4 Sep 2020

Week in review

AUSCERT Week in Review for 4th September 2020

Greetings,

This week, the team made headlines with our research piece on a data dump claimed to be from the Department of Education, which turned out to be low-threat info from a third-party company.

Members, don’t forget that we are extending the closing date of the AUSCERT Security Bulletins survey (member portal login required) to 5.00pm AEST on Friday 18th September. Every completed survey will go in the draw to win Nintendo Switch Lite console, valued at AU$299.

As promised, we announced our AUSCERT2020 partnership with LIVIN.org, an organisation focussed on “Breaking the stigma of mental health.” In 2020, all revenue raised through our general admission registration sales for AUSCERT2020 will be donated directly to a chosen charity.

As an organisation, AUSCERT has always felt strongly about the effects of mental health in the cyber and information security industry and are proud to utilise this opportunity to contribute towards a very worthy cause.

Word on the street also has it that our various delegate swag bags are making their way this week to the first 600 registered delegates with an Australian address. We hope you love the items included in the swag bag and have to thank our wonderful sponsors.

Until next week, take care – don’t forget to spoil your awesome dads (Father’s Day on Sunday 6 September!) and have a great weekend everyone.

David Lord, former team lead:

On another note, I’m leaving AUSCERT today. I’m ADIR’s original creator and editor, although in recent times our comms expert Laura has taken the helm. It has been a pleasure to build and shape this service. Members sometimes send notes of thanks for our emphasis on concise but informative summaries, and that’s high praise indeed. I’ll certainly be staying subscribed ๐Ÿ˜‰


Large Australian education data leak traced to third-party service
Date: 2020-09-02
Author: iTnews

An online maths resource with a large Australian user base appears to be behind a large-scale leak of data touted online as a dataset belonging to the “Australian department of education”.
Images of the dataset purporting to contain the data of an unknown number of individuals, including those with vic.edu.au and wa.edu.au email addresses, emerged on Tuesday night.
Alon Gal, chief technology officer at cyber security intelligence firm Hudson Rock, claimed the dataset belonged to the “Australian Department of Education”, which does not exist.

AUSCERT says alleged DoE hack came from a third-party
Date: 2020-09-02
Author: ZDNet

In a statement posted on its website, AUSCERT said that after analyzing the data with cyber-security firm Cosive, it determined that the leaked data originated from K7Maths, an online service providing school e-learning solutions.
AUSCERT is now urging Australian schools to check if their staff are using the K7Maths service for their daily activities, and take appropriate measures, such as resetting the teacher and students’ password, in case they had re-used passwords across other internal applications.

SendGrid under siege from hacked accounts
Date: 2020-08-29
Author: Krebs on Security

Email service provider Sendgrid is grappling with an unusually large number of customer accounts whose passwords have been cracked, sold to spammers, and abused for sending phishing and email malware attacks. Sendgrid’s parent company Twilio says it is working on a plan to require multi-factor authentication for all of its customers, but that solution may not come fast enough for organizations having trouble dealing with the fallout in the meantime.
[AUSCERT can empirically confirm that we see this daily.]

Over 54,000 scanned NSW driver’s licences found in open cloud storage
Date: 2020-08-28
Author: iTnews

Tens of thousands of scanned NSW driver’s licenses and completed tolling notice statutory declarations were left exposed on an open Amazon Web Services storage instance, but Transport for NSW doesn’t know how the sensitive personal data ended up in the cloud.
The open AWS S3 bucket was found by Bob Diachenko of Security Discovery, as part of an investigation into another data breach.
“All the documents I observed were related to the NSW area and there was no indication as to who might be the owner of the data,” Diachenko told iTnews.


ESB-2020.3001 – Django: Multiple vulnerabilities

Filesystem permissions meant that a malicious local user had more access than they should.

ESB-2020.2976 – Bacula: Denial of service

It’s just a cool name for a backup service.

ESB-2020.3028 – GitLab: Access confidential data

GitLab’s packaging woes continued as they released another security release which excluded the security fixes, and then another hasty release to include them. If you’re using v13.3.3, v13.2.7 or v13.1.9, you should update.

ESB-2020.3006 – Ansible: Multiple vulnerabilities (RCE)

Another user/admin can manipulate the package store, and ansible will install packages that have been altered but won’t know or report it – so the deployment/config/ansible workflow/admin will not be aware of the compromise.


Stay safe, stay patched and have a good weekend!

David