACORN received almost 48k cyber-related reports in 2016-17URL: http://www.zdnet.com/article/acorn-received-almost-48k-cyber-related-reports-in-2016-17/Date: 20th October, 2017Author: Asha McLeanExcerpt: “As revealed in the Connect Discover Understand Respond 2016-17Annual Report from the Australian Criminal Intelligence Commission (ACIC),scams and online fraud were the highest reported incidents to ACORN,accounting for 51 percent of the 47,873 total.”—Title: Australian government details Govpass digital IDURL: http://www.zdnet.com/article/australian-government-details-govpass-digital-id/Date: 17th October, 2017Author: Asha McLeanExcerpt: “The federal government has detailed what its digital identificationsolution will look like, outlining how citizens can apply for an optionalGovpass in a video posted on YouTube.”And lastly, here are this week’s noteworthy security bulletins (in noparticular order):ESB-2017.2607 – ALERT [Appliance] Infineon RSA: Access privileged data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/53570A flaw in the Infineon RSA algorithm could result in keys that arefactorisable in months instead of centuries.—ESB-2017.2602 – ALERT [Win][Linux][OSX] Adobe Flash Player: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/53546A newly-disclosed vulnerability in Adobe Flash affects all versions ofthe software, and has already been seen in the wild.—ESB-2017.2599 – ALERT [Win][UNIX/Linux][Appliance][Mobile] Wi-Fi Protected Access II (WPA2) devices: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/53534A flaw discovered in the WPA protocol itself could affect billions ofpeople, as the encryption protocol is used ubiquitously around the globefor WiFi networks.   Wishing you the best from AUSCERT and hope to see you next week.Stay patched, stay safe.Anthony  

AUSCERT Week in Review for 13th October 2017 AUSCERT Week in Review13 October 2017 Greetings, As Friday 13th of October closes, all eyes are in Kaspersky and how itwill manage? The above reflection came out of one of the news articles that have cappedoff a solid week in bulletins, and we have included a few more articlesof interest that have grabbed our attention. Here’s a summary (includingexcerpts) of some of the more interesting stories we’ve seen this week: Title: Kaspersky Lab and the AV Security HoleURL:https://www.darkreading.com/attacks-breaches/kaspersky-lab-and-the-av-security-hole/d/d-id/1330116Date: 10 October 2017Author: Jai Vijayan Excerpt: “It’s unclear what happened in the reported theft of NSA data byRussian spies, but an attacker would need little help to steal if he orshe had privileged access to an AV vendor’s network, security experts say.” ——- Title: Microsoft Patches Office Bug Actively Being ExploitedURL:https://threatpost.com/microsoft-patches-office-bug-actively-being-exploited/128367/Date: 10 October 2017Author: Tom Spring Excerpt: “Security experts are urging network administrators to patch aMicrosoft Office vulnerability that has been exploited in the wild.” ——- Title: Dumb bug of the week: Outlook staples your encrypted emails to,er, plaintext copies when sending messagesURL: https://www.theregister.co.uk/2017/10/11/outlook_smime_bug/Date: 11 October 2017Author: Iain Thomson Excerpt: “Attention anyone using Microsoft Outlook to encryptemails. Researchers at security outfit SEC Consult have found a bug inRedmond’s software that causes encrypted messages to be sent out withtheir unencrypted versions attached.” ——- Title: Equifax Website Caught Serving Malicious Ads to VisitorsURL:https://www.forbes.com/sites/leemathews/2017/10/12/equifax-website-caught-serving-malicious-ads-to-visitors/Date: 12 October 2017Author: Lee Mathews Excerpt: “It’s been just over a month since Equifax went public withnews of a massive server breach that affected roughly half of the adultpopulation of the United States and thousands more consumers in Canada andthe U.K. Now, a security researcher has spotted an ad campaign spreadingmalware from the company’s website.” ——- Title: Accentuate the negative: Accenture exposes data related to itsenterprise cloud platformURL:https://www.scmagazine.com/accentuate-the-negative-accenture-exposes-data-related-to-its-enterprise-cloud-platform/article/699636/ Date: 11 October 2017Author: Bradley Barth Excerpt: “Yet another company has mistakenly exposed its sensitiveinternal information after storing data on misconfigured cloud-basedservers from Amazon Web Services. The culprit in this case – the $32.9billion consulting and professional services company Accenture – wasfound to be insecurely storing data that, ironically, has to do with itsown cloud-based enterprise solution, the Accenture Cloud Platform.” ——- Title: Office 365 Adoption Picks Up Pace Amid Security ConcernsURL:https://www.infosecurity-magazine.com/news/office-265-adoption-picks-up-pace/Date: 12 October 2017Author: Tara Seals Excerpt: “Adoption rates for Microsoft’s cloud-based, hosted productivitysuite, Office 365, have increased significantly in the past 12 months;however, security concerns remain a barrier to adoption.”   And lastly, here are this week’s noteworthy security bulletins (in noparticular order): 1. ASB-2017.0161 – ALERT [Win] Microsoft Windows: Multiplevulnerabilitieshttps://portal.auscert.org.au/bulletins/53282 Plenty to patch this Microsoft patch Tuesday. 2. ASB-2017.0159 – ALERT [Win] Microsoft Office: Multiplevulnerabilitieshttps://portal.auscert.org.au/bulletins/53274 MS Office and there is a exploit out now. 3. ESB-2017.2561 – [Debian] wordpress: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/53382 WordPress has vulnerabilities, that is a lot of websites. 4. ESB-2017.2562 – [RedHat] thunderbird: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/53386 Thunderbirds are go! 5. ESB-2017.2591 – [SUSE] git: Execute arbitrary code/commands –Existing accounthttps://portal.auscert.org.au/bulletins/53498 Should I git onto patching this? Wishing you the best from AUSCERT and hope to see you next week.Stay patched, stay safe.Peter  

AUSCERT Week in Review for 6th October 2017 AUSCERT Week in Review06 October 2017 Greetings, As Friday 6th of October closes, the Equifax event highlights the need to have a patch management program in your organization.  In that patch management program it is important to ensure that the risks of not patching gets transferred as high up as possible and as soon as possible. So, should you not have a patch management program in place at this moment, next Monday may be a good time to set one up.  It may be better to point the finger at best practices and frameworks for patch management now, then have the finger pointed at your staff later. The above reflection came out of one of the news articles that have capped off a solid week in bulletins, and we have included a few more articles of interest that have grabbed our attention. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  Sole Equifax security worker at fault for failed patch, says former CEOURL:    http://www.theregister.co.uk/2017/10/04/sole_security_worker_at_fault_for_equifax_fail_says_former_ceo/Date:   October 4, 2017Author: Simon Sharwood Excerpt:“Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz’s IT security breach on a single member of the company’s security team.” ——- Title:  Equifax failed to patch security vulnerability in March — testimonyURL:    https://www.reuters.com/article/equifax-breach/equifax-failed-to-patch-security-vulnerability-in-march-testimony-idUSL2N1MD0UQDate:   October 3, 2017Author: David Shepardson Excerpt:“Equifax Inc failed to patch a software security vulnerability after being alerted in March by the U.S. Homeland Security Department to the issue that led to hackers obtaining personal information from over 140 million Americans, the company’s former chief executive will tell Congress in written testimony made public Monday. “ ——- Title:  Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed upURL:    https://www.theregister.co.uk/2017/10/05/nurse_iot/Date:   October 5, 2017Author: John Leyden Excerpt:“…Jelena Milosevic, who developed an interest in cybersecurity over the last three years, told attendees that the healthcare sector needs to work with infosec experts and manufacturers to sort out the emerging problem of the security risk posed by internet-connected medical kit.” ——- Title:  So, Uh, That Billion-Account Yahoo Breach Was Actually 3 BillionURL:   https://www.wired.com/story/yahoo-breach-three-billion-accounts/Date:   October 3, 2017    Author: Lily Hay Newman Excerpt:“When Yahoo disclosed in December that a billion (yes, billion) of its users’ accounts had been compromised in an August 2013 breach, it came as a staggering revelation. Now, 10 months later, the company would like to make a correction: That incident actually exposed three billion accounts—every Yahoo account that existed at the time.” ——- Title:  Google’s October Android patches have landed: There’s a big fix for dnsmasq bugURL:    http://www.zdnet.com/article/googles-october-android-patches-have-landed-theres-a-big-fix-for-dnsmasq-bug/Date:   October 3, 2017Author: Liam Tung Excerpt:“Google has published its October Android security bulletin and is rolling out the OTA update to Nexus and Pixel devices. It’s also introduced a new way of handling its security bulletins. As usual it’s publishing a monthly Android security bulletin with details about a partial patch level and complete patch level, But it’s now introduced a new ‘Pixel/Nexus bulletin’ that documents additional bugs fixed in these devices.” ——- Title:  Apple issues update to patch password vulnerabilities in High Sierra operating softwareURL:    https://siliconangle.com/blog/2017/10/05/apple-releases-high-sierra-security-update-patch-password-vulnerabilities/Date:   October 5, 2017Author: Duncan Riley Excerpt:“Apple Inc. has issued a security update for macOS High Sierra that patches a severe vulnerability identified in September that allows unsigned apps to capture plain-text passwords from the Mac keychain. The High Sierra 10.13 Supplemental Update actually fixes two security issues, the previously discovered security issue in the Mac keychain as well as a newly identified vulnerability that allows passwords to be accessed via the Apple File System, also known as APFS.” And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1.    ASB-2017.0156 – [Android] Google Nexus devices: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/53034 Google Nexus devices were patched for remote code execution, elevation of privileges and accessing information from phones. 2.    ESB-2017.2518 – [Appliance] Siemens 7KT PAC1200 Data Manager: Administrator compromise – Remote/unauthenticated https://portal.auscert.org.au/bulletins/53186Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and perform administrative functions. 3.    ESB-2017.2523 – [Appliance] IBM Netezza Analytics: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/53206 OpenSSL and zlib were patched in the IBM Netezza Analytics product. 4.    ESB-2017.2521 – [Mac] Apple StorageKit and Apple Security: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/53198A method existed for applications to bypass the keychain access prompt with a synthetic click as well as, if a hint was set in Disk Utility when creating an APFSencrypted volume, the password was stored as the hint. 5.    ESB-2017.2520 – [Ubuntu] ruby: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/53194 ruby allowed remote unauthenticated attackers to execute arbitrary code, denial of service, overwrite arbitrary Files as well as access confidential data. Wishing you the best from AUSCERT and hope to see you next week. Stay patched, stay safe.Geoffroy

AUSCERT Week in Review for 27th September 2017 AUSCERT Week in Review29th September 2017 Greetings, As Friday 29th of September comes to a close, the big news is AUSCERT is hiring https://www.seek.com.au/job/34448215 Here is our summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Dark Web Drug Suspect Cuffed On Way to Beard ContestURL: https://www.infosecurity-magazine.com/news/dark-web-drug-suspect-cuffed-beard/Date: 28 September 2017 Author: Phil MuncasterExcerpt: “A suspected dark web drug kingpin has been arrested in the US on the way to a beard-growing contest, it has emerged. Gal Vallerius, 38, was cuffed in Atlanta International Airport at the end of August en route from his home in France to the competition in Austin, Texas. Searching his laptop, border officials apparently found hundreds of thousands of dollars in Bitcoin, a Tor browser, and PGP keys linked to an “OxyMonster”. That name is used by an administrator and senior moderator on Dream Market: a typical darknet drugs marketplace.” ——- Title: Mac High Sierra hijinks continue: Nasty apps can pull your passwordsURL: http://www.theregister.co.uk/2017/09/28/high_sierra_hijinks_continue_nasty_apps_can_pull_your_passwords/Date: 28 September 2017 Author: Shaun NicholsExcerpt: “Apple still hasn’t been able to seal up keychain access hole for unsigned applications.A security shortcoming in earlier versions of OS X has made its way into macOS High Sierra despite an expert’s best efforts to highlight the flaw. Patrick Wardle, of infosec biz Synack, found that unsigned, and therefore untrustworthy, applications running on High Sierra, aka macOS 10.13, were able to quietly access sensitive information – including stored passwords and keys – without any notification to the user. Normally, apps, even signed trusted ones, trigger a prompt to appear on screen when touching the operating system’s Keychain database of saved passphrases and other secrets.” ——- Title: Android unlock patterns are too easy to guess, stop using themURL: https://nakedsecurity.sophos.com/2017/09/28/android-unlock-patterns-are-too-easy-to-guess-stop-using-them/Date: 28 September 2017 Author: Lisa VaasExcerpt: “Let’s start with some things we knew already: people are really bad at creating and remembering secure passwords and PINs. We’re also bad at choosing and answering password recovery questions. Most of us can’t even cook up an unlock pattern for our Androids that’s not crazy easy to predict, be it by shoulder-surfing or the tell-tale streaks we leave with our greasy fingers. Now, a new report (PDF) from security researchers at the US Naval Academy and the University of Maryland Baltimore County has quantified just how absurdly easy it is to do an over-the-shoulder glance that accurately susses out an Android unlock pattern.” ——- Title: Deloitte Hit by Cyber-Attack Revealing Clients’ Secret EmailsURL: https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emailsDate: 25 September 2017 Author: Nick HopkinsExcerpt: “Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months. Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments.” ——- Title: US Plans to Collect Social Media Info From Permanent Residents, Naturalized CitizensURL: https://www.bleepingcomputer.com/news/government/us-plans-to-collect-social-media-info-from-permanent-residents-naturalized-citizens/Date: 26 September 2017Author: Catalin CimpanuExcerpt:“The US Department of Homeland Security (DHS) published documents on Monday that detail a plan for collecting extra information on all US immigrants, including not only permanent residents but also previously naturalized citizens. According to a notice of modification to the 1974 Privacy Act System of Records, the DHS wants to collect extra information such as “social media handles, aliases, associated identifiable information, and search results.” The data will be used to expand the DHS’ database on US immigrants with new information that would allow for easier tracking of immigrants, but also Americans who obtained official citizenship years or decades before.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2017.2425 – [OSX] macOS: Multiple vulnerabilities It’s time to patch your Mac! The most severe vulnerability addressed could allow a malicious application to execute arbitrary code withsystem privileges. 2. ESB-2017.2436 – ALERT [Linux][RedHat] kernel: Root compromise – Existing account This Linux PIE/stack corruption (CVE-2017-1000253) was an existing two-year-old bug in the Linux kernel. Qualys published a detailed analysis including demonstration of a proof-of-concept to exploit the vulnerability – https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt 3. ESB-2017.2444 – ALERT [Cisco] Cisco IOS and IOS XE: Multiple vulnerabilities Make plans to patch your Cisco network appliances. Many subsystems of IOS are impacted, of particular note is CVE-2017-12240. 4. ASB-2017.0155 – [Win][UNIX/Linux] Mozilla Firefox: Multiple vulnerabilities Mozilla has rated the security vulnerabilities fixed in Firefox 56 as critical. Wishing you the best from AUSCERT and stay safe, Danny

AUSCERT Week in Review for 22nd September 2017 AUSCERT Week in Review22 September 2017 Greetings, As Friday 22nd of September comes to a close, the big news is: AUSCERT is hiring! Apply here: https://www.seek.com.au/job/34448215 Here is our weekly summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: CCleaner malware spread via supply chain attackURL: http://searchsecurity.techtarget.com/news/450426573/CCleaner-malware-spread-via-supply-chain-attackDate: 19 September 2017 Author: Michael HellerExcerpt: “CCleaner malware was spread to users via an infected software update for close to one month, highlighting the dangers of supply chain attacks and the need for code signing. The CCleaner malware gathered information about systems and transmitted it to a command and control (C&C) server; it was reportedly downloaded by users for close to one month from Aug. 15 to Sept. 12, according to Morphisec. However, Avast noted that the CCleaner malware was limited to running on 32-bit systems and would only run if the affected user profile had administrator privileges.” ——- Title: Apache “Optionsbleed” vulnerability – what you need to knowURL: https://nakedsecurity.sophos.com/2017/09/19/apache-optionsbleed-vulnerability-what-you-need-to-know/Date: 19 September 2017Author: Paul DucklinExcerpt: “Remember Heartbleed? … Well, something similar has happened again. This time, the bug isn’t in OpenSSL, but in a program called httpd, probably better known as the Apache Web Server, and officially called the Apache HTTP Server Project. The vulnerability has been dubbed OptionsBleed, because the bug is triggered by making HTTP OPTIONS requests.” ——- Title: Here’s What Your Identity Sells For on the Dark WebURL: https://www.bloomberg.com/news/articles/2017-09-15/equifax-hack-your-social-security-and-identity-are-for-saleDate: 15 September 2017Author: Suzanne WoolleyExcerpt:“How much is your personal data worth to you? A lot. (Thanks, Equifax.) And how much is it worth to an identity thief? You may be surprised, or insulted, or enraged, to find out.” ——- Title: Internet Providers Possibly Involved in FinFisher Surveillance Operations: ReportURL: http://www.securityweek.com/internet-providers-possibly-involved-finfisher-surveillance-operations-reportDate: 21 September 2017Author: Ionut ArghireExcerpt:“New campaigns featuring the infamous FinFisher spyware are using a previously unseen infection vector, strongly suggesting that Internet service providers (ISPs) might be involved in the distribution process, ESET security researchers warn. Also known as FinSpy, the malware has been around for over half a decade and is being sold exclusively to governments and their agencies worldwide for surveillance purposes. The use of this lawful interception solution has increased, and researchers observed it earlier this month abusing a .NET framework zero-day tracked as CVE-2017-8759 for distribution. “ ——- Title: Government promises $50 million boost to security researchURL: https://www.computerworld.com.au/article/627667/government-promises-50-million-boost-to-security-research/Date: 22 September 2017Author: Rohan Pearce Excerpt:“The government will invest $50 million over seven years to help establish an industry-led Cyber Security Cooperative Research Centre (CRC). The government said that cash and in-kind contributions of more than $89 million towards the CRC had been pledged by 25 industry, research and government partners.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order):   1. ESB-2017.2369 – ALERT [Win][UNIX/Linux][Ubuntu] apache2-bin: Access privileged data – Remote/unauthenticated “..the Apache HTTP Server incorrectly handled Limit directives in .htaccess files. In certain configurations, a remote attacker could possibly use this issue to read arbitrary server memory, including sensitive information. This issue is known as Optionsbleed.”   2. ASB-2017.0151 – [Win][UNIX/Linux] WordPress: Multiple vulnerabilities Two of the big three CMS released major patch updates this week – Joomla! and WordPress. WordPress vulnerabilities include multiple Cross-site scripting, path traversal, open redirect and a potential SQL injection via plugins and themes.   3. ASB-2017.0152.2 – UPDATE [Win][UNIX/Linux] Joomla!: Access privileged data – Remote/unauthenticated AUSCERT recommends members avoid using Joomla! because of its history of serious vulnerabilities including this latest round.   4. ESB-2017.2398 – ALERT [UNIX/Linux][Ubuntu] samba: Multiple vulnerabilities Vendors and Linux distributions were quick to release patches for the latest samba vulnerabilities. A man-in-the-middle attack can potentially read and alter documents transferred via a client connection.Also, a client with write access to a share can cause the server memory contents to be written to a file or printer.   5. ASB-2017.0154 – [Win][Linux][OSX] Google Chrome: Multiple vulnerabilities Update your Google and Apple Safari browsers before you surf the web this weekend. Both Google Chrome and Apple Safari have addressed vulnerabilities in their latest updates.   Wishing you the best from AUSCERT and stay safe, Danny

AUSCERT Week in Review for 15th September 2017 AUSCERT Week in Review15th September 2017 Greetings, As Friday 15th of September comes to a close, we are looking forward to having as many people answering the 2017 Cyber Security Survey – Last chance to submit! Public awareness of cyber-crime has never been higher, but is that translating to business readiness? For the second consecutive year, AUSCERT and BDO are delivering the Cyber Security Survey. By taking part you will gain direct access to our survey report in November. This contains valuable data allowing you to compare your business’ current cyber security efforts with trends in your industry sector. Time is running out! Complete the survey and go in the draw to win one of three Apple Watches.* The survey closes at midnight on Friday, 15 September 2017. The survey is anonymous and takes 15 minutes to complete. https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey?utm_medium=Email&utm_source=AUSCERT * Refer to the website for competition terms and conditions.https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey/terms This is all topped off with numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: US govt bans Kaspersky productsURL: https://www.itnews.com.au/news/us-govt-bans-kaspersky-products-473254Date: 14 Sep 2017Author: Dustin Volz Excerpt: ” Orders purge amid concern about Kremlin influence. The Trump administration has told United States government agencies to remove Kaspersky Lab products from their IT systems, saying it was concerned the Moscow-based cyber security firm is vulnerable to Kremlin influence.” ——-Title: BlueBorne: Bluetooth bug could expose billions of devices to attack,cyber experts warnURL: http://www.abc.net.au/news/2017-09-13/bluetooth-bug-could-expose-billions-of-devices-to-attack/8942378Date: 14 Sep 2017Author: George Roberts Excerpt: “Internet security experts are urging people to update their software to protect against a serious vulnerability, which if exploited could spread uncontrollably via the common wireless technology bluetooth.” ——-Title: Microsoft patches zero-day used to install police spywareURL: https://www.itnews.com.au/news/microsoft-patches-zero-day-used-to-install-police-spyware-473176Date: 13 Sep 2017Author: Juha Saarinen Excerpt: “.NET framework flaw exploited. Microsoft’s regular Patch Wednesday round of security updates for Windows has closed a bug that left computers open to malware installed by law enforcement agencies.” ——-Title: Zerodium offering $1M for TOR browser zero DaysURL: https://threatpost.com/zerodium-offering-1m-for-tor-browser-zero-days/127959/Date: 13 Sep 2017Author: Chris Brook Excerpt:”The exploit acquisition vendor Zerodium is doubling down again. Weeks after the company said it would pay $500,000 for zero days in private messaging apps such as Signal and WhatsApp, Zerodium said Wednesday it will pay twice that for a zero day in Tor Browser.” ——-Title: Equifax’s Mega-Breach Was Made Possible by a Website Flaw ItCould Have FixedURL: http://fortune.com/2017/09/14/equifax-data-breach-security-apache-struts/Date: 14 Sep 2017Author: David Meyer Excerpt:”Good website security is tough, but the consequences of bad website security can be far tougher. That appears to be one of the big lessons coming out the debacle surrounding Equifax’s mega-breach, which has “humbled” the credit-reporting giant.” ——-Title: Edward Snowden offers mixed review on Apple’s Face IDURL: https://www.cnet.com/news/edward-snowden-offers-mixed-review-on-apples-face-id/Date: 12 Sep 2017Author: Steven Musil Excerpt:”The new facial recognition system sports a “robust” design but may normalize technology that is ripe for abuse, the NSA leaker tweets.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2017.2298 – [Linux][RedHat] kernel: Execute arbitrary code/commands – Remote/unauthenticatedBluetooth not designed with security in mind. 2. ASB-2017.0148 – [Win] Microsoft .NET Framework: Execute arbitrary code/commands – Remote with user interactionWas this the vulnerability that was allegedly used by law enforcement? 3. ESB-2017.2296 – [RedHat] chromium-browser: Multiple vulnerabilityThe browser, a window to a world. 4. ESB-2017.2331 – [Ubuntu] tcpdump: Multiple vulnerabilitiesA reminder to keep your tools up to date as well as OS. Wishing you the best from AUSCERT and stay safe,Peter

AUSCERT Week in Review for 8th September 2017 AUSCERT Week in Review8th September 2017 Greetings, As Friday 8th of September comes to a close, we are looking forward to having as many people answering the 2017 Cyber Security Survey – Time is running out to submit! Public awareness of cyber-crime has never been higher, but is that translating to business readiness? For the second consecutive year, AUSCERT and BDO are delivering the Cyber Security Survey.By taking part you will gain direct access to our survey report in November. This contains valuable data allowing you to compare your business’ current cyber security efforts with trends in your industry sector.Time is running out! Complete the survey and go in the draw to win one of three Apple Watches.* The survey closes at midnight on Friday, 15 September 2017. The survey is anonymous and takes 15 minutes to complete.https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey?utm_medium=Email&utm_source=AUSCERT * Refer to the website for competition terms and conditions. This is all topped off with numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Breach at Equifax May Impact 143M AmericansURL: https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/Date: 7th September 2017Author: Brian Krebs Excerpt:“Equifax, one of the “big-three” U.S. credit bureaus, said today a data breach at the company may have affected 143 million Americans, jeopardizing consumer Social Security numbers, birth dates, addresses and some driver’s license numbers.” ——- Title: Patch Released for Critical Apache Struts BugURL: https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/Date: 5tht September 2017Author: Tom Spring Excerpt:“This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,” ——- Title: Australian SMEs consider antivirus software sufficient defence: MYOBURL: http://www.zdnet.com/article/australian-smes-consider-antivirus-software-sufficient-defence-myob/Date: 6th September 2017Author: Asha McLean Excerpt:“A study by accounting software firm MYOB has found that 87 percent of small and medium-sized enterprises (SMEs) in Australia consider their business to be safe from cyber attacks, mainly because they use antivirus software.” ——-Title: Xero users targeted by info stealer malwareURL: https://www.itnews.com.au/news/xero-users-targeted-by-info-stealer-malware-472853Date: 8th September 2017Author:Juha Saarinen Excerpt:“..a sophisticated phishing email campaign in August that purported to be from Xero.The messages were similar to Xero monthly billing notifications, and asked users to review their invoices by clicking on a link in the email.If the targeted users clicked on the link, a ZIP archive containing obfuscated Javascript was downloaded to their computers..” ——-Title: Australians turning a blind eye to data backup & securityURL:  https://securitybrief.com.au/story/australians-turning-blind-eye-data-backup-security/Date: 6th September 2017Author: Sara Barker Excerpt:“Some Australians are turning a blind eye to their computer safety – even despite highly publicised cyber attacks, according to a survey from Acronis.The global poll was conducted on the general internet population from Australia, Japan, Germany, the US, U.K, Germany, France and Spain in August.The survey found that 46.5% of respondents do not back up their computers – possibly because 67.8% have never lost important photos or files from a computer or mobile device.” ——-Title: CSIRO’s Data61 builds innovative security platform for defence sectorURL: https://securitybrief.com.au/story/csiros-data61-builds-innovative-security-platform-defence-sector/Date: 7th September 2017Author: Sara Barker Excerpt:“The technology, dubbed ‘Cross-Domain Desktop Compositor’ (CDDC), provides a single interface for staff, which works well in areas with limited physical workspace such as ships, Data61 says.The CDDC also provides a seamless and fully integrated secure system, as well as additional functionality such as controlled data transfer and copy-paste.According to Data61, solutions in the market often trade off security and usability against each other. Buyers who favour usability are more vulnerable to attacks and data leakage between secret networks.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1.    ESB-2017.2220 – [RedHat] kernel-rt : Root compromise – Existing account https://portal.auscert.org.au/bulletins/51926 A vulnerability in the web interface for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication and perform command injection with root privileges 2.    ASB-2017.0141 – [Android] Google Nexus devices: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/51978 Multiple vulnerabilities have been identified in Android prior to security patch level strings 2017-09-01 and 2017-09-05. 3.    ESB-2017.2261 – [BlackBerry] BlackBerry: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/52102 BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. 4.    ESB-2017.2271 – [Win][UNIX/Linux] IBM Db2: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/52142 A series of vulnerabilities in IBM Db2 that include Administrator Compromise. Wishing you the best from AUSCERT and stay safe,Geoffroy

AUSCERT Week in Review for 1st September 2017 AUSCERT Week in Review 01 September 2017 Greetings, 2017 Cyber Security Survey – Time is running out to submit! Public awareness of cyber-crime has never been higher, but is that translating to business readiness? For the second consecutive year, AUSCERT and BDO are delivering the Cyber Security Survey. By taking part you will gain direct access to our survey report in November. This contains valuable data allowing you to compare your business’ current cyber security efforts with trends in your industry sector. Time is running out! Complete the survey and go in the draw to win one of three Apple Watches*. The survey closes at midnight on Friday, 15 September 2017. The survey is anonymous and takes 15 minutes to complete. https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey?utm_medium=Email&utm_source=AUSCERT * Refer to the website for competition terms and conditions.  As Friday 1st of September comes to a close, we have seen another busy week of security updates. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:   Title: 700 Million-Plus Email Addresses Leaked by Spam OperationDate Published: 31 Aug 2017URL: https://www.bankinfosecurity.com/700-million-plus-email-addresses-leaked-by-spam-operation-a-10246Author: Jeremy KirkExcerpt: “A sloppy spamming operation has exposed on a server in the Netherlands gigabytes of files that include 711 million email addressees and some associated account passwords.”   Title: China Creates Secure Communications NetworkDate Published: 1 Sep 2017URL: http://www.securitymagazine.com/articles/88280-china-creates-secure-communications-networkAuthor: Kylie BullExcerpt: “China is to use quantum cryptography to create an unhackable communications network. Using the network, some 200 users from the military, government, finance and electricity sectors will be able to send messages without the concern that others may be able to read them.” Title: Session hijacking bug exposed GITLab users private tokensDate Published: 31 Aug 2017URL: https://threatpost.com/session-hijacking-bug-exposed-gitlab-users-private-tokens/127747/Author: Chris BrookExcerpt: “GitLab, the popular web-based Git repository manager, fixed a vulnerability recently that could have opened its users up to session hijacking attacks.”   Title: Prevention is no Longer the Best Medicine – Recovery is KeyDate Published: 29 Aug 2017URL: https://www.infosecurity-magazine.com/opinions/prevention-medicine-recovery-key/Author: Rick Orloff Excerpt: “In an ideal world, every company could trust each of its employees not to make any mistakes or slip up in regards to the handling of sensitive corporate data. In this utopia, each employee would also have an impregnable security solutionrendering themselves invulnerable to attack or breach.” Title: Cyber-squatters Target Luxury Brands from Fendi to PradaDate Published: 31 Aug 2017URL: https://www.infosecurity-magazine.com/news/cybersquatters-target-luxury-brands/Author: Tara Seals Excerpt: “Fan of Fendi? Lover of Louboutin? Gaga for Gucci? Be careful, as there are more than 500 websites out here that are actively tricking web usersinto thinking they’re legitimate luxury fashion websites.”   Here are this week’s noteworthy security bulletins: 1) ASB-2017.0137 – [Win][UNIX/Linux] RubyGems: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/51746 This one is a gem. 2) ESB-2017.2157 – [Appliance] Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure and Assurity MRI: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/51662 Is your patching keeping pace? 3) ESB-2017.2165 – [Win][UNIX/Linux] Wireshark: Denial of service – Remote with user interaction https://portal.auscert.org.au/bulletins/51694   A reminder to keep your tools up to date also. Stay safe and have a great weekend. Peter

AUSCERT Week in Review for 25th August 2017 Greetings, 2017 Cyber Security Survey – Time is running out to submit! Public awareness of cyber-crime has never been higher, but is that translating to business readiness? For the second consecutive year, AUSCERT and BDO are delivering the Cyber Security Survey. By taking part you will gain direct access to our survey report in November. This contains valuable data allowing you to compare your business’ current cyber security efforts with trends in your industry sector. Time is running out! Complete the survey and go in the draw to win one of three Apple Watches. The survey closes at midnight on Friday, 15 September 2017. The survey is anonymous and takes 15 minutes to complete.https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey?utm_medium=Email&utm_source=AUSCERT —–As Friday 25th August comes to a close, we have seen another busy week of security updates. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Malware rains on Googles Android Oreo parade Date Published: 24 Aug 2017 URL: https://nakedsecurity.sophos.com/2017/08/24/malware-rains-on-googles-android-oreo-parade/Author: Bill Brenner Excerpt: “Google has had an exciting summer, for good and bad reasons. The good news: Google just officially launched the eighth version of its operating system, Android Oreo, with enhancements for battery life and security. Last month, it also began rolling out a new feature called Google Play Protect, designed to scan apps that could cause harm to your Android device and data. The bad news: at least five different types of malware were found in Google Play in August alone, including spyware, banking bots and aggressive adware. Thousands of apps contain these malicious payloads and have infected millions of users.” —– Title: Ropemaker exploit allows for changing of email post-delivery Date Published: 23 Aug 2017 URL: https://threatpost.com/ropemaker-exploit-allows-for-changing-of-email-post-delivery/127600/Author: Chris Brook Excerpt: “Researchers say a new exploitable attack vector for email, one that could enable the changing of email content content post-delivery, could let attackers bypass security controls and trick victims into clicking through to a malicious site.”—– Title: OAIC investigating Flight Centre customer data leak Date Published: 21 Aug 2017 URL: https://www.itnews.com.au/news/oaic-investigating-flight-centre-customer-data-leak-471346Author: Allie Coyne Excerpt: “Firm is ‘co-operating’ with inquiries. Travel agency Flight Centre is under investigation by the country’s privacy regulator after accidentally releasing personal information of an undisclosed number of its customers to third-party suppliers.”—– Title: Turnbull’s counter-terrorism plan goes beyond whether our cities need bollards Date Published: 23 Aug 2017 URL: https://www.theguardian.com/commentisfree/2017/aug/23/turnbulls-counter-terrorism-plan-goes-beyond-whether-our-cities-needs-bollards-or-notAuthor: Patrick Walsh Excerpt: “Its yet unclear how much help small business owners in public places can expect in order to become resilient to terrorist attacks. But the strategy serves a more important point”—– Here are this week’s noteworthy security bulletins: 1) ESB-2017.2135 – ALERT [Appliance] Westermo MRD: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/5157010 for the CVE score need I say more! 2) ESB-2017.2128 – [Appliance] HPE Integrated Lights-out 4: Execute arbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/51542 Lights out cards for priviliged remote access. 3) ESB-2017.2110 – [Debian] smb4k: Root compromise – Existing account https://portal.auscert.org.au/bulletins/51470 Samba we are blocking it at the edge right? Where is the edge today? — Stay safe and have a great weekend. Peter

AUSCERT Week in Review for 18th August 2017 Greetings, As Friday 18th August comes to a close, we have seen another busy week of security updates. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Botched Firmware Update Bricks Hundreds of Smart Door LocksDate Published: 12/08/17URL: https://www.bleepingcomputer.com/news/hardware/botched-firmware-update-bricks-hundreds-of-smart-door-locks/Author: Catalin CimpanuExcerpt: “On Tuesday, August 8, smart locks manufacturer LockState botched an over-the-air firmware update for its WiFi enabled smart locks, causing the devices to lose connectivity to the vendor’s servers and the ability to open doors for its users.”—– Title: Seven More Chrome Extensions CompromisedDate Published: 15/08/17URL: https://threatpost.com/seven-more-chrome-extensions-compromised/127458/Author: Tom SpringExcerpt: “The number of compromised Chrome browser extensions is growing beyond the initial Aug. 1 hijacking of the OCR add-on called Copyfish. Added to list are seven additional legitimate Chrome Extensions that attackers took over and used to manipulate internet traffic and web-based ads, according to researchers at Proofpoint.”—– Title: Maersk Shipping Reports $300M Loss Stemming from NotPetya AttackDate Published: 16/08/17URL: https://threatpost.com/maersk-shipping-reports-300m-loss-stemming-from-notpetya-attack/127477/Author: Michael MimosoExcerpt: “Maersk was just one of hundreds of companies impacted around the world by NotPetya, also known as ExPetr. The wiper attack was disguised as ransomware, and like WannaCry before it, was spread via the leaked NSA EternalBlue exploit along with a few other distribution vectors, including a watering hole attack.”—– Title: LambdaLocker ransomware victim? Now you can decrypt your files for freeDate Published: 17/08/17URL: http://www.zdnet.com/article/lambdalocker-ransomware-victim-now-you-can-decrypt-your-files-for-free/Author: Danny PalmerExcerpt: “No More Ransom recently celebrated its one-year anniversary, and now offers over 50 decryption tools for use against more than 100 ransomware families.”—– Title: Biohackers Encoded Malware in a Strand of DNADate Published: 08/08/17URL: https://www.wired.com/story/malware-dna-hack/Author: Andy GreenbergExcerpt: “In new research they plan to present at the USENIX Security conference on Thursday, a group of researchers from the University of Washington has shown for the first time that it’s possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer.” —– Here are this week’s noteworthy security bulletins: 1) ESB-2017.2048 – [Win][UNIX/Linux] Drupal Core: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/51222The latest release of Drupal Core fixes some vulnerabilities that could allow attackers to bypass access restrictions. 2) ESB-2017.2032 – [Ubuntu] postgresql: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/51158New vulnerabilities in the authentication modules of postgresql could allow attackers to access users’ passwords, or log in with an empty password. 3) ESB-2017.2010 – [Linux][Debian] iortcw: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/51070The Quake 3 engine, despite being 18 years old now, still has bugs present. —   Stay safe and have a great weekend. Anthony

AUSCERT Week in Review for 11th August 2017 Greetings, As Friday 11th August comes to a close, we have seen another busy week of security updates. AUSCERT published its 2000th ESB bulletin for the year today – an average of nearly 9 each day since the year began! Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Attackers Use Typo-Squatting To Steal npm CredentialsDate Published: 4/08/2017URL: https://threatpost.com/attackers-use-typo-squatting-to-steal-npm-credentials/127235/Author: Tom SpringExcerpt: “Hackers seeking developer credentials used typo-squatting to spread malicious code via libraries hosted at the online repository npm. In all,40 npm packages were found malicious and removed from the Node.js package management registry, according to npm.” —— Title: Aussie domain registrars sued over alleged fake invoice scamDate Published: 11/08/2017URL: https://www.itnews.com.au/news/aussie-domain-registrars-sued-over-alleged-fake-invoice-scam-470631Author: Allie CoyneExcerpt: “Two Australian domain name registration companies are being taken to court by the competition watchdog for an alleged fake invoice scam that reaped $2.3 million from their customers.” —— Title: Blood Service escapes penalties in data breach investigationDate Published: 07/08/2017URL: https://www.itnews.com.au/news/blood-service-escapes-penalties-in-data-breach-investigation-470264Author: Allie CoyneExcerpt: “The Australian Red Cross Blood Service and its website contractor have escaped penalties from the country’s privacy watchdog over a 2016 data breach that exposed the data of 550,000 donors.” —— Title: VPN Provider Accused of Sharing Customer Traffic With Online AdvertisersDate Published: 08/08/2017URL: https://www.bleepingcomputer.com/news/technology/vpn-provider-accused-of-sharing-customer-traffic-with-online-advertisers/Author: Catalin CimpanuExcerpt: “In a 14-page complaint, the CDT accuses AnchorFree — the company behind the Hotspot Shield VPN — of breaking promises it made to its users by sharing their private web traffic with online advertisers for the purpose of improving the ads shown to its users.” —— Here are this week’s noteworthy security bulletins: 1) ESB-2017.1987 – [Linux][Debian][OSX] git: Execute arbitrary code/commands — Remote with user interactionhttps://portal.auscert.org.au/bulletins/50982A newly-discovered vulnerability in git can cause users to execute shell commands by cloning a malicious repo, by making use of ssh:// URLs. 2) ESB-2017.1978 – [Win][OSX] Adobe: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50942The latest round of Adobe patches fix various security vulnerabilities in Adobe Reader, including remote code execution and denial of service. 3) ASB-2017.0134 – [Win][UNIX/Linux] Mozilla Firefox and Mozilla Firefox ESR: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50958A new update for Mozilla Firefox fixes several significant security issues. Stay safe, stay patched and have a good weekend! Anthony