A Milestone for Microsoft Australia and Shearwater


We are very excited about Microsoft’s announcement that the Australian Signals Directorate (ASD) has certified a number of Microsoft’s Australian-based online services offerings.

The majority of these newly certified services are simply not available from any other cloud service. With these certifications, Australian hospitals, educators and government agencies at federal, state and local level can all take advantage of sophisticated capabilities like machine learning and analytics, internet-of-things, and advanced threat protection – all in the cloud – with the confidence that these services are verified and certified by the Australian government.

We are proud to say that the Shearwater team, with their combined expertise, have played a key part in enabling this milestone and in helping Microsoft demonstrate compliance with the Australian Government requirements for ICT systems.

In his LinkedIn article, Microsoft’s Chief Technology Officer, James Kavanagh, wrote: “We chose to engage an Australian company called Shearwater to lead that (IRAP) assessment because of their reputation for rigour and expertise. They performed their work in multiple stages and then presented their reports to Australian Signals Directorate.”

Engagements such as these are incredibly exhaustive. Our Canberra Team has worked tirelessly in Australia and the US to understand each cloud service architecture, review documentation and processes, interview stakeholders, and to validate that the right controls are in place and effective.

Our senior consultants have the necessary ASD IRAP experience and were able to execute on a methodology that successfully addressed Microsoft’s and ASD’s IRAP program requirements. They have handled what was a really complex set of objectives and demonstrated the wealth of experience and expertise that sets us apart from the crowd.

No two engagements are ever the same; the ability to use multiple tools and tailor a solution that delivers the best possible outcome for customers means that we’re always able to inform a strong, successful strategy.

Microsoft’s exciting announcement is just the start of a new and more connected future for government and business. We couldn’t be more delighted to be involved in the journey to guide one of the world’s most influential organisations through Australian Government ICT security requirements.

Well done, team, for delivering on our values of offering a magical customer experience and owning the outcome.

For more information on Microsoft’s latest offering, please check out these links:

  • LinkedIn
  • ARN
  • Computer World
  • The Australian
  • Australian Financial Review

October 2016 Internet Security Report


Joomla takes the cake for the most serious exploits doing the rounds this month, with a combination of account creation and privilege escalation vulnerabilities proving an easy way to take complete control of various versions of Joomla. The diagnosis is grim for anyone who was not paying enough attention to patch within 24 hours: mass exploitation of these vulnerabilities has been reported, so if you have not patched you should assume your Joomla site is already compromised.

Threats

  • Joomla 3.6.4 was released to address account creation, elevation, and modification vulnerabilities that are being actively exploited en masse across the web just days after the vulnerabilities were disclosed. Anyone who has not already updated should consider their site compromised.
    https://www.joomla.org/announcements/release-news/5678-joomla-3-6-4-released.html
  • Microsoft patched 45 security flaws in its October 2016 patches, one of which is being actively exploited as part of a malvertising campaign. This was also Microsoft’s first month with its new patching approach, which removes the ability to pick and choose which patches to apply. The new system puts much more pressure on software maintainers to push out fixes for applications that break because of patching, as companies would otherwise have to choose between being vulnerable to exploits and having a functional application.
    https://technet.microsoft.com/en-us/library/security/ms16-oct.aspx
  • Google has disclosed an unpatched 0-day vulnerability in Windows after its time limit for responsible disclosure of actively exploited vulnerabilities ran out. The vulnerability has no patch available and is a “local privilege escalation in the Windows kernel that can be used as a security sandbox escape”. The Windows 10 Anniversary Update is not vulnerable, and Microsoft reports that patches for older versions of Windows will be provided on Tuesday, November 8.
    https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
    https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/
  • The Linux kernel local privilege escalation vulnerability known as Dirty COW has been patched 9 years after its introduction. As this vulnerability has existed for so long, it affects practically all Linux-powered devices, from cars to Android phones and routers. Cleaning up this Dirty COW is not going to be easy, with many devices simply no longer supported, or patches taking months to be released.
    http://dirtycow.ninja/
  • DNS hosting provider DynDNS has been hit by a huge DDoS attack that knocked much of its service offline. Because it is a DNS provider, this had very far-reaching effects, with many major websites brought offline because users were unable to perform DNS lookups for websites using DynDNS services.
    Read more on the Krebs on Security website
  • Spam has been found to be delivered through calendar invite files (“.ics”) containing a cancellation request with many recipients. Depending on how the calendar invite is handled, this can cause the spam email to be forwarded to all the recipients from your email address.
    https://isc.sans.edu/forums/diary/Spam+Delivered+via+ICS+Files/21611/

Breaches

Other

  • The Privacy Amendment (Notifiable Data Breaches) Bill 2016 has passed its second reading in the Australian House of Representatives. If passed, this bill will require entities subject to the Privacy Act 1988 to issue a notification when personal information is lost in a way that may result in serious harm.
  • The Register has published an interesting post on the potential liabilities of being hacked.
    http://www.theregister.co.uk/2016/10/14/been_hacked_what_are_you_liable_for/

NSW Government announces first eight fintech startups entering Tel Aviv landing pad

The NSW Government has announced the first eight fintech startups to enter the Tel Aviv landing pad, one of five commissioned by the Federal Government’s Australian Trade and Investment Commission (Austrade). Looking to push Sydney’s reputation as Australia’s fintech capital, the NSW Government worked in partnership with Austrade to help get local startups to Israel.

Read Full Story

Phriendly Phishing selected for an exclusive startup program in Tel Aviv

Media Release

Sydney, NSW – Phriendly Phishing, Australia’s pioneering phishing awareness training provider, has been selected as one of eight New South Wales businesses to be part of an intensive startup accelerator program, the Tel Aviv Landing Pad, in Israel.

Aiming to stimulate Australian innovation and entrepreneurship, ‘Landing Pads’ are being held across the globe with the Tel Aviv Landing Pad located at South of Salame (SOSA), a community founded by some of Israel’s most prominent angel and venture capital investors.

Announcing the program earlier this month, Minister for Industry, Resources and Energy Anthony Roberts said this would allow Australia’s best and brightest to access talent, mentors and investors in some of the most exciting global innovation hubs and bring what they’ve learnt back to Australia.

“This is a fantastic opportunity for some of our best and brightest fintech and cyber startups to engage with other global players and to showcase NSW’s capabilities in these sectors”, Mr Roberts said.

Phriendly Phishing’s General Manager, Damian Grace, said he was looking forward to being part of the Tel Aviv Landing Pad.

“I am confident that we are well positioned to take advantage of the program. The demand that we are seeing for security awareness training is unprecedented.

“Founded as an Australian alternative to American security awareness training, we currently have more than 70,000 users in Australia and New Zealand. Now with agreements in New Zealand, Singapore, Canada, South Africa and Europe we’re only going to see this number climb. With access to international expertise, Landing Pad will help us identify strategic partnership opportunities to accelerate our growth”, Mr Grace said.

For more information on Landing Pads, please visit http://www.australiaunlimited.com/LandingPads/about-landing-pads.

About Phriendly Phishing

Phriendly Phishing is an engaging, nurturing and comprehensive phishing education program for staff. By reinforcing awareness training with simulated real-world scenarios, Phriendly Phishing enhances phishing detection skills across private and government organisations and contributes to threat mitigation efforts. Easy to deploy, user-friendly and measurable, Phriendly Phishing provides security leaders with key improvement metrics to demonstrate success to stakeholders and raise awareness of security goals.

Announcing the winner of the Shearwater Capture the Flag contest at AusCERT2016


…and the winner is… Team “dcua”, from Ukraine, in the Shearwater Capture the Flag (CTF) challenge at AusCERT2016.

The 48-hour non-stop contest featured 30 uniquely crafted challenges written by the expert team at Shearwater Solutions. The challenges included Web Exploitation, Reverse Engineering, Forensics, and many others.

The contest was varied, featuring the usual capture the flag games, in addition to real-world scenarios inspired by hundreds of penetration tests and incident responses that we have conducted over the years. The result was a unique and diverse contest with challenges ranging from easy to mind-bending. This allowed players at all skill levels to participate. Contestants included students, amateurs, and seasoned professionals.

A number of participating teams proved surprisingly nimble, advancing swiftly through the competition and solving some of the challenges in ingenious ways. But, as expected, the Shearwater Capture the Flag team included scenarios that threw participants off-balance and diminished any hopes of a quick win. These challenges included “vmessage”, a forensic challenge, which took 30 hours to solve, and “doggone”, a packet analysis task, which took nearly 42 hours to solve.

All participants deserve acknowledgment, especially those who played solo for the duration of the competition. Other participants made a great effort to balance work commitments with the challenge, many of them enlisting colleagues along the way.

The top 3 teams at the competition were:

  • Team 1: dcua
  • Team 2: Capture the Swag??
  • Team 3: rand0ml0l2

This event was an opportunity for Shearwater to host a free educational initiative to benefit the Information Security Community. The feedback from players tells us that this contest has been a skill validation for some and a baptism of fire for others, but overall it was fun for all.

Event Summary:

  • Challenges were written by the Shearwater Ethical Hacking team (SEH). Shearwater Ethical Hacking is a trusted provider of penetration testing services for the private sector and government organisations.
  • 95 teams registered for the contest. The majority of these teams were Australian but others joined from Asia, Europe, Africa, and the United States.
  • The players had diverse skill sets and included amateurs, students, and seasoned professionals.
  • Whilst all the challenges were solved, no single team was able to solve all the challenges.
  • “dcua”, a Ukrainian team, won the competition scoring 3250 out of the 5250 available points.
  • The hardest challenge was “doggone”. It was solved 42 hours into the competition.
  • The second hardest challenge was “vmessage”. It was solved 30 hours into the competition.