Week in review

AUSCERT Week in Review for 25th August 2017

25 Aug 2017

AUSCERT Week in Review for 25th August 2017 Greetings, 2017 Cyber Security Survey – Time is running out to submit! Public awareness of cyber-crime has never been higher, but is that translating to business readiness? For the second consecutive year, AUSCERT and BDO are delivering the Cyber Security Survey. By taking part you will gain direct access to our survey report in November. This contains valuable data allowing you to compare your business’ current cyber security efforts with trends in your industry sector. Time is running out! Complete the survey and go in the draw to win one of three Apple Watches. The survey closes at midnight on Friday, 15 September 2017. The survey is anonymous and takes 15 minutes to complete.https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey?utm_medium=Email&utm_source=AUSCERT —–As Friday 25th August comes to a close, we have seen another busy week of security updates. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Malware rains on Googles Android Oreo parade Date Published: 24 Aug 2017 URL: https://nakedsecurity.sophos.com/2017/08/24/malware-rains-on-googles-android-oreo-parade/Author: Bill Brenner Excerpt: “Google has had an exciting summer, for good and bad reasons. The good news: Google just officially launched the eighth version of its operating system, Android Oreo, with enhancements for battery life and security. Last month, it also began rolling out a new feature called Google Play Protect, designed to scan apps that could cause harm to your Android device and data. The bad news: at least five different types of malware were found in Google Play in August alone, including spyware, banking bots and aggressive adware. Thousands of apps contain these malicious payloads and have infected millions of users.” —– Title: Ropemaker exploit allows for changing of email post-delivery Date Published: 23 Aug 2017 URL: https://threatpost.com/ropemaker-exploit-allows-for-changing-of-email-post-delivery/127600/Author: Chris Brook Excerpt: “Researchers say a new exploitable attack vector for email, one that could enable the changing of email content content post-delivery, could let attackers bypass security controls and trick victims into clicking through to a malicious site.”—– Title: OAIC investigating Flight Centre customer data leak Date Published: 21 Aug 2017 URL: https://www.itnews.com.au/news/oaic-investigating-flight-centre-customer-data-leak-471346Author: Allie Coyne Excerpt: “Firm is ‘co-operating’ with inquiries. Travel agency Flight Centre is under investigation by the country’s privacy regulator after accidentally releasing personal information of an undisclosed number of its customers to third-party suppliers.”—– Title: Turnbull’s counter-terrorism plan goes beyond whether our cities need bollards Date Published: 23 Aug 2017 URL: https://www.theguardian.com/commentisfree/2017/aug/23/turnbulls-counter-terrorism-plan-goes-beyond-whether-our-cities-needs-bollards-or-notAuthor: Patrick Walsh Excerpt: “Its yet unclear how much help small business owners in public places can expect in order to become resilient to terrorist attacks. But the strategy serves a more important point”—– Here are this week’s noteworthy security bulletins: 1) ESB-2017.2135 – ALERT [Appliance] Westermo MRD: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/5157010 for the CVE score need I say more! 2) ESB-2017.2128 – [Appliance] HPE Integrated Lights-out 4: Execute arbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/51542 Lights out cards for priviliged remote access. 3) ESB-2017.2110 – [Debian] smb4k: Root compromise – Existing account https://portal.auscert.org.au/bulletins/51470 Samba we are blocking it at the edge right? Where is the edge today? — Stay safe and have a great weekend. Peter

Learn more

Blogs

AUSCERT in Korea for the 2017 APISC/TRANSITS Security Training Course

17 Aug 2017

AUSCERT in Korea for the 2017 APISC/TRANSITS Security Training Course AUSCERT participated in the APISC Security Training Course [1], organised by KrCERT/CC [2], operated by the Korea Internet & Security Agency [3] in the last week of July 2017.  AUSCERT sent a team member to join three (3) other instructors to facilitate the TRANSITS I [4] material to twenty-one (21) recipients CERT/CSIRT from across the globe. Along with the instruction of TRANSITS I material, there were also other CERT/CSIRT exercises and economy reports of CERT/CSIRT operations, that helped share experience in organising and operating CERT/CSIRT.  AUSCERT is honored to have been part of the APISC Security Training Course organised by KrCERT. [1] APISC Security Training Course – Asia Pacific Internet Security Conference Security Training Course. A yearly CERT capacity building initiative from South Korea that is run in conjunction to a yearly conference that bears the same name APISC.  [2] KrCERT/CC – Korean Computer Emergency Response Team / Coordination Centre. KrCERT/CC, created in 2010 and operates as the National CERT for South Korea. KrCERT is managed by KISA. https://www.krcert.or.kr/krcert/intro.do [3] KISA – Korean Internet & Security Agency. KISA sponsored by the South Korean Ministry of Science and ICT, commenced operation in 2009 and is responsible for the private sector of the Internet in South Korea. http://www.kisa.or.kr/eng/main.jsp [4] TRANSITS I. TRANSITS I course, created in 2001 is maintained by members of European CERTs with modules that deal with the Organization, Operation Legal and Technical aspect of CERT/CSIRT operation. https://www.terena.org/activities/transits/transits-i/

Learn more

Week in review

AUSCERT Week in Review for 11th August 2017

11 Aug 2017

AUSCERT Week in Review for 11th August 2017 Greetings, As Friday 11th August comes to a close, we have seen another busy week of security updates. AUSCERT published its 2000th ESB bulletin for the year today – an average of nearly 9 each day since the year began! Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Attackers Use Typo-Squatting To Steal npm CredentialsDate Published: 4/08/2017URL: https://threatpost.com/attackers-use-typo-squatting-to-steal-npm-credentials/127235/Author: Tom SpringExcerpt: “Hackers seeking developer credentials used typo-squatting to spread malicious code via libraries hosted at the online repository npm. In all,40 npm packages were found malicious and removed from the Node.js package management registry, according to npm.” —— Title: Aussie domain registrars sued over alleged fake invoice scamDate Published: 11/08/2017URL: https://www.itnews.com.au/news/aussie-domain-registrars-sued-over-alleged-fake-invoice-scam-470631Author: Allie CoyneExcerpt: “Two Australian domain name registration companies are being taken to court by the competition watchdog for an alleged fake invoice scam that reaped $2.3 million from their customers.” —— Title: Blood Service escapes penalties in data breach investigationDate Published: 07/08/2017URL: https://www.itnews.com.au/news/blood-service-escapes-penalties-in-data-breach-investigation-470264Author: Allie CoyneExcerpt: “The Australian Red Cross Blood Service and its website contractor have escaped penalties from the country’s privacy watchdog over a 2016 data breach that exposed the data of 550,000 donors.” —— Title: VPN Provider Accused of Sharing Customer Traffic With Online AdvertisersDate Published: 08/08/2017URL: https://www.bleepingcomputer.com/news/technology/vpn-provider-accused-of-sharing-customer-traffic-with-online-advertisers/Author: Catalin CimpanuExcerpt: “In a 14-page complaint, the CDT accuses AnchorFree — the company behind the Hotspot Shield VPN — of breaking promises it made to its users by sharing their private web traffic with online advertisers for the purpose of improving the ads shown to its users.” —— Here are this week’s noteworthy security bulletins: 1) ESB-2017.1987 – [Linux][Debian][OSX] git: Execute arbitrary code/commands — Remote with user interactionhttps://portal.auscert.org.au/bulletins/50982A newly-discovered vulnerability in git can cause users to execute shell commands by cloning a malicious repo, by making use of ssh:// URLs. 2) ESB-2017.1978 – [Win][OSX] Adobe: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50942The latest round of Adobe patches fix various security vulnerabilities in Adobe Reader, including remote code execution and denial of service. 3) ASB-2017.0134 – [Win][UNIX/Linux] Mozilla Firefox and Mozilla Firefox ESR: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50958A new update for Mozilla Firefox fixes several significant security issues. Stay safe, stay patched and have a good weekend! Anthony

Learn more

Week in review

AUSCERT Week in Review for 4th August 2017

4 Aug 2017

AUSCERT Week in Review for 4th August 2017 Greetings, As Friday 4th August comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: WannaCry hero arrested over banking malwareDate Published: 4/08/2017URL: https://www.itnews.com.au/news/wannacry-hero-arrested-over-banking-malware-470090Author: Juha SaarinenExcerpt: “Marcus Hutchins, the security researcher credited for blunting the effect of the WannaCry ransomware attack in May this year, has been arrested in the United States.”—– Title: HBO Security Contractor: Hackers Stole ‘Thousands of Internal Documents’ (EXCLUSIVE)Date Published: 2/08/2017URL: http://variety.com/2017/digital/news/hbo-hack-thousands-of-documents-stolen-1202513573/Author: Janko RoettgersExcerpt: “The HBO hack may have been worse than the initial leaks of a few unaired TV show episodes suggested. A security company hired by HBO to scrub search results for the hacked files from search engines has told Google that the hackers stole “thousands of Home Box Office (HBO) internal company documents.””—– Title: Cryptocurrency community readies for Bitcoin Cash forkDate Published: 31/07/2017URL: https://www.itnews.com.au/news/cryptocurrency-community-readies-for-bitcoin-cash-fork-469732Author: Juha SaarinenExcerpt: “A new version of the Bitcoin cryptocurrency will be launched this Wednesday, in an effort to rectify the network capacity issues that have plagued the digital currency in recent months.”—– Title: SMBLoris – the new SMB flawDate Published: 30/07/2017URL: https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/Author: Renato MarinhoExcerpt: “While studying the infamous EternalBlue exploit about 2 months ago, researchers Sean Dillon (zerosum0x0) and Zach Harding (Aleph-Naught-) found a new flaw in the Server Message Block (SMB) protocol that could allow an adversary to interrupt the service by depleting the memory and CPU resources of the targeted machine on a Denial of Service (DoS) attack.”—– Title: How Netflix DDoS’d Itself To Help Protect the Entire InternetDate Published: 28/07/2017URL: https://www.wired.com/story/netflix-ddos-attack/Author: Lily Hay NewmanExcerpt: “In June 2016, Netflix security engineer Scott Behrens ran a massive infrastructure test on the streaming system in front of dozens of coworkers. In the process, he brought the site down. But instead of panic or embarrassment, it was a moment of celebration. Behrens, working with cloud security engineer Jeremy Heffner and others, had successfully shown that Netflix was in fact vulnerable to an unorthodox type of distributed denial of service attack. And proving it worked was the first step toward preventing it in the future—not just for Netflix but for the entire internet.”—– Here are this week’s noteworthy security bulletins: 1) ESB-2017.1859 – ALERT [Win][UNIX/Linux] BIND: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50434BIND 9 version 9.9.10-P2,BIND 9 version 9.10.5-P2 and BIND 9 version 9.11.1-P2 have been released and these versions fix two vulnerabilities that allow to Attacker to circumvent TSIG authentication of AXFR and NOTIFY requests or forge a valid TSIG or signature for a dynamic update. 2) ESB-2017.1932.2 – UPDATED ALERT [Win] Siemens Molecular Imaging: Execute arbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/50722Siemens Molecular Imaging are vulnerable to multiple remote code unauthenticated exploits, exploit have been seen in the wild so please apply mitigations until Siemens produces patches! 3) ESB-2017.1926 – [Win][OSX] Prenotification Security Advisory for Adobe Acrobat and Readerhttps://portal.auscert.org.au/bulletins/50702Adobe have been keeping with the Microsoft patch Tuesday schedule for a couple of years now but this vulnerability must be pretty severe if they are doing a pre-notification of the out of band update! Get ready to patch your SOEs/MOEs at least twice next month! Stay safe, stay patched and have a good weekend! Ananda

Learn more

Week in review

AUSCERT Week in Review for 28th July 2017

28 Jul 2017

AUSCERT Week in Review for 28th July 2017 Greetings, As Friday 28th July comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: WikiLeaks drops another cache of ‘Vault7’ stolen toolsDate Published: 26/07/2017URL: https://nakedsecurity.sophos.com/2017/07/26/wikileaks-drops-another-cache-of-vault7-stolen-tools/Author: Taylor ArmerdingExcerpt: “The WikiLeaks “Vault 7” almost-weekly drip-drip-drip of confidential information on the cybertools and tactics of the CIA continued last week. The latest document dump is a trove from agency contractor Raytheon Blackbird Technologies for the so-called “UMBRAGE Component Library” (UCL) Project, which includes reports on five types of malware and their attack vectors.” —– Title: Joint international operation sees US citizen arrested for denial of service attacks on IT systems Date Published: 28/07/2017 URL: https://www.afp.gov.au/news-media/media-releases/joint-international-operation-sees-us-citizen-arrested-denial-serviceAuthor: AFPExcerpt: “A two and a half year joint operation between the Australian Federal Police (AFP), Federal Bureau of Investigation (FBI) and Toronto Police Department has resulted in a 37-year-old Seattle man being arrested in connection with serious offences relating to distributed denial of service attacks on IT systems.” —– Title: Australia’s war on maths blessed with gong at Pwnie AwardsDate Published: 27/07/2017URL: https://www.computerworld.com.au/article/625351/australia-war-maths-blessed-gong-pwnie-awards/Author: Rohan PearceExcerpt: “Australia’s own Malcolm Turnbull has been recognised at the Pwnie Awards in Las Vegas, with the prime minister taking out the ‘Pwnie for Most Epic FAIL’. The annual awards, staged at the BlackHat security conference, recognise security successes and failures.” —–Title: Flash Player death warrant signed by AdobeDate Published: 27/07/2017URL: http://technology.inquirer.net/65543/flash-player-death-warrant-signed-by-adobeAuthor: INQUIRER.netExcerpt: “Adobe is making a move to permanently terminate it’s Flash Player feature—which many believe should have been done a while back. According to an Adobe press release, the end-of-life (EOL) of the multimedia software platform is already in the works, as they are working with various technology partners like Apple, Facebook, Google, Microsoft and Mozilla, to create a smooth transition into open web platform.” —–Title: Russian National And Bitcoin Exchange Charged In 21-Count Indictment For Operating Alleged International Money Laundering Scheme And Allegedly Laundering Funds From Hack Of Mt. GoxDate Published: 26/07/2017URL: https://www.justice.gov/usao-ndca/pr/russian-national-and-bitcoin-exchange-charged-21-count-indictment-operating-allegedAuthor: Department of JusticeExcerpt: “SAN FRANCISCO – A grand jury in the Northern District of California has indicted a Russian national and an organization he allegedly operated, BTC-e, for operating an unlicensed money service business, money laundering, and related crimes.” —–Here are this week’s noteworthy security bulletins: 1) ESB-2017.1841 – [Cisco] Cisco IOS and IOS XE: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50358 Cisco has released information about three vulnerabilities (CVE-2017-6665, CVE-2017-6664, CVE-2017-6663) that do not have any patches currently. 2) ASB-2017.0125 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50350 Two vulnerabilities have been fixed in Joomla! core, the first is a fix to the CMS Installer itself and the second is a fix in the lack of proper filtering of potentially malicious HTML tags. 3) ESB-2017.1852 – ALERT [Cisco] Cisco Products: Access privileged data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/50402 Multiple Cisco Products are susceptible to an OSPF LSA Manipulation Vulnerability. This allows an attacker to take full control of the OSPF AS routing table. AUSCERT in the Media: Title: The Methodology of Improving Incident ResponseURL: http://www.bankinfosecurity.com/methodology-improving-incident-response-a-10124Author: Tom FieldExcerpt: “AUSCERT is one of the oldest CERT’s in the world, and Phil Cole says the independent organization is now laser-focused on helping enterprises across sectors to fundamentally improve their strategies and solutions for incident response.”—-Title: Is your company and customer data being sold on the darknet?URL: https://www.cio.com.au/article/621699/your-company-customer-data-being-sold-darknet/Author: George NottExcerpt: “Increasingly businesses are monitoring the darknet for clues that their company and customer data is being exposed. But it’s no easy task. Last week, The Guardian reported that Australians’ Medicare numbers were being offered for sale on a darknet marketplace for the equivalent of $30 in Bitcoins each.” Stay safe, stay patched and have a good weekend! Ananda

Learn more

Week in review

AUSCERT Week in Review for 21st July 2017

21 Jul 2017

AUSCERT Week in Review for 21st July 2017 As Friday 21st July comes to a close along with the latest Oracle and Apple security updates, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Cisco patches critical bug in WebEx plug-in for Chrome, Firefox on WindowsDate Published: July 18 2017URL: http://www.zdnet.com/google-amp/article/cisco-patches-critical-bug-in-webex-plug-in-for-chrome-firefox-on-windows/Author: Liam TungExcerpt: “Google’s Project Zero researcher Tavis Ormandy reported the bug to Cisco earlier this month. It was discovered by him and Chris Neckar of Divergent Security, a former member of the Chrome security team. Ormandy earlier this year found two other flaws in the WebEx extension that allowed remote code execution. WebEx is a popular video conferencing tool in the enterprise. Ormandy notes that the WebEx extension for Chrome alone has 20 million active users. It’s also installed on 731,000 Firefox instances.” Title: Issues found via fuzzing by Guido VrankenDate Published: July 17 2017URL: http://freeradius.org/security/fuzzer-2017.htmlAuthor: FreeRADIUS Excerpt:“In order to improve the security of FreeRADIUS, we asked Guido to try fuzzing FreeRADIUS. He spent a week working with us, and managed to find a number of issues. We worked together to create and validate fixes for all of them. His blog contains a short note on the subject. The short summary is that if your RADIUS server is on a private network, accessible only by managed devices, you are likely safe. If your RADIUS server is part of a roaming consortium, then anyone within that consortium can attack it. If your RADIUS server is on the public internet, then you are not following best practices, and anyone on the net can attack your systems.” Title: Oracle e-business suite flaw allows downloads of documentsDate Published: July 18 2017URL: https://threatpost.com/oracle-e-business-suite-flaw-allows-downloads-of-documents/126897/Author: Michael MimosoExcerpt:“Oracle admins have more than 300 patches to contend with today, but one that should be considered a top priority is a bug in the E-Business Suite of business applications that could allow an attacker to download data without the need for authentication. The vulnerability, CVE-2017-10244, was addressed in today’s quarterly Critical Patch Update, but given the critical apps and data moving through the suite, and the potential downtime required to patch, it’s unknown how long it would take for the bulk of installations to be update and the risk be mitigated completely.” Title: Apple patches BROADPWN bug in IOS 10.3.3Date Published: July 20 2017 URL: https://threatpost.com/apple-patches-broadpwn-bug-in-ios-10-3-3/126955/Author: Tom SpringExcerpt:“Apple released iOS 10.3.3 Wednesday, which serves as a cumulative update that includes patches for multiple vulnerabilities including the high-profile BroadPwn bug that allowed an attacker to seize control of a targeted iOS device. BroadPwn was revealed earlier this month as a flaw in Broadcom Wi-Fi chipsets used in Apple and Android devices. Apple said the vulnerability affected the iPhone 5 to iPhone 7, the fourth-generation iPad and later versions, and the iPod Touch 6th generation.” —- Here are this week’s noteworthy security bulletins: 1) ESB-2017.1765 – ALERT [Win] Cisco WebEx extensions: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/49958 WebEx is one the most widely used meeting and collaboration tools in use today. If you use the Google Chrome or Firefox WebEx extension on Windows, then upgrade as soon as possible. This vulnerability could allow an attacker to execute arbitrary code with the privileges of the affected browser on the affected system. 2) ESB-2017.1767 – ALERT [UNIX/Linux][BSD][RedHat] freeradius: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49966 FreeRADIUS is a Remote Authentication Dial In User Service (RADIUS) server. It provides centralised authentication and authorization for many Fortune-500 companies and ISPs. It’s also widely used for Enterprise Wi-Fi and IEEE 802.1X network security, particularly in the academic community, including eduroam. A remote attacker could crash the FreeRADIUS server or execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet. For more information see the article we referenced earlier. 3) ASB-2017.0121 – ALERT [Appliance][Solaris] Oracle Sun Systems: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/50066 If you have Oracle Sun Solaris systems in your environment, we advise patching as soon as possible to mitigate a shadowbrokers EASYSTREET (CVE-2017-3632) vulnerability. This easily exploitable vulnerability allows an unauthenticated attacker with network access via TCP to completely take over the system. 4) ASB-2017.0106 – ALERT [Win][UNIX/Linux] Oracle E-Business Suite: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50006 An easily exploitable vulnerability (CVE-2017-10244) would allow an unauthenticated attacker with network access to access any document stored there with a single HTTP request. 5) ASB-2017.0104.2 – UPDATE ALERT [Win][UNIX/Linux] Oracle Fusion Middleware: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49998 This easily exploitable vulnerability (CVE-2017-10137) is rated 10.0 and allows the unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in the takeover of Oracle WebLogic Server. 6) ESB-2017.1783 – [Apple iOS] Apple iOS: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/50118 Of interest is the BroadPwn vulnerability (CVE-2017-9417). An attacker within range of an iPhone, iPad or IPod touch may be able to execute arbitrary code on the Wi-Fi chip. See more information in the article we referenced earlier. —- Stay safe, stay patched and have a good weekend! Danny  

Learn more

Week in review

AUSCERT Week in Review for 14th July 2017

14 Jul 2017

AUSCERT Week in Review for 14th July 2017 As Friday 14th July comes to a close along with the monthly Microsoft Security Update, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Microsoft Patches 19 Critical Vulnerabilities in July Patch Tuesday UpdateDate Published: July 12 2017URL: http://www.esecurityplanet.com/endpoint/microsoft-patches-19-critical-vulnerabilities-in-july-patch-tuesday-update.htmlAuthor: Sean Michael KernerExcerpt: “Microsoft released its latest monthly Patch Tuesday update on July 11, patching a total of 54 vulnerabilities, of which 19 were rated as critical. Microsoft’s HoloLens Virtual Reality (VR) technology received its first patch this month, for a critical remote code execution vulnerability identified as CVE-2017-8584. The vulnerability could have been triggered by an attack that sent a malicious WiFi packet to the HoloLens.” —– Title: The laws of Australia will trump the laws of mathematics: TurnbullDate Published: July 14 2017 URL: http://www.zdnet.com/article/the-laws-of-australia-will-trump-the-laws-of-mathematics-turnbull/Author: Chris Duckett and Asha McLeanExcerpt: “Regardless of what the laws of mathematics state around breaking into end-to-end encryption, the Australian government is determined to bring in laws that go against them, with the Prime Minister of Australia telling ZDNet that the laws produced in Canberra are able to trump the laws of mathematics. ‘The laws of Australia prevail in Australia, I can assure you of that,’ he said on Friday. ‘The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.’ On Friday, the government unveiled plans to introduce legislation this year that would force internet companies to assist law enforcement in decrypting messages sent with end-to-end encryption.” —– Title: Let’s Encrypt Wildcard Certificates a ‘Boon’ for Cybercriminals, Expert SaysDate Published: July 12 2017URL: http://www.securityweek.com/lets-encrypt-wildcard-certificates-boon-cybercriminals-expert-saysAuthor: Ionut ArghireExcerpt: “The organization will be offering wildcard certificates free of charge via an upcoming ACME v2 API endpoint. Only base domain validation via DNS will be supported in the beginning, but the CA may explore additional validation options over time. Let’s Encrypt’s goal might be improved security and privacy for all users, but it doesn’t mean that its certificates can’t be misused. In March 2017, encryption expert Vincent Lynch revealed that, over a 12-month period, Let’s Encrypt issued over around 15,000 security certificates containing the term PayPal for phishing sites.“ —– Title: China orders complete block on VPNs to begin by February 2018Date Published: 11 July 2017URL: https://www.v3.co.uk/v3-uk/news/3013611/china-orders-complete-block-on-vpns-to-begin-by-february-2018Author: Graeme BurtonExcerpt: “The Chinese government has ordered the country’s big-three telecoms and internet service providers, China Mobile, China Telecom and China Unicom, to completely block access to virtual private networks (VPNs) by February 2018 in the latest stage of its campaign to prevent web users from circumventing the ‘great firewall of China’.” —– Here are this week’s noteworthy security bulletins: 1) ESB-2017.1714 – ALERT [Win][UNIX/Linux] Apache Struts: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/49726 This *new* Apache struts issue went largely unnoticed by mainstream media despite there being POCs available and vulnerable servers visible in Google search. AUSCERT advises members to inform web developers and users to check if sites are vulnerable. 2) ESB-2017.1715 – [UNIX/Linux][Debian] xorg-server: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49730 This was another vulnerability that went largely unnoticed. Two security issues were discovered in the X.org X server, the worst leading to privilege escalation. Since X server in most environments runs as root this vulnerability could potentially lead to root compromise. 3) ESB-2017.1721 – [Win][Linux][OSX] Adobe Flash Player: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49754 Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. AUSCERT advises members to remove Adobe Flash if possible otherwise to keep Adobe products upgraded. 4) ASB-2017.0100 – [Win] Microsoft Windows: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49782 Our hundredth ASB for 2017 is fittingly for Microsoft Windows and includes an unusual vulnerability – a critical remote code execution vulnerability in Microsoft’s HoloLens Virtual Reality (VR) technology. Refer to our first interesting article of the week for more details. —- Stay safe, stay patched and have a good weekend! Danny

Learn more

Blogs

How to check if your site is vulnerable to a POODLE attack

12 Jul 2017

How to check if your site is vulnerable to a POODLE attack How to check if your site is vulnerable to a POODLE attack Following the introduction of AUSCERT’s new Member Security Incident Notifications (MSINs), some members have asked us how they can confirm the accuracy of the POODLE reports. This is the incident type with the highest occurrence rate among AUSCERT members. The Padding Oracle On Downgraded Legacy Encryption or POODLE attack can lead to decryption of HTTPS connections between clients and servers by exploiting a weakness in SSL 3.0 with cipher-block chaining (CBC) mode ciphers enabled. While we’re confident that our data sources are high quality, you can use the methods below to manually check your publicly facing services for poodle exposure if you wish. If you believe the information we have provided in the report is incorrect then please let us know. Manual methods for testing poodle exposure Qualys SSL Labs test Note that as at 23 September 2015, the information contained in the SSL Labs report requires careful analysis to interpret correctly. The “Summary” section may indicate “This server uses SSL 3, which is obsolete and insecure” when a poodle attack is possible. Later in the report a line entry may indicate “poodle (SSLv3): No, mitigated” if the service supports a secure protocol upgrade.  However, since this relies upon the client correctly negotiating one of the secure protocols, the service should still be considered vulnerable to poodle attacks. OpenSSL and nmap Use the command-line OpenSSL client and an nmap scan to attempt connection using SSL 3.0 and enumerate available ciphers.  The OpenSSL command just checks if SSLv3 is enabled; nmap returns all possible ciphers with SSL v3, TLS1.0, TLS1.1 or TLS1.2. OpenSSL can be used to check each individual cipher but it would take more time. ~$ openssl s_client -ssl3 -connect your.domain.here:443 A successful connection indicates that SSL 3.0 is enabled and that a poodle attack is possible. ~$ nmap --script ssl-enum-ciphers -p 443 your.domain.here A server should be considered vulnerable to a poodle attack if CBC ciphers are offered while using SSLv3.  Please note that CBC ciphers, AES128-SHA and AES256-SHA, often don’t mention CBC in their names, but their presence does indicate a poodle vulnerable service. If no CBC ciphers are offered then it wouldn’t be vulnerable to a poodle attack (but most other ciphers are vulnerable to different attacks like RC4:BEAST). As you’ll already be aware, there is currently no fix for the vulnerability SSL 3.0 itself therefore disabling SSL 3.0 support is the most viable solution currently available. This means that even with up-to-date patches applied, it is possible to fail a poodle vulnerability scan if SSL 3.0 is still enabled. References and additional information https://www.us-cert.gov/ncas/alerts/TA14-290A https://www.openssl.org/~bodo/ssl-poodle.pdf https://www.ssllabs.com/ssltest https://www.tinfoilsecurity.com/blog/how-to-fix-poodle-and-why-you-are-probably-still-vulnerable

Learn more

Member information

A guide to AUSCERT Member Security Incident Notifications: MSIN

11 Jul 2017

A guide to AUSCERT Member Security Incident Notifications: MSIN Introduction As part of its ongoing efforts to enhance member services, AUSCERT has launched its Member Security Incident Notification services. What’s an MSIN? An MSIN is a daily customised composite security report targeted towards AUSCERT member organizations. It contains a compilation of “security incident reports” as observed by AUSCERT through its threat intelligence platforms. Daily MSINs are issued on a daily basis. They are only issued to a member if at least one incident report specific to the member is detected within the past 24-hour period. This also means, if there are no incidents to report, you will not receive an MSIN! So it follows, the more security incidents spotted corresponding to your organization, the more incident reports will be included in the MSIN, the larger the MSIN you receive! Customised MSINs are tailored for each member organization, based on: IPs and Domains provided To receive accurate and useful MSINs, it’s important you keep this information updated (see FAQ) Severity Individual events in MSINs are categorised into the following severity levels: Critical Highly critical vulnerabilities that are being actively exploited, where failure to remediate poses a very high likelihood of compromise. For example, a pre-auth RCE or modification or leakage of sensitive data. High End of life systems, systems that you can log into with authentication that are meant to be internal   (SMB, RDP), some data can be leaked. Sinkhole events end up in this category. Medium Risk that does not pose an immediate threat to the system but can over time escalate to a higher severity. For example, risk of participating in DDoS, unencrypted services requiring login, vulnerabilities requiring visibility into network traffic (MITM without being able to manipulate the traffic) to exploit, attacker will need to know internal systems/infrastructure in order to exploit it. Low Deviation from best practice – little to no practical way to exploit, but setup is not ideal. Vulnerabilities requiring MITM (including manipulating the traffic) to exploit. For example, SSL POODLE reports may end up in this category. Info Informational only. Typically no concerns. Review in accordance with your security policy. These severity levels are based on those used by Shadowserver. Events which have not been assigned a severity will be marked as Unknown. A summary of reports by severity level can be found at the top of your MSIN. For example: Summary of reports based on severity: * Critical: accessible-ssh 3 * High : vulnerable-exchange-server 1 * Medium : accessible-cwmp 1 The MSIN subject will be prefixed with the highest level severity seen in the report. For example: [Severity:CRITICAL] AusCERT Member Security Incident Notification (MSIN) for “Member Name” Composite Each MSIN could potentially consist of multiple incident TYPE reportsFor example, it could contain an Infected Hosts report which highlights hosts belonging to a member organization that have been spotted attempting to connect to a known botnet C&C server, followed by a DNS Open Resolvers report listing open recursive DNS resolvers that could be used in a DNS amplification DDoS attack. Each incident type report could also include multiple incident reportsFor example, this “infected hosts” report contains 2 incidents:Incidents Reported     Timestamp:                      2015-08-25T00:20:34+00:00     Drone IP:                       123.456.789.abc     Drone Port:                     13164     Drone Hostname:                 abc.xxx.xxx.xxx.au     Command and Control IP:         aaa.bbb.ccc.ddd     Command and Control Hostname:   imacnc1.org     Command and Control Port:       80     Malware Type:                   redyms     Timestamp:                      2015-08-25T00:20:34+00:00     Drone IP:                       321.654.987.cba     Drone Port:                     2343     Drone Hostname:                 def.xxx.xxx.xxx.au     Command and Control IP:         ddd.eee.fff.ggg     Command and Control Hostname:   imacnc2.org     Command and Control Port:       123     Malware Type:                   dyre All timestamps are in UTC It is imperative these incidents be reviewed and handled individually. Structure An MSIN has the following basic structure. ==================HEADING FOR INCIDENT TYPE 1============== Incident Type Name of the incident and any known exploited vulnerabilities and associated CVEs. Incident Description Further information on potential attack vectors and impacts. Incidents Reported List of individual reports sighted by AUSCERT Incident report 1 Incident report 2 … Incident report n AUSCERT recommended mitigations Steps for resolution of incidents or mitigation of vulnerabilities which could be exploited in the future. References Links to resources referenced within the report Additional Resources Links to additional material such as tutorials, guides and whitepapers relevant to the report aimed at enhancing the recipients understanding of the addressed vulnerabilities, potential impacts and mitigation techniques. =============================END OF REPORT========================= =====================HEADING FOR INCIDENT TYPE 2==================== Incident Type Incident Description Incidents Reported Incident report 1 Incident report 2 … Incident report n AUSCERT recommended mitigations References Additional Resources =============================END OF REPORT========================= … … =====================HEADING FOR INCIDENT TYPE X==================== =============================END OF REPORT========================= Frequently Asked Questions How can I update domain/IP information for my organization?If you are a Primary AUSCERT contact simply write to AUSCERT Membership at membership@auscert.org.au and provide the updated information.If you have a privileged account in the Member portal you can request changes through the portal. AUSCERT will perform a validation check to ensure the domains are under your organization’s ownership or control prior to including them in the monitoring list. Where does the information in an MSIN come from?AUSCERT receives information relating to compromised and/or vulnerable resources from several trusted third parties, through secure means. The trust relationship between AUSCERT and third parties entails conditions which prevent  disclosure of the source(s) of information.

Learn more

Member information

AUSCERT Bulletin Formats

11 Jul 2017

AUSCERT Bulletin Formats AUSCERT sends out two forms of bulletin – AUSCERT Security Bulletins (or ‘ASB’s) and External Security Bulletins (or ‘ESB’s). Previously, there were four types of bulletin – External Security Bulletins (ESB), AUSCERT Advisories (AA), AUSCERT Alerts (AL) and AUSCERT Updates (AU). The new two-type system allows a simpler differentiation between bulletin types – ASB’s are written in-house, referencing information available that may not have a current coherent source, while ESB’s are bulletins written by other vendors that we have summarised and re-released. Both ASBs and ESBs contain ‘header information’ that quickly summarise the contents and allow readers to determine important information at a glance. Document Titles and Subject Lines Bulletin titles (which is also used as the subject line of mailouts) are formatted to indicate basic information in as short a format as possible. The titles include the AUSCERT bulletin ID (for instance ASB-2009.0001 or ESB-2009.0123), revision number if applicable (eg. ESB-2009.0123.2) and an ‘ALERT’ flag if the contents of the bulletin are time critical or reference an actively exploited vulnerability. Titles also include a list of ‘environment’ tags that list operating systems or hardware types the vulnerability affects. Unless the vulnerability is very specific this will usually only contain operating system families such as Windows ([Win]) and Linux ([Linux]). The rest of the title is either the product or publisher along with the most severe impact of the vulnerability. In the case of a bulletin regarding multiple vulnerabilities this will be replaced with ‘Multiple Vulnerabilities’. For instance, previously what might have been sent out with a subject line of: (AUSCERT AL-2009.0000) [Win] Critical vulnerabilities in ImportantProgram may result in data loss would now have a subject line like: ESB-2009.0000 – ALERT [Win] ImportantProgram: Delete arbitrary files – Remote/unauthenticated or ESB-2009.0000 – ALERT [Win] ImportantProgram: Multiple vulnerabilities Bulletin Header Since more information is now included in the bulletin title the header will only include the bulletin ID, date and a short descriptive sentence. In the case of ESBs, this is often the subject of the original bulletin. Bulletin Summary The bulletin summary is an index of the important information in the bulletin. Both ESBs and ASBs contain a summary, although some fields may only be found in one type. A description of each field is below. Product The product field gives the names and version numbers of products affected by the bulletin. The product may be an operating system, in which case no Operating System field will be given. Both ESBs and ASBs will have a Product field. Publisher Only present in an ESB, the Publisher field gives the name of the original source of the bulletin. Often this is an operating system vendor (like Microsoft or Red Hat), but it may be another security team or research group. Operating System This field gives a list of operating systems or operating system families that are affected by the vulnerability. The operating systems themselves are not affected by the vulnerability, but the program that is affected will run on those operating systems. Platform A rarely used field, platform will specify particular architectures (eg i386, SPARC) that are affected by this vulnerability in a similar fashion to the Operating System field. In order to be brief, the Platform field will only be used if the architectures affected is a subset of the architectures that the operating systems affected run on. Impact and Access Previously separate as two fields, the Impact and Access matrix list the impacts of the vulnerabilities along with the associated access required to exploit them. Impact Values There are several predefined values for the Impact. The values and their meanings are below. Root Compromise The root account in a Unix or Linux based system can be accessed. This is a serious issue and may result in an attacker taking complete control of the affected machine. Administrator Compromise An administrator account (for instance within Windows or within an administration application) can be accessed. This is a serious issue and may result in an attacker taking over the affected machine. Note that in Windows this may also be a compromise of the SYSTEM account. Execute Arbitrary Code/Commands An attacker can execute commands beyond what is usually possible. This can include machine code, interpreted code such as Java or Javascript or SQL. Increased Privileges An attacker can increase their privilege level on the affected system. This may allow them to gain normal user access to a machine they should have no access to, or allow them to access the data or privileges of another user on the system. Access Privileged Data An attacker can read (and possibly write) data on the system that would otherwise be protected by a security measure. The attacker may not be able to perform any other action or gain the use of the priveleges they would otherwise require to view this content. Modify Permissions An attacker can add or remove permissions from an object. This may allow them to deny access to a valid user, or allow them to access something they would otherwise be blocked from. Modify Arbitrary Files An attacker can read, write or delete arbitrary files. The files they can access may be limited. Overwrite Arbitrary Files An attacker can replace the contents of arbitrary files. This may lead to a denial of service if important system files are replaced, or allow further access. Create Arbitrary Files An attacker can create files that they would otherwise not be allowed to. This may be leveraged to perform other attacks or gain access. Delete Arbitrary Files An attacker can delete files. This may allow a denial of service, or weaken existing defenses and allow further attacks. Cross-site Scripting A specific form of code execution, cross-site scripting may allow an attacker to inject their own HTML into an affected site’s code. This is not restricted to public facing websites – an attacker may be able to insert code that is activated when an administrator examines logs or uses some other administrative interface. Denial of Service An attacker can block access to resources from legitimate users. This may include causing a program to crash or freeze and not recover, causing an entire system to crash or simply using up all of the resource (for instance network bandwidth). Website Defacement A specific form of Modify Arbitrary Files, this impact allows an attacker to change a website. The change may not be obvious – an attacker might use such a vulnerability to spread malware to visitors of the affected site. Provide Misleading Information An attacker may be able to force a program or protocol to produce incorrect information. This may be to hide an attacker’s activity or trick a user into performing an unsafe action. Read-only Data Access An attacker may be able to read data they would otherwise not have access to. This may include files, segments of memory or network traffic. Access Confidential Data An attacker may be able to access data that would otherwise be hidden or inaccessible. This differs from Access Privileged Data in that the data may not be directly protected by access restrictions, but is still important. For instance, if a vulnerability allowed access to credit card details before those details were protected or deleted that would be Access Confidential Data. Unauthorised Access An attacker is able to access data in a way that is otherwise disallowed. This is a more generic version of other access-based impacts. Reduced Security A catch-all impact – the security level of the systems involved is weakened. This is used when an exact impact is unknown, or if the impact doesn’t match any of the others. Access Values There are several possible values for the access required to exploit a vulnerability. Generally the less access required the worse the vulnerability. Remote/Unauthenticated The only access required is that a connection can be made to the affected system. Remote with User Interaction The attacker requires no access themselves, but they need to trick a legitimate user into initiating the exploit (for instance by visiting a website or opening a file). Existing Account The attacker must have an existing user account on the system and must authenticate to exploit the vulnerability. Console/Physical The attacker must have direct physical access to the system. This is usually related to a vulnerability in a screen saver or other physical locking system. Unknown/Unspecified No access information is currently known. Resolution The Resolution field gives a quick indication on how to protect against the vulnerability. The possible values are: None No resolution is currently available. Patch/Upgrade A patch or new, unaffected version of the product is available. Note that only official vendor patches are acceptable as a patch – third party patches would be considered a mitigation. Mitigation There are mitigation steps available that may be used, however there is no specific fix to the vulnerability Alternate Program Another program with similar functionality is available that is not vulnerable. CVE This field lists any CVE identifiers that relate to this vulnerability. CVE’s are an excellent way of tracking vulnerabilities that affect multiple products. Reference This fields lists other AUSCERT bulletin ID’s that are related to this vulnerability. These ID’s should also appear as links at the top of the page so that related bulletins can be navigated to easily. Bulletin URL Only available in ESB’s, this field lists URLs of the original bulletin source. Often the original bulletin will have further links and information that might be of use. Bulletin Versioning If new information becomes available regarding a bulletin we have already released we will update information on our website and may resend the bulletin if the information is important. Previously only the most recent version of the bulletin was available on our website, however now previous versions will be available as attachments to the current version. Updates will have a version number appended to the bulletin ID. For instance, the second version of ESB-2009.0000 is ESB-2009.0000.2. After an update is done the original version will be renamed to ESB-2009.0000.1. If a new version is considered to contain important information, the bulletin will be resent with an extra tag of ‘UPDATE’ in the subject line. For bulletins that were already tagged with ‘ALERT’, this will become ‘UPDATED ALERT’. Example An example bulletin under the new system is below. =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.0001 A critical vulnerability in ImportantProgram may allow code execution 16 April 2009 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: ImportantProduct Publisher: ExamplePublisher Operating System: Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Patches Available: Yes CVE Names: CVE-2009-0000 Original Bulletin: http://www.example.com/example?id --------------------------BEGIN INCLUDED TEXT-------------------- This is an example bulletin. Normally the details of the vulnerability and how to fix it would be here. --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. ===========================================================================

Learn more

Blogs

Phone scams targeting a variety of organisations in the Health industry

7 Jul 2017

Phone scams targeting a variety of organisations in the Health industry AUSCERT has recently received numerous reports of phone scams targeting a variety of organisations in the Health industry. The exact nature of the unsolicited calls varies but has included conference and event invites, training sessions, and attempts to confirm personal details of the callee or others in the organisation.  The callers have claimed to be associated with varied groups including GE Healthcare (who have been alerted to this), NEOH and the called organisation itself. Organisations should also be aware that fraudsters claiming to be from various GE businesses (including public reports of criminals using the name of GE Healthcare) often commit recruitment fraud and may do so as part of this activity. While phone scams such as these are ever present this recent spate of reports we have received specifically from the Health industry suggests the current need for increased awareness amongst Health industry organisatons. AUSCERT encourages members to review their current security awareness of their staff in relation to phone scams and consider alerting staff to this current activity. Guidelines for staff would include what steps to take when receiving unsolicited calls, the type of information that can and can not be provided, and any reporting guidelines. AUSCERT recommends staff are encouraged to report unsolicited or suspicious calls so that organisations can monitor for concerted attacks. AUSCERT has received reports of numerous calls to the same organisation (and individual) over a very short period of time. Information on what to do should also be provided for staff that have been defrauded or provided personal or organisational information. Useful resources include: https://www.scamwatch.gov.au/ https://www.staysmartonline.gov.au/ http://www.fairtrading.nsw.gov.au/ftw/Businesses/Scams/Business_scams To help gauge how wide spread this activity is AUSCERT would appreciate any feedback from organisations that have been targeted.  

Learn more

Week in review

AUSCERT Week in Review for 7th July 2017

7 Jul 2017

AUSCERT Week in Review for 7th July 2017 As Friday 7th July comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Westpac joins Swift blockchain testDate Published: 06/07/2017URL: https://www.itnews.com.au/news/westpac-joins-swift-blockchain-test-467746Author: Staff Writers Excerpt: “Second Aussie bank after ANZ to take part.Westpac has become the second Australian bank to join a proof-of-concept by payment messaging service Swift that aims to test blockchain for facilitating cross-border payments.It is one of 22 global banks to join the PoC today, adding to the six foundational banking participants, one of which is ANZ Bank.” —–Title: Microsoft to cut ‘thousands’ of jobsDate Published: 07/07/2016URL: http://www.bbc.com/news/business-40523172Author: BBCExcerpt: “Microsoft is to cut “thousands” of jobs worldwide as it attempts to beef up its presence in the cloud computing sector.The technology giant wants to strengthen its cloud computing division but is facing intense competition from rivals such as Amazon and Google.” —–Title: Australia stuck with higher cost of deploying FttP: NBN CoDate Published: 06/07/2017URL: https://www.itwire.com/telecoms-and-nbn/78880-australia-stuck-with-higher-cost-of-deploying-fttp-nbn-co.htmlAuthor: Peter DinhamExcerpt: “NBN Co, the builder of the national broadband network, has moved to defend the higher costs of deploying fibre-to-the-premises in Australia and “set the record straight” on recent media claims about the local cost of FttP compared to other operators around the world.” —–Title: Ukrainian police seize computers that spread global NotPetya attackDate Published: 05/07/2017URL: http://www.itworld.com/article/3205810/malware/ukrainian-police-seize-computers-that-spread-global-notpetya-attack.htmlAuthor: Peter Sayer Excerpt: “Ukraine’s Cyber Police have intervened to prevent further cyberattacks in the wake of last week’s global attack, initially considered to be ransomware and called by various names including NotPetya.” —–Title: Govt blames Medicare card breach on ‘traditional’ crimsDate Published: 04/07/2017URL: https://www.itnews.com.au/news/govt-blames-medicare-card-breach-on-traditional-crims-467502Author: Allie Coyne Excerpt: “Not wide-scale, and no IT breach, says minister. The federal government says there has been no breach of the Department of Human Services’ IT systems and the Medicare card data currently on sale likely affects only a small number of people.” Here are this week’s noteworthy security bulletins: 1) ESB-2017.1655 – [SUSE] Xen: Multiple vulnerabilities 2017-06-30https://portal.auscert.org.au/bulletins/49486Quite a few Xen Vulnerabilities, if you are running Xen it is time to check for updates. 2) ESB-2017.1659 – [Debian] libgcrypt20: Unauthorised access – Existing account 2017-07-03https://portal.auscert.org.au/bulletins/49510Side channel attacks are getting rather popular. 3) ESB-2017.1676 – [SUSE] sudo: Root compromise – Existing account 2017-07-05https://portal.auscert.org.au/bulletins/49570Regression fix for CVE-2017-1000368, this has been repeated in a few products. 4) ESB-2017.1682 – [Win][UNIX/Linux] samba: Denial of service – Remote/unauthenticated 2017-07-06https://portal.auscert.org.au/bulletins/49594Remote Samba denial of service, that has to be able to affect a lot of people. —- Stay safe, stay patched and have a good weekend! Peter

Learn more