• Our Vision

    To be the trusted guardian of
    New Zealand's
    Information Assets

  • Our Goal

    No advanced, technology-borne compromise of the most significant national information infrastructures by June 2016.

Persistent telephone inquiries could be precursor to cyber threats

Persistent telephone inquiries could be precursor to cyber threats


21 April, 2016

“The NCSC is aware of persistent, likely overseas sourced, telephone inquiries seeking confirmation of job titles and email addresses.

It is possible these calls could be a precursor to follow up cyber threat activity in the form of whaling, or spear-phishing.

“Whaling” or “spear-phishing” activities are where an email, often carefully engineered to reflect a particular interest of the receiver - which contain a threat, or a hyperlink to a threat, which when opened enables the adversary to access the user’s device or network.

If your organisation has encountered or suspects a cyber-security incident, please report this to the National Cyber Security Centre (NCSC)

The NCSC defines an incident as an occurrence or activity that impacts on the confidentiality, integrity or availability of an information system (infrastructure).

If you require assistance in dealing with the incident, please complete the Cyber Security Incident – Request for Assistance Form and submit it to incidents@ncsc.govt.nz

If required, you can speak with us directly on (04) 498-7654.

read more

NCSC Cyber Security Advisory CSA-002-16

3 March 2016

Ransomware attack infects victims through PDF-borne spear-phishing campaign

The National Cyber Security Centre (NCSC) has become aware of a PDF-borne crypto-ransomware attack.

In reported instances of this attack, a zipped PDF file was emailed to victims, which, when  opened, prompted the victim to download a new font package to render the PDF readable.

Installing the font package launched a crypto-ransomware exploit that encrypted the victim’s  files until a bitcoin payment was made.

Ransomware is widespread and infection can arise from a variety of continually evolving  vectors such as spear-phishing emails, malicious ads on websites, or navigation or redirection  to compromised websites that host ransomware or other malware. While this PDF attack has similarities to the recent “Locky” ransomware email campaign (i), the PDF attack differs in that  the zipped PDF file itself is apparently not malicious, and infection only occurs once a victim has downloaded and run the font package executable file.

In this instance, the NCSC recommends that recipients treat emails containing suspicious, zipped PDF files likely from an unrecognised sender with extreme caution, or delete such  emails altogether upon receipt or discovery. Other general mitigations against compromise include educating network users on the modes and risks of compromise, ensuring appropriate user permissions and network segmentation are in place, white-listing applications, and backing up business critical information.

The “Locky” campaign used an MS Word document purporting to be an invoice in a spear-phishing email to compromise victims. For further details, see https://www.arstechnica.com/security/2016/02/locky-crypto-ransomware-rides-in-on-malicious-word-document-macro and https://blogs.technet.microsoft.com/mmpc/2016/02/24/locky-malware-lucky-to-avoid-it/


read more

NCSC Cyber Security Advisory CSA-001-16

February 16, 2016

Vulnerabilities disclosed in Cisco equipment 

Cisco announced on January 29 and February 10, 2016, two vulnerabilities ranked respectively as High and Critical. These vulnerabilities effect certain equipment running Cisco ASA software and Open SSL. The critical vulnerability has the potential to allow remote code execution and the high vulnerability enables man-in-the-middle attack on an SSL/TLS connection. Cisco has released patches and NCSC recommends vulnerable devices be updated as soon as possible. 

Refer to the below link of the full report

read more

NCSC name used in new twist on telephone scam

NCSC name used in new twist on telephone scam

Telephone scammers have used the National Cyber Security Centre’s (NCSC) name in a new twist on a known scam.

The NCSC has received a report of scammers telephoning a private number alleging the subscriber has been visiting “illegal websites”, and seeking personal information such as physical address and IP address.

A spokesperson for the NCSC says the Centre provides enhanced services to government agencies and nationally significant organisations to assist them to defend against cyber-borne threats.

“We do not contact private individuals or organisations, seeking personal information. This is just another version of known scams where people are contacted by scammers, alleging to be from an official organisation or reputable supplier, in an effort to get access to computer systems or personal information which can then be used for illegal activity,” the spokesperson says.

More information about telephone and online scams is available at:





Anyone contacted by scammers alleging to be from the NCSC should not provide any information and should report the contact to Netsafe.

read more

Reporting an Incident

If your organisation has encountered or suspects a cyber-security incident, please complete and return the Cyber Security Incident - Report Form. If you require assistance in dealing with the incident, please complete the Cyber Security Incident – Request for Assistance Form. If required, you can speak with us directly on (04) 498-7654.

Some Interesting Stats

In the 12 months to 30 June 2015 the NCSC recorded a total of 190 incidents. Of those 114 were identified as targeting government systems, 56 targeting private sector – with a further 20 where the sector targeting was not identified in the reporting. Of total recorded incidents for the 2014/15 period spear phishing made up 30.5 percent, with 58 incidents, followed by network intrusion/compromise with 21.5 percent (41 incidents) and botnets, 9.5 percent (18 incidents). For the full article, see Cyber incidents for year to 30 June 2015.

According to Intel Security, New Zealand songstress Lorde ranks in the Top 10 of the "World’s Most Dangerous Celebrities" to search for online. Cybercriminals take advantage of interest in celebrities by filling search results with links to sites that may host malware and other online threats that can steal personal data and harm our devices. Intel Security conducted a study to determine the number of risky sites that would be generated in search results including a celebrity name and commonly searched terms.  Lorde ranged number nine in Intel’s 2015 list.  For the full article, see The 2015 Most Dangerous Celebrity.

The median number of days a cyber threat was present in victims system before being detected was 205 according to Mandiant’s 2015 MTrends report.  The report says 69 percent of victims were notified of the threat by an external entity.